Analysis

- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 07:39

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe
- Resource: win7-20240221-en
General

- Target: 2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe
- Size: 1.3MB
- MD5: 8228208f03bf7c256f89e7e5bd5c86d3
- SHA1: 94821013aed325a8ca1ef623c87fab6bdf14b1ec
- SHA256: 4988f4545bb2c6023e4e27da114bf159157da4d2dc7f88541b7789ba7b875c0a
- SHA512: ebfca19714d23fae30b81b13609bae4e0bcc525064824e0e6e842deb09095c1344537d77970f19d8997ec4ffeea02fb41f5c06e61a9be856d2e2c248f0dca678
- SSDEEP: 24576:B2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedbRVldlnXfH9gPwCn7vOb7HHcg:BPtjtQiIhUyQd1SkFdbRVlbnXf9gPTTg
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | Process
1812 | alg.exe
436 | elevation_service.exe
3592 | elevation_service.exe
4488 | maintenanceservice.exe
696 | OSE.EXE
4196 | DiagnosticsHub.StandardCollector.Service.exe
1052 | fxssvc.exe
4464 | msdtc.exe
2136 | PerceptionSimulationService.exe
632 | perfhost.exe
1680 | locator.exe
3576 | SensorDataService.exe
4988 | snmptrap.exe
1516 | spectrum.exe
4176 | ssh-agent.exe
4916 | TieringEngineService.exe
4384 | AgentService.exe
3640 | vds.exe
4500 | vssvc.exe
3280 | wbengine.exe
3188 | WmiApSrv.exe
4336 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, msdtc.exe, 2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe, alg.exe

description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f346d42c1ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, alg.exe
-
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid Process
436 elevation_service.exe
436 elevation_service.exe
436 elevation_service.exe
436 elevation_service.exe
436 elevation_service.exe
436 elevation_service.exe
436 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
660
660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 736 2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe
Token: SeDebugPrivilege 1812 alg.exe
Token: SeDebugPrivilege 1812 alg.exe
Token: SeDebugPrivilege 1812 alg.exe
Token: SeTakeOwnershipPrivilege 436 elevation_service.exe
Token: SeAuditPrivilege 1052 fxssvc.exe
Token: SeRestorePrivilege 4916 TieringEngineService.exe
Token: SeManageVolumePrivilege 4916 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4384 AgentService.exe
Token: SeBackupPrivilege 4500 vssvc.exe
Token: SeRestorePrivilege 4500 vssvc.exe
Token: SeAuditPrivilege 4500 vssvc.exe
Token: SeBackupPrivilege 3280 wbengine.exe
Token: SeRestorePrivilege 3280 wbengine.exe
Token: SeSecurityPrivilege 3280 wbengine.exe
Token: 33 4336 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe
Token: SeDebugPrivilege 436 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 4336 wrote to memory of 2032 4336 SearchIndexer.exe 121
PID 4336 wrote to memory of 2032 4336 SearchIndexer.exe 121
PID 4336 wrote to memory of 516 4336 SearchIndexer.exe 122
PID 4336 wrote to memory of 516 4336 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8228208f03bf7c256f89e7e5bd5c86d3_avoslocker.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:736
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3592
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4488
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:696
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4196
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3696
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4464
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2136
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:632
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1680
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3576
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4988
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1516
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4176
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2304
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3640
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3188
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2032
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:516
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 e06e31f3d513e5b0085ab556203a7640
SHA1 0401150656454f2068ffc5a1a03e355091c9cd1e
SHA256 8f6438ea1a4fa2c3ae89e2764f998e0d306ac390e383333fbbda6f33a65935b3
SHA512 e655f17f9c4f135886bcf7085c78bb861fcea01da21ba13ceef96e66a4f4e64e01a0b955e8f549fcafafbdcb05b32555542967f0dfad7c236d2cd8667e49cce1
-
Filesize 1.6MB
MD5 b77b9e022f3a193a2ceba23f29f04259
SHA1 2680b9b052f697729361af4886a4b0fe7bb76b97
SHA256 9201ea1f1d0131f204232bad166a77be2253c1182b77124d2b5e3db1f94de7ec
SHA512 5a8dce41e605aa44314a58f3cd710c6ab59d772b0b843ad5c294dc489400e3dc5a437584be5f68489ef270a994b320549d42400d12c6199282cc74063f0e1926
-
Filesize 1.9MB
MD5 65bece98fe1603e878790dfefc218bcb
SHA1 f0ec5de83deb29615e8908b5cb689250943a788c
SHA256 553aa3003beccc1566f04cc5f414bfca5d6ba399c96070c838e186981d2ac164
SHA512 4f393997b0136be0ff63ad6f03216261d682d4825807b603285b8a9d7f788797b999a25f1624907bf72d9847d6a3f7f46a32888661504e6acc258ddbea4165bd
-
Filesize 1.5MB
MD5 9977a5523da112d38f2edc303ba23e0f
SHA1 722918d6bd7f7a78fd0f493bd8358e8b80fb26f7
SHA256 1a73eaaf107dab68950517bcbbeaa2a7f3827c685966d15ed4322db4b2275274
SHA512 400b86e15e9d90a5382bb2b092bc842c94b56d2373f5c6d490dea2bb8b57eddca76cd63c7091b874313a48568dd59f110f1c27d978b6a6808b1958869657a731
-
Filesize 1.2MB
MD5 e0619f02018d95e6bd3b53b6f1a3ec06
SHA1 181a0719695da4cb76f39b4ee2716976d9c7a998
SHA256 a577484843e7616d41cdbd7ef896cdf2c514504488b930bdcbcade926a875330
SHA512 4d86f4ba9858ae5d1a0ee12200f067710f56c4da2dfbd30497e2cb99869b3a73ae7f7620761e184353243ab86810954ea7ba752f5f0d1e248bf1cc77c4483c2b
-
Filesize 1.4MB
MD5 f12cfc46d1ac0a2459509d60df2b93f6
SHA1 6b3d1adf3845be7f644de1d37cf1a6df7c4b9930
SHA256 f4071ee33dae6f180aa55fa020b54a39432921f86c89dc9d5bb68c7e716358d5
SHA512 a217518bfba393629fc2d8cc4f595cda6e6758b0ed38d2553304eb51af623c8b181a8b5e02cc8cbdf4c58ab34d54e1e26764a4ad19f09d46ea801a04e2c75948
-
Filesize 1.6MB
MD5 c0414ebff6cebb1186c844acf6f74f3b
SHA1 45018ac05738f9b94e4bbcde901a44cc65e96ee5
SHA256 cba0bf9e9b0c39e859ede90a08563f91da8ab3e8e5c37e2898c0747feeced7c6
SHA512 8e2bc4d491d1020f911e91315343b6da38d4d5bd6fbbe6b4719be8511eb250564b28c20b082809584cc1a6143769509b5d892df35e5e9c5b6315a0f3112ea740
-
Filesize 4.6MB
MD5 8cf42cae95a4c43a2d88a87c11f095c9
SHA1 34a521c987a134fe260ebb119ec5ab9ac7e6d63e
SHA256 67d6f60bcdaa18cf2a05f50e29df426ce35e6376506246c492eee21191efad7c
SHA512 34d699a43da5b36969c1b4407809c9f57878ea1c583401d1546e0d91e14f9b3688ad40a28cd961e52357e96333b953c70e92696ed9914bf1f54dae4391a8bbf3
-
Filesize 1.7MB
MD5 1b9e5c0feaaf6ff84f2edbfd04f1281d
SHA1 e342a24487326a936b300cf2ab41fbb4533c574a
SHA256 9c93cdec7716ac220bb6714865c01a4ce93ada306dd9ec792e126597cdc23bf9
SHA512 2f79da0b2d72a654dc288190a930ace5d4d217f10a36a468ed32ba6f8ec73a4da93d391983faad44229bdfaf597a97b75ce6fad087219b6e27fe6dde7349aadb
-
Filesize 24.0MB
MD5 58fb6dcc159861257a6b1cd86f80659d
SHA1 18922448d235bff4be24ec805f93ca2eb0311ce3
SHA256 543bda21e0b5e90b6fb9c2301570833e23abb1fd898c320df3bb765abd4b95b7
SHA512 fd3961262d8d8b3e69f778a0ba864ee37624fa6de9b952bab7883beaaca13e035b757f6466857b17c365a1e1b107deeb978ba2cc3a57aba068b5ab574c1881f3
-
Filesize 2.7MB
MD5 5c7178246ac911983dd4c2800669d8ce
SHA1 e1bbca112aa927e62eb84d42f565f574b6fd775e
SHA256 c3c040b12347dd98816bd762ee9468eb8d3ea3d2fefb55b883e5a00e965540fa
SHA512 1fff536bd8dfe986b6102ae00d1314f91fde209f259f9c4b1e0e573361574fea63509a906cae36f43bcee466988e3cedcfbe0f7ec6976138e72d9168d62dd798
-
Filesize 1.1MB
MD5 af203cf75e75f15315304315b4fab3cc
SHA1 73bb87b62991e91ffa219077e31ee2e0f653aa0a
SHA256 48aa4d710b298f00901e0992ddbfbef3803a85b22ea0ed9854f84484cc94d398
SHA512 2ae1f21749aed05504ae9e51eef695992b9475b2eecf22cb8c1383dfa501b90c6cf88d5addcb83ef8b3fdc8dc5ad13f915bf3b468a527df6683af22dd4b3fde9
-
Filesize 1.6MB
MD5 09aff03161e5dd72c3bef1249a07d2ba
SHA1 146599942702aa42fe05ba463e2f83dd87fa877d
SHA256 139ece583d448224fdb543fb1d4a281d8074c63633b24e42185b0c755bd659ca
SHA512 b256e89e7cd659ec7e5806a9bcb6288f3df3b0bd191a800c394501ad7eef0c049cef85e90258723be6e0de758f940c0ef6aab7ae4e7996ea2e5eede269d1ea29
-
Filesize 1.5MB
MD5 2e623cdaba05ea79aa1b8e525ad26e07
SHA1 46ee767c7d061a990483989246f05280834390e3
SHA256 ed3253d61d45af5c458971abde7249dc9615348a714dd59bcaa8dff662db0ffd
SHA512 6631efe7f140c0efb98638a90f3bed965ced1016dfe06393128806af20047503f66d71a00abe82822581acf426b65d2213249495292167ca4b5e6d5a568fd6cd
-
Filesize 5.4MB
MD5 9f8a2f7d4bdade562e67daede03f4ae6
SHA1 9b4e9eb6211cb0c35afb323a3be89299a96e5d2a
SHA256 37ddd9f6f306c8e3fe0adfe487be407672cd63b14cb1fe4ce3083f50d6646828
SHA512 81654a7715d928c1a19f90e275f71619cdd2d45ce2b1586bf5ecebd0579b866592ef62dd9d000eff58bc8041c74ecb9460f33318b663506d5de310fa0ee917d7
-
Filesize 5.4MB
MD5 a6d350e0cd994973829fb2263e2d938c
SHA1 3f1111f1aba3d737b2d43e3c10f95a091b29543a
SHA256 d3437bf56bbf5e22220d589aa2d1ad6ac48a8bd029e4245eb66afa4961a225be
SHA512 a6c3a7111b2379f54c6324b1ee1ef9be21d414dad2607cdec29ae35e66bf33b175af1ad951fc03406821694a12dc27b64ec6e7a8f34c2316907c9e42d03a8626
-
Filesize 2.0MB
MD5 c947b4c7dbe5c506de448cfef65d048d
SHA1 fb68f303880a18f6a760b01c00c7c3e95f3b6bd9
SHA256 c044be543a58425ae20545b757c41aef842ace95a945ffc59d10865688255549
SHA512 24cd441219c367eebc55fe2d81b0ff94953d6ffd572d04c73c32186cc95a40b3e1570242ffae27d31549711c254ecd34021c4c6c981d2eed0713374d1862c4d0
-
Filesize 2.2MB
MD5 f657cf6529caa217392fa8eb7a3c0c3a
SHA1 a45323e74e0d1c06c59fa7cf5a89071ea3c2a0c0
SHA256 031682165a387a1f3dfb254d29f9fd35eb4cca508d79166e5795bc5659bc524a
SHA512 ddb54853d6c34f8802c8c4c581481ea686572e3aae69542cd96afa73ec5cc358cabd7204c88e0d820847d1c18804c5935683754fd67ad75bf16d8c703ee07704
-
Filesize 1.8MB
MD5 86c1f548eef6fe88ceeaa0822708f43c
SHA1 25744a99a99ad3e75f589cd5e21bdf01ee808dd8
SHA256 648f4dfddc939c95e48646b550e3cadd90d35cc5d5fad3f81d7469f4d2275866
SHA512 c0e8ba8f21f5515184c4ffef69c683812182566f2a7f719cb823652681c29f365b6818396951db1acf649aa79440c54fc638052145218a623cc20230650316ca
-
Filesize 1.7MB
MD5 cb7f3b63c560184db6cbc807f5502ad6
SHA1 237e4bbf140b1eb731b8d0ae64620cec056b3103
SHA256 ec8385e94e5f9c1dbd562cc4688da18401732b968a01d6d3dc5ea51afbb9fe2c
SHA512 bbaddd92705886448a5e925e0d9903ee52778c67c22c3a60122fc023cee7f7d88be5adc1fc02cc998d9ae8bd89c84c6134b5a834715a4ebb0b55b0283b83024a
-
Filesize 1.4MB
MD5 453591dac7540d2f36c1301dabaaf8b5
SHA1 8056a955e728f056df2937078ae61bee822fc3f4
SHA256 21fd8a088dd540a68f74dc306a5d1aa48ba86869248f37f3fd3de72267013141
SHA512 9bab42c5810515154faa592e46104bec19e1cf42d02850396bba3f9791f9ea155ab60c9246d9076c2eb912abd7c60a965055ca4e09ba618263fd8c9cedd5bb7f
-
Filesize 1.4MB
MD5 671b03ba88ac27b09bf38a2abd78e050
SHA1 899b1ea7eb98dc1de0e20b0f90c87e7779119fdb
SHA256 96db06f342ac2aa10850b209a1f68ad6d81cc5a75623b2db6f92de7fb985101a
SHA512 5d7001e4550b2793965a1278202ffc0e3da39eaca34a19bf837f1da7f67186124028510c6cd3aab5232a22fa66ac9da2a723007704589bd58ca9eac60d19bdf7
-
Filesize 1.4MB
MD5 6d13263a29ded1fe5be9e6b0b2b524a8
SHA1 df8256236d1469f1a50407176fd87f945c0080e5
SHA256 7a89f9a510e6e9fe0fb79714c445fce1f0d18fd901a71e322d7307e2a8717abb
SHA512 2f43eed6d5f9778b4fd99be12b19371146872dc202e65852216e2bf50fe29d4b5a8bbef6d6a406b661f8beeb88f46f6ce74c1f77fc3fbf1a25694b581f078cae
-
Filesize 1.4MB
MD5 33ee3d56b44eb52157d246cf43915350
SHA1 07bab515566143a1274af4da8af491aa00aea13a
SHA256 e781a42f97d822051bb3db38b91054fee990f38290a8e5176eac238463532256
SHA512 89b5de17cc7a4083cd0148f4ceeb429b1aa888c44bc447ab6a9c8989c86f2ac7292e624dcfa68ff88cfa3ff33875487f18a2dd1c23e4454c902ce021913c45e6
-
Filesize 1.4MB
MD5 9fd0f51e505ba2c58e214232b2b655ce
SHA1 3ac55ba33d6c224a6de4936fd9001b640bb18569
SHA256 c14827452d1857a12f77053c5a09081fd287fa905df4f6111ae7188dcff4924a
SHA512 4970a10a30ac4cdd1a144041003efb68fc1e8b3e0c6a2e6be1c375d94a4b6f83168e5aa55fe762b432ed32d5253ba2c010007c5475620b73e1bbfb5162418f0c
-
Filesize 1.4MB
MD5 d5d0a2c6be4c2b4e5af6a583ba32b4da
SHA1 3be3fe265415e7ebecfd3e1e2970ef757e3486dd
SHA256 9a7c380af63a1c6a4424bb024d68faaeedc0fbe435df5824dd06200dbd0fdaa3
SHA512 dd794255343f6cacc752db9b7ada48556f65d35159c091e8d15c01d1512b5120d8c0cd61c23f958dc6f106c1095a16e6b48b389f2dfa7efeb2fbb0ea9a5026ec
-
Filesize 1.4MB
MD5 d3f6b90694acb0fdf814bb6fafb522c8
SHA1 0a9f8b80643b7f210f67b391a0e97c9994efa314
SHA256 a7ad0f9b5df8b94b5379274fcdeecb65c55592f8d076f14ba564a48e5c768404
SHA512 5874ee2aa91ae84d910df84fbea8f715d56d2838c8cd66a0d94d639dce86091a720e19dd676a3888885aef4a1534fe63a043067de465157e912e2063808a0bf2
-
Filesize 1.6MB
MD5 3fa9855c36d0fab8514769435117aa0b
SHA1 e195671b3dd09b561822a4965cd0dbb903f6bd10
SHA256 5c51db938447b76b2603068ca49bfa038bf0e9f0c7c9c7255de57ed751a1711f
SHA512 803696dcd55e50844e0d5f04f75357437778dc6a6cd54ca253dbb4405c701922f41049a883750619bc19ab7ec981ec12c797873d2053b98d17892c7466f68b52
-
Filesize 1.4MB
MD5 dbf73d84af884ddb7e6cbd51e860e04a
SHA1 ac87a2a60ee365761a92148bf10132af28b1fc34
SHA256 803021752c8870958f1074d67fafd954c1c771840ba0c80248f0057665b7359f
SHA512 de161b2d5af21dc61d7b9911fb60f745f10e99f87b5c317168474c217a9c61fd3d780d43066f141ffd58678dcc185293b349a1e5ea0a4b090f177e8fcb9e557e
-
Filesize 1.4MB
MD5 dee9fb112d4b8669f83061f100bb5932
SHA1 e94977fde2965ea311600a12be6e8c3277b86d16
SHA256 283b6a6d83231669e8326b63a487c9ee78d94bd244a71beb1211ab3c69945fa3
SHA512 65a614c38ecd305be3ab513c383731a45e4afa737e13ab1beddde961d8424c2b37898026571f4e1c38e6da975998aa62989a61b360827d842c03386e6eeac9c7
-
Filesize 1.5MB
MD5 f3d7d01ae3132a498fc9911501aa11f1
SHA1 17af4c7934321261dffaf0d30ad89c5a0fb9ad52
SHA256 49c28846bcf1af625518c1b7fe6282a2eca0a03a5c4a8c48e525ad873426b1d3
SHA512 407c374324e9ebaabc716500ed305dafbf94b0cb28e98151b8feb61307c701b7cbab481cba06c7d73c79dd8df1e45248b2c084c4d59281e2c4ef8f7b2d856c22
-
Filesize 1.4MB
MD5 06d382fe4a8f12d5f0976eea50855dff
SHA1 2e87543d277803a91a43154416cc1799219b04ae
SHA256 190e18defcc33c97448b21bc1132aeb341ea65c5c6af164b2936ecf500ab684c
SHA512 ff251c1859d8c2fdc42ad697447a8860502481c33628c09c9ff3235440df3085edbc82621bc75dcfa0ceda0168e6db7127b32e5a14f81a116bde708b2bac1357
-
Filesize 1.4MB
MD5 677e64bb3715744f9c422d8eecafb679
SHA1 a0613414211b349d9354327a4db7a67105dc371a
SHA256 854243cf0d4ef1b6ecbf3d1a8d0eaa6239b22c0d9b666fff2892e9844a5d73ff
SHA512 605ad35bfb1062173b660750f1b302f23fa9c6a2c65b2d2186f48a8adc5ecd340abbd9157867b09b1b8c844bc70122fa180eb692d7b794b965495565df2a1501
-
Filesize 1.5MB
MD5 cc3e7dbc96b679b1d115b77bda8bcfc3
SHA1 7a5ecc6a6b125783a401937f81122610bda6ebd2
SHA256 a2e2fbaec842bce61a092d939f52971d35b8ed6cd27c32a8b15c9d678c60d98b
SHA512 0bec31160b64bda00973f1c366bbd3e7eda990c14fbb705a50aedef899c9c3fb56323e718df9706858d74356fdcaf082fb478a12493556cca74fa5dd72f5b690
-
Filesize 1.6MB
MD5 2632154a185d827146baca8e4e0cfcc2
SHA1 7a0a7c9fd543c15903a9c08218f1333f2be5e5e9
SHA256 c8487e6e723970c0bbf9cf9cc694bdf8672e47637f54995f1ec5955f1a44e170
SHA512 bdfaa701fe36048e6202a7419a573ae61a3af6503ce31a7f12e489c225b52994998b31add03ac6ef56cd1366536d90ee564716ca2502f3ee18ee07da7b7fceba
-
Filesize 1.8MB
MD5 d0d11b3fada1ac7efe69f04fa595db9b
SHA1 796ccea7cd5654de90fb16c0fe0a5e2b2b93660c
SHA256 c93a60e9506487341aedec37fdd693ba0009708ac62dff6937c229d190173fb0
SHA512 e59463d47915c71d9c540ffaa93098a4fea23e2f67be8df530fb92cb634adf2584887f2851083ee8cd7b0efd73e2038a255dd30d233eb739fba2bcb25d6e57ac
-
Filesize 1.4MB
MD5 09e637fe57edea1ce6beec5204ceea92
SHA1 c5032f7cd33565d386d23835fca28ea64521b1bd
SHA256 50a086fed0d6a787826379a9fdf57fd18ebccdae8c5aa7553b2240dd536fcce0
SHA512 a4193e516886d2fc1f1196ad867a5eeb25c8e88f36d814efd5d5262aa58cfb7a9b16e5071df2fd9bb3af40bd9a8eaaad9870ce6001740182feb9d040911f84d4
-
Filesize 1.4MB
MD5 8fb0cc2e59a65a9e8ec3ffe8f85dac7b
SHA1 cf4c8b0ce1b60dee9e1c8e379c3907f16a1eb922
SHA256 50b14a2198956d79072f7d0214787db09c781d8046cf6fea3f58aee2c9996b93
SHA512 3d35c94dd973dc4b4ee7c26d4b5e1c2644b086968315bef28b9215e467a35ea35767e05c262fe2e58c6007917440fa9e30cf0f9cf437b75ed50cfbe9d91747f6
-
Filesize 1.4MB
MD5 b4c1a3b865768a28a1255385ea0e5354
SHA1 c9c6d3d8740e0fef53e6b90bea433d097990b4b0
SHA256 d59fa4e65e095333bcbdbecd5c73bfd7f5573264313784a008eb845251233b21
SHA512 e0cbb0aca226ce05e3313934f7eeff3bf6d26e7475b4e4d84f157f9fd39a0016da246436063cbf74efc53b6d65225811ddf5ccda2c206cde06d7b47963715998
-
Filesize 1.4MB
MD5 654fbeabf8684c4e0f901359e0beb05a
SHA1 2992b9e39b8b7e0bd9f6ed3ca2cd3c9bee4048f9
SHA256 ee439b23e23239ee5e0c63b1478b5033e9a8cc31a990550cec40e4d5ae865566
SHA512 5aa2a934cc24b6da131764445a169fedf38582d2d22d1eb5234f48a5e5159e59e3ab1d49415198bfad1ed86d8524b5a2cd371bc6463b42482b813ea2c9f9377b
-
Filesize 1.4MB
MD5 71c0c6660cf166d727e8e44586bae8fc
SHA1 c3c8ed5b769e5a63388c8d0f0f8dc2a86d7cef2e
SHA256 ebe8ba28d67c4822ac7ea6d81bd60a5b5f6882e06066484de5207c376670f112
SHA512 506ba8f726bba0b89588f0dc1ca86bd4cb76924d77787b740b6c35326b0e44b30bebf298c50aad2853967b3801a94e4613500e423b2e321fffd43b88d40783c9
-
Filesize 1.4MB
MD5 94eb6117882ff8da46adfab3d0ff151f
SHA1 89d47c941e0effcb5daf102db2de1a8dcc25ed81
SHA256 c88e7e5c0e1910ebfe1a903eb30872ca4861614550bc04218edb4c3df3bfd63c
SHA512 5f42a42b2070efb876ae69b7de53314e532106a593e22a62873992c8b262acbf322029bcb0b7fe94a399820033cdfb0d22fd8c295c7827f41624885deacfde5f
-
Filesize 1.4MB
MD5 5641d40c1249f021830e696d7e5353f5
SHA1 7eaa129c33a3d3b84c808c7226a416e38339b94e
SHA256 5886fa37b980aef2c073030b2f60599622480ef776c4a5ec4d81e2f3fa6ccb83
SHA512 00b50d51d966535094d5fc78118387d34547a09ebd2cf06e4ac4a3f0c12d1359200357c3288377a1599c43a47cdf4c87d8f4c19173f907ff1865c0af17cf40bf
-
Filesize 1.5MB
MD5 e0b6476f8121dabec8694362c1e616bc
SHA1 5b6f3ce2a9eef46c52e032541fa128df810f304b
SHA256 c702b308ecd034a89926db83835ba9aafae78a71072470820f90596dff3728c1
SHA512 a46cfcc75b118df54766a5bc5c06a749f3805d0583ecb4eaa15663b313b607fdbc2199ffe6ce5eb9ee975675cc2a5442913799c424c816482f2e40e544253664
-
Filesize 1.4MB
MD5 87057ccd902462f797af51aae4afeb85
SHA1 01c2ce71a2d003ff822c1102f90b059b4f5cce8a
SHA256 04b71b6808de2e37bd05c2bf956a1fa340988d90d14427e5f8cd9355dc0db841
SHA512 7f9f679e5407c2354a8bce6bbc45312820b0bcfa0d9c6ef8d4e9b9f3f6d37f6a9aace7c1d9c8c38053b75127fe24532de77f0d0ac466c3f85f89500467537085
-
Filesize 1.7MB
MD5 a13553ec40aee120890d88dda86d388d
SHA1 c544165abf8873ad6c5d10aae8603b9645f59a1c
SHA256 fd2331c05b057bacf548b93c5dc8a64812b9c80af59d207f9c7388394b82e273
SHA512 6f035a834150c0350e2c3d87b12a46e09781c69c0b4064dbcf08a6c72f7d622abdebe4fce214a5b4ecd9b2ff0daf0ff9de589a4e25649ab2c59cd10548cc2caf
-
Filesize 1.5MB
MD5 eb83ab63eb64c644ceebae6e09bdbc14
SHA1 c1bfaccaf1c1c2d3e92bbf538660fd6013db9528
SHA256 299e7f40548c79dc988421e1591c255af796813d82a1fe36c13a39add83d50d3
SHA512 1364770a0bbe97b29305e076ed05eb86f1cb68da8f8a06c8ee81e7d4e355d37f83432187d99ecad32e713d0640ac136857db95c0ebbe426a6fee0b443b97cda0
-
Filesize 1.2MB
MD5 7fe811f5c5350444d4aa2d03dd2db4c8
SHA1 73e0e19ec76211ac8fb9adcd66355dd46fa4e837
SHA256 1de511c8a0866607f819fa073a4dce10d9a3f8f97447b5f16b3b325922b8efd0
SHA512 05531e9717883bdba56213087a6d2e20d9b29a5f5168ad5f14f2504e89cd029daacef7fc371a2774aaea1bbc8408853bb0a1ae2e276031cc979d2d951f956ee2
-
Filesize 1.4MB
MD5 6df2a666d6834cc3f94f911d968ea0d7
SHA1 a590c1714adcf582ed0466a643bed223f419ee55
SHA256 d60f422f2ad3acbe7af46f835eaf3429202ec5b0c5f09453206b08a6d1088b49
SHA512 878f7f4725c23f8458d35c13ab8d7f9b3fee269cb553a49ef415823b54606a654c31eaf259347770939b8c72a284bd5078443fb794e4baec907c83fa340233ba
-
Filesize 1.7MB
MD5 6f093942e7b78ac8f1d1bbb31d3d07af
SHA1 90e811948d2485bf1a992a59268ad8bf9321bb0f
SHA256 740b72c2d95e857c0582b917cf0161bcf737455b2c1d5739021085d5c9376d75
SHA512 5e112b74e01c36439972e725c5db1e4d655c5349388acdb323a4dd06f65a09af1872131c30432fd67652c57a3669877c1c789597e0d347f9bba9d82a2545f2c8
-
Filesize 1.5MB
MD5 4839a23ec87adb8e329230097ee8f2d4
SHA1 c4b8f2166f1d3f8ebd3a7c07cbe871f80ca8296f
SHA256 05a9ed10cef4ac2d44aab3b865ffc0deee193cd6c2b833e357f72a1cc9305fbe
SHA512 8224e0ebb4e45fc34e5213e55784db94aa32563fa2205f19ea75b254746c146779cb234a39c497fd1b12f7a6d08aefafc0ded0b1d45ce79a2dbe525a5eb7b550
-
Filesize 1.4MB
MD5 8238b499c97f7128601bfab03564c5cc
SHA1 9ff8b82ebc60bad9216354275124c942dd124ba0
SHA256 ca0e831cd429ed20d421db34b40f6be5653c438e4078ed9c75c09e22dd458c6f
SHA512 88de021329aa2b83f428d3d4dbdb32ca6040ac5261dbdba9e63ecb3e43205d1b4abd31675ea6129c129682d67ebc115995d03adfb316df9e6584a3ca177904d1
-
Filesize 1.8MB
MD5 8a9a534771b0e7e30b2ea0a3686f39a1
SHA1 3be681f2576246115f21b599f2668d14e4b19ca7
SHA256 f18821ced4b97f447293db595b8da3bf6aebe888bc72386cacb500edfbfcec21
SHA512 a3da7ec60d7ddac6d7791384379dff995834ed801de5a130666b9a0314cc0ba56c5a7aee802e78d5384ce5111e409d8cc07b89a36ae01be354e6b84416f66199
-
Filesize 1.4MB
MD5 4a6014d1d27bf91c24ad716e97fa02c1
SHA1 18809ec7cac61ff7c99799f787dd6951880f52d5
SHA256 5eac97f28f435a194a23190f4b8a546874f88f0c568f5901168e5d7d051841f4
SHA512 6f515eadab4b000d0f5bf3e231ed41c9be8be63851a9b73486771cbeee11f279acafdc02ca700ef46d28ed69c0a7dfcc987ecfa1b11a703031ffc5024f22d851
-
Filesize 1.7MB
MD5 3d670995c95a1e4c8c740e131960ccb9
SHA1 dea1e134407f3af889d05adf7d4cc1138e5e388f
SHA256 3507b1b6b5f197f5a95b816ae60b400356441a05711ff7204d18ba563ed6f5ab
SHA512 db69c3985dd3fd9bafd590c02a3c7de90f4392caf51d17b6da731e1123303745a9b5bb19e4c144eba2efac6ef50c918afbad438920aa53c1054f6d0b4818a2ff
-
Filesize 2.0MB
MD5 26859961dc17657918cb2e1dede6b6a6
SHA1 99e272ff6f1deb488231b5572e67f3ffa82bb39a
SHA256 d668ddb1c99bcea265e61c556b452cecedad870a98a6baa4b738ebd1d0430451
SHA512 7449f8517d9da83948c80c033e104c7a2059a6896e781d16f78de356e24b294d087d683540935cacd646f2c47f0a97abfff7ec9d3c28674c5463c61e3cd28299
-
Filesize 1.5MB
MD5 c6e9699382df52cf024ea2f7f2e9dea8
SHA1 916c34fb068d67eddf06beb3c622976c89930830
SHA256 3cb2293458e13b1033b25f9600572efd61151b16249e15b6bda722f191dbd1bd
SHA512 2ab4285943d5d8fa33ca41efe931b8a484934c04fa2b37b9fdee29caa1a9ba63e795325b5f2243b48a48e68f76ec47e134a8c07ae42b33d0baacfe04b2ae6596
-
Filesize 1.5MB
MD5 ebc9ad93752dcbabe4bc0bdb4e1731ba
SHA1 71f9124ba7dd7179b9577abb1947dea788cc0312
SHA256 13a856c0a88d80fb8d7d441dccc0ca9eaf2f75f3d3efa42461b1a31f09ed6e8e
SHA512 9ba0c2719da5237bc519dcd9f850763378a5a5dbca2c735cab55b186db0c546427e4e4b3497658593f6d7339da787264969413b48404eac78e57640850b60f32
-
Filesize 1.4MB
MD5 2045bd9cdfedaa97df1e722d749bba94
SHA1 ce53aac530e65eb947a7c3562e4787454c8b508a
SHA256 05f247f7849ec217280a7032fcc333314f33412c7db43c01451d52ecba7d3746
SHA512 acd87d07532d3212c752ccd01aeb363457492ffe7cbf8a8a6ae1eca731fe650c8b91abac925362139247cdb0b28bb8dcdbb2e50003c0bd43583375908c42698b
-
Filesize 1.3MB
MD5 ad5d5bce17eb39da22462bef87126195
SHA1 708d3e8a5b4c2c0319f7c65e5bcd05f690cab55f
SHA256 1f59bb000da4fdc38d819ce45c44060428efc322db9bbb151c150e9968d5ded4
SHA512 a93e76b3eb97dc260dfa524c221b33accb292a13c364ffa15ce9b3163b12d7d8e425467d87fa771d3e2ee34a4b76cf4991b42a7b520e0bc0ae868802186ad9ef
-
Filesize 1.6MB
MD5 cab65f4dbe8e1aa8b90b5c93671f5b3d
SHA1 a186a3491357f38e1be752b2d3e27904632abec0
SHA256 910ef4f12fd5a9de411ff3f3192c4a4fbeac3783236653c2127de75ed65f1d66
SHA512 11904c8f04c5be2821d345cdf2c76364235e686cb06f1ee791608fd55dea6199081d46b96c4fa6fb2edfe9abdd08d4591b4fa134cf088520acdaa7b9619e81e6
-
Filesize 2.1MB
MD5 ba5a65bfab3f9a0fae7267f40658e62b
SHA1 b767b230c049a70e893a4552ada26cee87b10843
SHA256 5d642bd51206773ca5ba4c7cddbab01384d24174e65d007af7d0f88bb25d8c8f
SHA512 3308112beefd63d75d515d38987ee89a8f314dc9aaccbd86431e194faf9baa2ca45b32a6ada6ee20a34c0b00cbb9b1562fb9b442ccbac542ec8d49264b1ca46d