Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 07:42

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
Resource: win7-20240508-en

Note: the task list names a Windows 7 resource (win7-20240508-en) while the analysis header names the Windows 10 image (win10v2004-20240508-en). Several paths in the IoCs below (SgrmBroker.exe, PerceptionSimulation\PerceptionSimulationService.exe, OpenSSH\ssh-agent.exe, DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe) do not exist on Windows 7, so the behavioural data shown came from the Windows 10 run.
General

Target: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
Size: 2.0MB
MD5: b28e98015ed1924c927a3ff8099345bd
SHA1: 2ec346e599d4f9046561a84fbbebe96abb8e316d
SHA256: ce16a0909552bf933412d7fc85a817ec33e855c3e9ee32db79d8d23d82f592d5
SHA512: d65595db8de9699598c4d5bcd86a5cf23534b82ec7c198446bc7e7dec6d0d6c7f75b736039a541f6f45045b9ebe0e43bd111b1b643d05a1edff078c9e66e99d3
SSDEEP: 49152:l9kZlyP3pgXWFVeVpPsRRE7P7S33isGcnlQHPxi:lcgFVeVpU7NnlS

Note: the file name embeds the MD5 and an "_avoslocker" suffix; that suffix is part of the submitted name, not a detection made on this page. No family-specific signature fired and no configuration was extracted, so pivot on the hashes rather than on the name.
Malware Config
(none extracted; the section is empty)

Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  by 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
Note: Geo\Nation holds the numeric GeoID the user selected under Region settings. It is not derived from the IP address or from the system locale, so it is a weak geofence: a sandbox can set any value here, and a victim with a mismatched region setting will not match either.
Executes dropped EXE (23 IoCs)
Processes (pid, process):
  3556  alg.exe
  2288  DiagnosticsHub.StandardCollector.Service.exe
  2844  fxssvc.exe
  548   elevation_service.exe
  1936  elevation_service.exe
  2328  maintenanceservice.exe
  2460  msdtc.exe
  4236  OSE.EXE
  4400  PerceptionSimulationService.exe
  3944  perfhost.exe
  2072  locator.exe
  1536  SensorDataService.exe
  4288  snmptrap.exe
  4552  spectrum.exe
  2012  ssh-agent.exe
  1436  TieringEngineService.exe
  4004  AgentService.exe
  1432  vds.exe
  1236  vssvc.exe
  4732  wbengine.exe
  1580  WmiApSrv.exe
  2340  SearchIndexer.exe
  6056  Reader_sl.exe
Note: these are not new files. Every name here is an existing Windows or third-party service binary, and all but two of them (elevation_service.exe and maintenanceservice.exe, which do not appear in the lists shown; those lists stop at 64 entries) were first opened for modification by the sample or by a binary the sample had already modified (see the "Drops file" signatures below). "Dropped" therefore means overwritten in place, and running these services is what carries the modification on to the next set of executables.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  by 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
Note: the only IoC shown under this heading is the EnableLUA policy value, which records whether UAC is enabled; it is not browser profile data. Read it as a UAC-status check by the sample (the heading and the IoC were most likely merged from adjacent signatures when the page was captured) and do not treat this report as evidence of browser-credential access.
Drops file in System32 directory (38 IoCs)
Processes: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe (written as "sample" below), DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
Entries (all "File opened for modification"; path, then the process that opened it):
  C:\Windows\system32\AgentService.exe  by sample
  C:\Windows\system32\SearchIndexer.exe  by sample
  C:\Windows\system32\AppVClient.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\AgentService.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\locator.exe  by sample
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  by sample
  C:\Windows\system32\wbem\WmiApSrv.exe  by sample
  C:\Windows\System32\SensorDataService.exe  by alg.exe
  C:\Windows\system32\AgentService.exe  by alg.exe
  C:\Windows\system32\dllhost.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\AppVClient.exe  by sample
  C:\Windows\system32\dllhost.exe  by alg.exe
  C:\Windows\system32\config\systemprofile\AppData\Roaming\7ece38ecc8648821.bin  by alg.exe
  C:\Windows\system32\MSDtc\MSDTC.LOG  by msdtc.exe
  C:\Windows\SysWow64\perfhost.exe  by sample
  C:\Windows\system32\SgrmBroker.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\System32\alg.exe  by sample
  C:\Windows\System32\snmptrap.exe  by sample
  C:\Windows\System32\SensorDataService.exe  by sample
  C:\Windows\system32\TieringEngineService.exe  by sample
  C:\Windows\System32\vds.exe  by sample
  C:\Windows\system32\vssvc.exe  by sample
  C:\Windows\system32\AppVClient.exe  by alg.exe
  C:\Windows\system32\msiexec.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\System32\msdtc.exe  by sample
  C:\Windows\system32\msiexec.exe  by sample
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  by sample
  C:\Windows\system32\spectrum.exe  by sample
  C:\Windows\System32\OpenSSH\ssh-agent.exe  by sample
  C:\Windows\system32\fxssvc.exe  by alg.exe
  C:\Windows\system32\SgrmBroker.exe  by alg.exe
  C:\Windows\system32\fxssvc.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\dllhost.exe  by sample
  C:\Windows\system32\SgrmBroker.exe  by sample
  C:\Windows\system32\wbengine.exe  by sample
  C:\Windows\system32\msiexec.exe  by alg.exe
  C:\Windows\System32\SensorDataService.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\fxssvc.exe  by sample
Note: 36 of the 38 entries are existing service executables, several of them opened again by alg.exe and DiagnosticsHub.StandardCollector.Service.exe after the sample itself had opened them. The only non-executable artifacts are MSDTC.LOG (msdtc.exe's normal log) and 7ece38ecc8648821.bin, written by alg.exe under the SYSTEM profile's AppData\Roaming; the .bin file is the one artifact here worth collecting from an infected host, since nothing on this page says what it contains.
Drops file in Program Files directory (64 IoCs)
Processes: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe (written as "sample" below), alg.exe, DiagnosticsHub.StandardCollector.Service.exe
Entries (all "File opened for modification"; path, then the process that opened it):
  C:\Program Files\VideoLAN\VLC\vlc.exe  by sample
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe  by alg.exe
  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\7-Zip\7zFM.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jdk-1.8\bin\servertool.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\javac.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  by sample
  C:\Program Files\7-Zip\7zG.exe  by alg.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  by alg.exe
  C:\Program Files\Java\jre-1.8\bin\policytool.exe  by sample
  C:\Program Files\Java\jre-1.8\bin\servertool.exe  by alg.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jre-1.8\bin\jjs.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  by sample
  C:\Program Files\Internet Explorer\iediagcmd.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\bin\schemagen.exe  by alg.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe  by sample
  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  by alg.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Windows Media Player\wmpnetwk.exe  by sample
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE  by sample
  C:\Program Files\Java\jre-1.8\bin\servertool.exe  by sample
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe  by sample
  C:\Program Files\Windows Media Player\wmpnetwk.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\7-Zip\7z.exe  by sample
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  by sample
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe  by sample
  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe  by sample
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jre-1.8\bin\pack200.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jdk-1.8\bin\jstat.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\bin\java.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jre-1.8\bin\klist.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Internet Explorer\ielowutil.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  by sample
  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  by sample
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe  by sample
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  by sample
  C:\Program Files\VideoLAN\VLC\vlc.exe  by alg.exe
  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Java\jdk-1.8\bin\rmid.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Mozilla Firefox\pingsender.exe  by DiagnosticsHub.StandardCollector.Service.exe
  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe  by sample
  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  by sample
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  by sample
Drops file in Windows directory (4 IoCs)
Processes: 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe (written as "sample" below), msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
Entries (all "File opened for modification"; path, then the process that opened it):
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  by sample
  C:\Windows\DtcInstall.log  by msdtc.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  by alg.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  by DiagnosticsHub.StandardCollector.Service.exe
Note: PresentationFontCache.exe is opened three times, once by the sample and once by each of the two service binaries it had already modified, which is what you see when each overwritten executable re-runs the same routine on start-up. DtcInstall.log is msdtc.exe's own log.
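The three "Drops file" signatures and "Executes dropped EXE" describe one event chain from different angles: the sample overwrites service binaries, those binaries run, and they in turn overwrite more. The script below is an added example (it is not part of the sandbox report, nor tooling from its vendor) that reconstructs that chain from the report's own IoC lines. A subset of those lines is pasted in verbatim as constructed input; the function names and the "file-infector pattern" / "dropper only" labels are this example's own. It assigns each executed binary a generation (0 = the sample, 1 = overwritten by the sample and later run, 2 = overwritten by a generation-1 binary, and so on), lists which executed binaries went on to overwrite further executables, separates non-executable side effects such as MSDTC.LOG, and reports executed binaries whose modification entry is missing from the input (the report shows at most 64 entries per signature, so on a real page this list points at what the cap hid).

```python
"""Correlate 'File opened for modification' and 'Executes dropped EXE' IoCs.

Added example for this report; not the sandbox vendor's tooling. The IoC
lines below are a constructed subset copied verbatim from the report so the
script runs offline.
"""
import re
from collections import defaultdict, deque

SAMPLE = "2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe"

# Constructed subset of the report's "File opened for modification" entries.
MODIFIED_IOCS = r"""
File opened for modification C:\Windows\System32\alg.exe 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\7ece38ecc8648821.bin alg.exe
File opened for modification C:\Windows\System32\SensorDataService.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

# Constructed subset of the "Executes dropped EXE" pid/process pairs. OSE.EXE is
# included without its modification line to show how the cap shows up.
EXECUTED_IOCS = ("3556 alg.exe 2288 DiagnosticsHub.StandardCollector.Service.exe "
                 "2844 fxssvc.exe 2460 msdtc.exe 4236 OSE.EXE 1536 SensorDataService.exe")

PREFIX = "File opened for modification "


def basename(path: str) -> str:
    """Last path component, lower-cased (NTFS names are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_modifications(text: str) -> list[tuple[str, str]]:
    """Return (path, writer_process) pairs. Paths may contain spaces, so the
    writer is taken as the final whitespace-separated token."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        path, writer = line[len(PREFIX):].rsplit(None, 1)
        pairs.append((path, writer))
    return pairs


def parse_executed(text: str) -> dict[str, int]:
    """Map executed process name (lower-cased) -> pid."""
    return {name.lower(): int(pid) for pid, name in re.findall(r"(\d+)\s+(\S+)", text)}


def analyze(mod_text: str, exec_text: str, sample: str) -> dict:
    writes: dict[str, set[str]] = defaultdict(set)
    for path, writer in parse_modifications(mod_text):
        writes[writer.lower()].add(path)
    executed = parse_executed(exec_text)

    # Breadth-first walk: an executable the sample (generation 0) overwrote and
    # that later ran is generation 1; anything it overwrote and that ran is
    # generation 2, and so on.
    gen = {sample.lower(): 0}
    queue = deque([sample.lower()])
    while queue:
        writer = queue.popleft()
        for path in writes[writer]:
            name = basename(path)
            if name.endswith(".exe") and name in executed and name not in gen:
                gen[name] = gen[writer] + 1
                queue.append(name)

    reached = set(gen)
    # Executed binaries that themselves wrote to other executables.
    propagators = sorted(n for n in reached - {sample.lower()}
                         if any(basename(p).endswith(".exe") for p in writes[n]))
    exe_targets = sorted({p for n in reached for p in writes[n] if basename(p).endswith(".exe")})
    side_effects = sorted({p for n in reached for p in writes[n] if not basename(p).endswith(".exe")})
    # Executed but no modification entry in the input: hidden by the 64-entry cap.
    unattributed = sorted(set(executed) - reached)

    verdict = "file-infector pattern" if propagators else "dropper only"
    return {"generations": gen, "propagators": propagators, "executable_targets": exe_targets,
            "side_effects": side_effects, "unattributed": unattributed, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze(MODIFIED_IOCS, EXECUTED_IOCS, SAMPLE).items():
        print(f"{key}: {value}")
```

On the subset above the walk reaches two generations (alg.exe and DiagnosticsHub.StandardCollector.Service.exe at generation 1, fxssvc.exe and SensorDataService.exe at generation 2), names the two generation-1 binaries as propagators, and flags OSE.EXE as executed without a modification entry in the input. Feed it the full lists from the page and the unattributed set shrinks to the binaries whose entries fell outside the cap.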
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
(no IoCs listed for this signature)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

All 64 entries are reads of four device-instance keys under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\:
  [A] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  [B] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  [C] CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  [D] Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000

Which process touched which sub-key or value of each device (S = SensorDataService.exe, X = spectrum.exe, - = no entry shown):
  sub-key / value                                            [A]    [B]    [C]    [D]
  (instance key itself, Key opened)                          X      S X    S X    S X
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A     S X    S X    S X    S X
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A     S X    S X    S X    S X
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C     S X    S X    S X    S X
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004     S X    S X    S X    S X
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009     S X    S X    S X    -
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A     S X    S X    X      S X
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006     S X    S X    -      S X
  FriendlyName (Key value queried)                           X      S      S X    S X

Note: both reading processes are Windows service binaries that the sample had already overwritten and that later ran (see "Drops file in System32 directory" and "Executes dropped EXE"), so these reads may be the services' own device enumeration as much as the payload's check; the access pattern (the same set of device properties for every instance) is what ordinary PnP enumeration looks like. Either way, the key names are what a VM-aware payload looks for: [A], [B] and [C] expose the Msft Virtual DVD-ROM and QEMU vendor strings, while the disk [D] reports the vendor string DADY, which matches no common hypervisor marker. Three signatures on this page stop at exactly 64 entries, so a "-" in the table means the entry was not shown, not that the key was not read.
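The SCSI reads above all target Enum\SCSI device-instance keys whose names embed the vendor and product strings that VM-detection code looks for. The script below is an added example, not the sandbox's or the sample's code: it parses those instance paths (a few are pasted in from the table above as constructed input), collapses the per-property sub-keys and value reads into one entry per device, and reports which devices expose a hypervisor marker. The marker list and the function names are this example's own choices. On a Windows host it can also walk the live registry (enumerate_live_scsi, using the standard winreg module) so a sandbox operator can see which strings their own image leaks before a sample does.

```python
"""Audit SCSI device-instance keys for the vendor/product strings that
VM-detection code looks for.

Added example for this report (not the sandbox's or the sample's code). The
key paths below are copied from the report's IoC table as constructed input;
VM_MARKERS and the function names are this example's own choices.
"""
import re
from typing import Optional

# Constructed input: a few of the report's 'Key opened' / 'Key value queried' paths.
SCSI_KEY_IOCS = r"""
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
"""

# Substrings commonly tested by sandbox/VM checks against SCSI and IDE device IDs
# (this example's own list; extend it for your environment).
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "XEN", "MSFT")

# <class>&Ven_<vendor>&Prod_<product>\<instance id>; the instance id itself
# contains '&', so it runs to the next backslash.
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)\\(?P<inst>[^\\]+)"
)


def parse_device(key_path: str) -> Optional[dict]:
    """Split one registry path into class, vendor, product and instance id."""
    m = DEVICE_RE.search(key_path)
    if m is None:
        return None
    return {"class": m["cls"], "vendor": m["ven"], "product": m["prod"], "instance": m["inst"]}


def vm_markers(dev: dict) -> list[str]:
    """Markers found in the vendor/product strings, in VM_MARKERS order."""
    text = f"{dev['vendor']} {dev['product']}".upper()
    return [mk for mk in VM_MARKERS if mk in text]


def audit(key_paths) -> dict[str, dict]:
    """One entry per device instance (property sub-keys and value reads of the
    same device collapse into it), annotated with the markers it exposes."""
    devices: dict[str, dict] = {}
    for path in key_paths:
        dev = parse_device(path)
        if dev is None:
            continue
        ident = f"{dev['class']}&Ven_{dev['vendor']}&Prod_{dev['product']}\\{dev['instance']}"
        if ident not in devices:
            dev["markers"] = vm_markers(dev)
            devices[ident] = dev
    return devices


def leaking(devices: dict[str, dict]) -> list[str]:
    """Instance ids whose strings would satisfy a marker-based VM check."""
    return sorted(ident for ident, dev in devices.items() if dev["markers"])


def enumerate_live_scsi() -> list[str]:
    """Windows only: rebuild the same key paths from the live registry so the
    audit can run on a real host or sandbox image. Returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\CurrentControlSet\Enum\SCSI"
    paths = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            dev = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    inst = winreg.EnumKey(dev_key, j)
                    paths.append("\\REGISTRY\\MACHINE\\" + base + "\\" + dev + "\\" + inst)
    return paths


if __name__ == "__main__":
    found = audit(enumerate_live_scsi() or SCSI_KEY_IOCS.split())
    for ident, dev in found.items():
        print(f"{ident}: markers={dev['markers'] or 'none'}")
    print("devices exposing a hypervisor marker:", leaking(found))
```

On this report's image the two CD-ROM devices are what give the game away (Ven_Msft with Prod_Virtual_DVD-ROM, and Ven_QEMU with Prod_QEMU_DVD-ROM); the disk's Ven_DADY string matches nothing in the list. Marker matching is deliberately substring-based because that is how the checks in the wild work, so a vendor string that merely contains "XEN" or "VIRTUAL" will trip them too.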
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  by TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  by TieringEngineService.exe
Note: TieringEngineService.exe is one of the service binaries the sample overwrote and that later ran, and reading ~MHz is routine for legitimate software, so on its own this is weak evidence of sandbox detection.
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
Entries (operation, key or value, then the writing process):
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000672bffa689b5da01  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  by SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  by SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6160ba789b5da01  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software  by SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"  by SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008305d9a689b5da01  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  by SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  by SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a3a6fa789b5da01  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx  by SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfa2d6a689b5da01  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device  by SearchFilterHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  by SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  by SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e91a4a689b5da01  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"  by SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  by SearchFilterHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c6a9da689b5da01  by SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  by SearchProtocolHost.exe
  Key created  [entry cut off; the captured page ends here, and the fxssvc.exe entries named in the Processes line fall in the missing part]
Note: every entry shown is written by SearchProtocolHost.exe or SearchFilterHost.exe, the worker processes of the Windows Search indexer, under the .DEFAULT hive (MuiCache strings, shell-extension cache timestamps, FileExts keys, DirectShow device enumeration). That is the indexer's normal start-up activity after SearchIndexer.exe (pid 2340, itself one of the overwritten binaries) ran; none of it is a persistence mechanism of the sample. The fxssvc.exe writes, which might be more interesting, are not visible on this page.
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000268d01a789b5da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 
0100000000000000268d01a789b5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008305d9a689b5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" SearchProtocolHost.exe -
Processes:
2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7
438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exepid process 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 
2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe 2288 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 660 660 -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exedescription pid process Token: SeTakeOwnershipPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeAuditPrivilege 2844 fxssvc.exe Token: SeRestorePrivilege 1436 TieringEngineService.exe Token: SeManageVolumePrivilege 1436 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 4004 AgentService.exe Token: SeBackupPrivilege 1236 vssvc.exe Token: SeRestorePrivilege 1236 vssvc.exe Token: SeAuditPrivilege 1236 vssvc.exe Token: SeBackupPrivilege 4732 wbengine.exe Token: SeRestorePrivilege 4732 wbengine.exe Token: SeSecurityPrivilege 4732 wbengine.exe Token: 33 2340 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2340 SearchIndexer.exe Token: SeDebugPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeDebugPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeDebugPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeDebugPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeDebugPrivilege 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Token: SeDebugPrivilege 3556 alg.exe Token: SeDebugPrivilege 3556 alg.exe Token: SeDebugPrivilege 3556 alg.exe Token: SeDebugPrivilege 2288 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exepid process 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
SearchIndexer.exe2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exedescription pid process target process PID 2340 wrote to memory of 1092 2340 SearchIndexer.exe SearchProtocolHost.exe PID 2340 wrote to memory of 1092 2340 SearchIndexer.exe SearchProtocolHost.exe PID 2340 wrote to memory of 3172 2340 SearchIndexer.exe SearchFilterHost.exe PID 2340 wrote to memory of 3172 2340 SearchIndexer.exe SearchFilterHost.exe PID 4272 wrote to memory of 6056 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Reader_sl.exe PID 4272 wrote to memory of 6056 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Reader_sl.exe PID 4272 wrote to memory of 6056 4272 2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe Reader_sl.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b28e98015ed1924c927a3ff8099345bd_avoslocker.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"2⤵
- Executes dropped EXE
PID:6056
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4032
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:548
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1936
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2328
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4236
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4400
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3944
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2072
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1536
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4288
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2596
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1432
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1580
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1092
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3172
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
611KB
MD5
2adead4e8bd4c77f3dbf06056bfd7161
SHA1
c4eaec01a3705cb95c1c2e5a59b48a7d17489f25
SHA256
2c44ad3fba62c49407b130d5ee2810895bf8a738d478bc899a087833ab8c6eb5
SHA512
9bdc691b1f7c207f0f1d1cf2bc8d7ceab09482ddd2d4bead44c0cc5927e9ff8b75c00454a121e256ed6b2615677405548822c8b1cf01135e35d141ae87b2e198
-
Filesize
2.1MB
MD5
5719568b460ece94ed5a936189ad9ecc
SHA1
78529076eab71297ab653b7fe36705184d5dddaa
SHA256
58137456b87f7ace3e2eaef38a00d8ee0ef235ed0810850aa394c9f319f5aa6a
SHA512
a58332b9ced5c303800138cfb021b6c60b9ff08aa635c2280c092a297f16299755c6a86b691174a4f4dc18d0c476cfdc296567b2f54db83e3622cf183b403545
-
Filesize
797KB
MD5
9ae33ed640959eed52913faaf7e9f1ec
SHA1
75264c923ebb3a2213ac281c6ba0320170b180b5
SHA256
e7268b4e6f106247ecf923cc868832f132ab64b53a9fe80af996ed129db84ed0
SHA512
f7b3b0824932413a3d7c11775310b5f392c6984efa6054d45b38b474e5b565559aa6334b74c9979e3a8d5aed087b11f4a3174de0e2bfbceea6cf064ca796756f
-
Filesize
1.1MB
MD5
6d6e7391cde3c0f2b1310d70fadd6189
SHA1
24bd1dc2ebfa06a9f18508978e4e362bd682a761
SHA256
3088d0c7407a04d86437916431cad032caacb32a87613ba51a20e04bcc89d6c9
SHA512
834c1770c56c71f500109708863727e8ab16305eae4cb0082969c9f3a12774b739ad1f65da322c14a1307f1f216568371388cf4bd4318501173397a8218cbeb7
-
Filesize
1.5MB
MD5
740626483ac2796b4e53e05f9756eb85
SHA1
987f665e9d66b8b23529f15faf1e55ab039b16f5
SHA256
2c64f2527b76c3e27022d51fd24a35403d1e7b0d78c824f50e674bc908ece944
SHA512
564b71d2b737b86132d41d9c513d5afe0ba94da7275674db5d7c8b58292cb1d157a180ff44f8a583706cd8a48c77a3a0712c0acf56965ca4827e0771039e551e
-
Filesize
1.2MB
MD5
297860ac6f887da89a7ac1175f23bbb0
SHA1
2d3849e9c86728d312475e55f7dff55b18215405
SHA256
c938fdce08a38a01c665a4146c61e218eb684bd16d37033b2f8bc43fc78522ff
SHA512
3512bd87a7ef7a4fc0ae0cc7c77fe11fb25d8fa5db592065884854873321d44633d10236b05eb480f1f1dd5d9394b5d17777264e91f29edcf89733d9a763f954
-
Filesize
582KB
MD5
2698000398f10ef840fdb9c37106e938
SHA1
c5cb798d069a20784ff2ae2a7be7208aeb475f7c
SHA256
37526c8fed400a888712d3bb64e468fcec7b5394bfad11408117a4bb80bd514c
SHA512
7627e773d0f0cea3632b71c87cd9247c74d5602a03be9b2f327761fc691fa2cb2b82823305ed165ff445873717cd49c788bbab2a86d37af5757e5fec5e9b2d0c
-
Filesize
840KB
MD5
a8deed60c73b31c99d8d65594f701210
SHA1
24a98256c865fd6d22377724fbae9609eef32581
SHA256
37920992aa3b0a36037da2391e53019fe22f662fbc9a33e80e65a5ba5879d2a3
SHA512
990813073ca564ec1725d2148b74989c0bba2c28b4bd2a6f229881edfb2a20724486167b98ad3e2aab104373e888b979834cf86bb8b4777c8eae2bbc4252027c
-
Filesize
4.6MB
MD5
00ebf6b485e5112e53e50e05f317ea58
SHA1
8d8afde554c7a96dbd499b28295fd0d8287a477a
SHA256
a98cbc05be3b7915fd874cfd24fa2d360ec49882deb5a3b9b1278c47e7928394
SHA512
3dc551b275e6f02d667836e8833d4e2f9fc4b153c540e1468fea3c652fa8d60e09fdf2531d15d891896b8d84975fb4261111ba909f65d8fff96ce8d2c51f0aba
-
Filesize
910KB
MD5
01875109be44ffb626fa2fda802d1aea
SHA1
0e4473d2eda18b56c866aa4dd2d153c5116b1592
SHA256
b9270cf0844894a5c4a4d9a813903558df4cd6c3e457e4c40d4c95cae9391ba2
SHA512
ded5333a13742d471ddddbe57f04de1fea49cc14c22c358ba31d83e17c4fb6b44d1ce343f509750ec7e62a75bdaba32a365f8b96753fa1eae651a86cd11e08ad
-
Filesize
24.0MB
MD5
006d51e04e731da9efb1e5e053f05bf9
SHA1
9ca5b554dc36ac53b7d643f1a07de2c26e95d65b
SHA256
5419e3fcd2bece97c9c7e08317e2327953bd246f13518c1493e1c13eab1d1df9
SHA512
ca24b642c16ca280f260cafb4b8f372153ed940c2feaa72c46e4d42dcb478277af91d8c14bb362f50e5a3b78030e254ea6fbfae9e50b8d3a672a71c0a7f5ba27
-
Filesize
2.7MB
MD5
a9e6bf8398a6fffedfc58cec0767919b
SHA1
3500237aaa22a52f8c05cb845337bb4a96bb4b1c
SHA256
b5cc8a2d8dce056c122dcf2e38caf67b7e62ff7443891d87ee8f7868b98dc850
SHA512
bb6f9060bae01650b6aaaa94cec896ccebfce6889233f4ef8e9f6e33d865d5ec3e14dbba59b473b5402b452840bae5f3bf1e099e65067db3da0667acb4b0e013
-
Filesize
1.1MB
MD5
c3b09a3995cc70c130d9e1b12862e50d
SHA1
f131ee64b2d234deecc1e20761d52fec0746f3d0
SHA256
15d9319054fbd55b3ecad5b58066d6be89f706f6dd64aea30fdae78cf4868760
SHA512
94f2398bc24f3a72c710353eef6940f15badf724b1e5b32a152b5c13c5ef2e89c5c3e346b5ed69c253d1db68973c0550b4144a612fca708ff5dbce9fd65c42d6
-
Filesize
805KB
MD5
182ebd32af4740a4cf420d2d0c28cb1b
SHA1
7e145f4d044bcb7731d4133b1a02ac5ff49628e6
SHA256
ee8306245056852c3d6210a083d1b47762c235a1ea27b84a8e482600d9063be3
SHA512
2941f8ff0821a5974ca32587f231ec2fe233e046fedef6486aaa17cb15c6e345cf76b88f02323ff24df0d1699b0b2ab1c346bca9e2696b7112066ed8c3dec412
-
Filesize
656KB
MD5
90c9019a73844425906c1394334ab7da
SHA1
816eb498e2363c66e49e915c75347f37219872a2
SHA256
5f17ce8788908c041114c98d4a7476162d8771473939d44430d52cbece75b2bd
SHA512
d2bb1104575b486df3f110d97556f8688533fe00cbc8be363d1ad0ed427b8eb13b326640736257d92ff7488166d082aa8cf8018b652a4f94a96eaad6f76c929b
-
Filesize
5.4MB
MD5
1c695d49d1b7cd3c5be7386a805b6660
SHA1
d8175d5c4c2f974fa81421d4a3fc2ca4c899152f
SHA256
f37bf4738f2a1b03d989daed884a7a17d8986216a71438180cc16c4f7e3aa746
SHA512
efa1c443bda2b3eaf9253d6d12c8a5fbbda8065ab47346e53e3fdb297526a5e056e8976ccea114a49c763176d3210681ace37dcb77f5edc3f831ba64125b3215
-
Filesize
5.4MB
MD5
ee1cc307c6fbf41d7d73767ae9d69e2a
SHA1
047a0535d194408c0c07851e8587b27f121ef3b1
SHA256
ef8b5455026672556780776347bfbb5c3e8a11a93b09e62c27e616d65ab1c975
SHA512
1f17cd9ad4a14f85b1d65934f15fb754de93d9045b86f24853423f21c7b9740eb72325124003117aa96c9f78dcb48235605a0e24f7ce72e2598152978404c30c
-
Filesize
2.0MB
MD5
becf97466eb2c21010649ed0f2d18494
SHA1
f264ba524bd733f925db377778f4d0c16e0e9026
SHA256
04ab9c84511e978d1a1d486772d57a7530b8e32894056960097cb5e12c1746ac
SHA512
c4eca8fc429bfbfd83d956860195a41571fa92d0c6800b59a41c7d6d7503fd9f9b5daba06598f3d154afcad9269ee32bfdef9f37ca48d004b904b9ff5fe45840
-
Filesize
2.2MB
MD5
6dcffea4c02184a228a1f7c14a815c6f
SHA1
3bee9d3ee02831a5c263724bdd4d960559dee903
SHA256
183642726778be866a380024e91ca22f6e735a0bf7f4bf25400b2a7bbf9ebaf3
SHA512
e9d24c6621cf3d22a0244afc8c6be9a520b1fdcf91a43fb4bfa01ace2e33c6ad99e04de38f149833a150b09f62709cb65cc694757788ef111d7f73775c409d8c
-
Filesize
1.8MB
MD5
5eac99b2b5bda8e3add94aa368871e43
SHA1
48abb9e574fa1119ea1ed21bbaf5b276b55b8181
SHA256
7c8501305003c0dac244598b85ad6cc317a653b12466338e1c39bdd839308aad
SHA512
c996d19aaa87dc1b4ab62c5e009f936d3abc2f270dce06adf0487212a0a9c2cbc0e5a1e5521b253a345a2f69e0dbee9ecafce8ab41cefc381060d9c6e28fbeca
-
Filesize
1.7MB
MD5
0e060474abbc3a1fbac450e5f2c0b0cf
SHA1
954f5e6c29cd264a52fbf80e2f4f533c0f9a5f86
SHA256
d5b53e223710bdb9e907f3d954aa9a61e99859e337b6ff9d9e0cbbf399688713
SHA512
4e0af81dd9e3311b0c25e8c1ef10b9f02d6082cb13f377560393a348202d572ce1baf8d44db661ecfa00ce5d3003b809e8306b9f47aa9399ca7def609cb03b4c
-
Filesize
581KB
MD5
63167e4f2a3e555e8037e03617607aca
SHA1
117b3fe3fb04bb8759963307590a504a3f4580e4
SHA256
a97868b865bb1f150e466a19f474c4995b195935cd14b8e1f938561c05b01170
SHA512
d979316122a81dcecc21faa636c7ff272c4e8ee517a15e25d392866faf5522cc26a5d79a3554ded5ced5181d4d5b4cb2785ddfe1435cbd9448b8800c048ceb0f
-
Filesize
581KB
MD5
da8c698da763f9bf25f9045d7cc9dc7c
SHA1
8da5573d6eb43c584561faf2f7541a0fa63cf345
SHA256
81ff1f46ad43d687856222d20d3edd30ee3ba6e40b68ef8c23152053acbb25f0
SHA512
ea582814a33c1336bd4e2c22436286283bdf925effc7dbafcad7430a43a368254cea8e62325ce88b016d500f9cbb49a9c6956a77b9a718c0de04b024a9f277bf
-
Filesize
581KB
MD5
e89624f4437db42b5d47e50c6063a97a
SHA1
8c1c1c4560005b11ae8a2d171cb78b4e7d1d26e9
SHA256
b4ee900a1a31a8a2bb6d3b4a5258e2312b596efbc0b8a58dceba940eed8d2c7a
SHA512
e004f139092b7aed18fcf3530e9e64db1609936242ba646fe8ac20d6584754ba98591ff3b51e8b5deafbf1b63434f7b595060f04dc0798514295f377c6ee3968
-
Filesize
601KB
MD5
4b307db206ed174b9119ce3a5cfce4b8
SHA1
19561aa11f3a1adcfb677f72bb6ed962026ec2e2
SHA256
654288ac995d8979410e7a5149f0b5cfd2baa0f539e379e08c8299d55dac5f14
SHA512
d571a80210477fc9e0cdd8c33492eb2d05dfccbf61d3560412d21267e612fc3aa9b552ad03607342b46d92f425f451134bf7d50b604ff14797e36afc811a8dd1
-
Filesize
581KB
MD5
d63435cbc843daf657a5d9c587a74c14
SHA1
d6be5b64fe17364850a0fb65ed9db3a1edf460de
SHA256
176f9097bfdb582b065fb4b15267248c95ca770d249d7d7d6cee738dc65c4cc3
SHA512
de8fdeefb6a4822a9ebaeddc9420f32e945573961a92220026053051a563f5172fdf503eba2946bbe3b6f93980655d3920d9dc33fb952e59978b009b55939ee0
-
Filesize
581KB
MD5
9cef2bce2d1d9020dca46167a18b572d
SHA1
22aa99e94cbe1e4ba9e6d97822cedd0f205f0308
SHA256
8d4b92b80161ab10ee1791ea16899c8d96ddacf86713b959081b9d62cdbe2f9b
SHA512
e1602f67b1d76619a8d701d116b63ec80e30d6157b4fe8e9d9eb21b93b098dde2892feb7c17937bfc2e07e2e4efb50415db6d16b22db385a268dc74ff5e24dba
-
Filesize
581KB
MD5
ff6f36e0b14149c7c438b47b0dece0b7
SHA1
207d8e3ceebbc3892585fa8260f355ab812badfb
SHA256
52f72df0e44293670ce6d1c8940e898164cc34719a146c2cd90712587330752d
SHA512
57130107e44b821d4ff46a66d9e7dec7a668a0f59422b54a40d0687fe0f5ef836cccd5b7b976996c7d978cceeb707adf6913705a196fdde224b1d43be3363b24
-
Filesize
841KB
MD5
35400d22018fc4ad81445783351dcd52
SHA1
9821f0a2be7206d8a66c52a0079ba13f5ea846f1
SHA256
71b5634371a2d50755549d51940cbd5827915956d07fc945bef05d5cd335eb29
SHA512
ddc1d7ed7e38533122b5303195482521cadcc286d8e5c5bd069d8548c191198511202a055efeddac9d9d15ead809e2b1e3ad1723c78ac70fca07acc0011314be
-
Filesize
581KB
MD5
091823f86ff06bf568398c3f489bfec4
SHA1
bdbd79cc5c6b0bed1f1dabbc99cda47b55974dcd
SHA256
5b560c8f7f146dd408e413a2192cd2970f7a862926553bc5566b27198f82b660
SHA512
19598ddd7376e44b995566873c1cf442e8a23f20b3349a5d62f04c081eb8ba705abe4fc3b9ce4e76c168259b3be2f0087aa61e072ecd3e85d6d1f2407c4cd729
-
Filesize
581KB
MD544c71bf5f23e72f466de0412648517eb
SHA1b359ff4a36966e5424e96b92f0ae222849139f2d
SHA2562b4fbe7c06e7582a31969590bcd8629d3b26ad2e3992c5c42ecfae8277f089ca
SHA512c49bd4698482bd23e6633c5026d2a529ad3fe386422ac3f642e7a805fc1fe4b906d5ec9e6ca3345c93809de13652a469e1dd7fc5f768e569d5868ef9b192cb5d
-
Filesize
717KB
MD53300f042a0868a9bf29218b266228672
SHA19df787b15bc16e17d9f917416ac5222e460b4d48
SHA256ca524c980cc1bc18def9d7f4790f7a321aad806edc0a094ad9f06d7409aecccd
SHA5125e57f589b79d344124bb73801a3b5926fa93a150e6c0b8be5b57fa3d9db822db721b556daae12edd8572267f4869d0ae73d1eb91c045608934549622214a344c
-
Filesize
581KB
MD597ebc5222c407415e5a98e478200face
SHA1187debdd0695580d427a0620a23f01c9156e9319
SHA2567ac2ea1a9fb341ab826cc2149e227c6dbb1a50ae9724f745467fe432f1daa9b6
SHA5128a87048e66ef951bc7fe2a3bbbd569a18b424e1f727698be0d58e73226cd1f2b4e5f858783660e57d88c4cddef628466b0f18ad4a1bce43a170bb59211bc44c4
-
Filesize
581KB
MD5bf89d6dede40de252b7dea7cfee2c79f
SHA11468b1d183235b0e63cfa34712e2e487d3b35548
SHA2565601d8cb0773bb3da5fcbe931bc46d6d643a3a6f186aff7069cdad60e7ceaa49
SHA512c0d69be770014f98fdfc8a750b0c7170dc4644a3ffeb64287fdd257a84273f363298e4c42710ba8c2aa5c477108c4794414843f870a706128c77df33b479566d
-
Filesize
1.5MB
MD5a3404687ce0df4e532315cd4aded1d7b
SHA14b82aac4e598cd43d2ab368a22493709bbf6afe0
SHA2569c7b434c9b48ef931c71d5dab44c26d007446c1d5c6bee76369cdcd6320c4854
SHA5121cb5729e1ffe56cc7b3f612583e33e39d4238b4bc3f1bffa0d3595ab0276036ce2bef9adb24e5ed8dc124eceb3b4bc2dc8d04bf0977af823bf48da8a972a5ace
-
Filesize
701KB
MD508066c1e3061c02d99ef89cebd34d849
SHA1b988fea6223fa1cd7a71ec7d0d8ed976d4c94fe9
SHA25615683941067aad3a539a5289c44d0ac93dd98df0174d51fadfd0ce0137de93b1
SHA5129ba337ab32314a3744f97fdf87fa97b31a93dbd4d38ccedf34c60a8e4b8b8a1af1233977b7b28fc029de74973f0031fedea01cfa5984000261181d6d94e6aced
-
Filesize
14KB
MD50162a7a6ca55dd442e64f02c36187314
SHA124392ff794633445f4fe12a8a422046d24d67482
SHA2565aa41c7e3160dca492317182e2cf5ad947e91457b5d4a39fc5d7aabcc0c9dd8c
SHA51236e1fa17e868670b433206734fe028ce6b05dc3c6266c557342152fb3cb1984455fe6a9345c877eff394bf6959c6130a861ce7f30004d23c4a580227256a6332
-
Filesize
4B
MD5455831477b82574f6bf871193f2f761d
SHA1f44217a81173869e08671753c52553646ff5d95b
SHA25669bf0bc46f51b33377c4f3d92caf876714f6bbbe99e7544487327920873f9820
SHA512cbc0ee58e447428bdcf72fc8b03c8cfb086edbb14205b918e75ebeff1d85ff1dd254e9dcb387afbd3fa766c803937c306e0a2a79870c0d87abcb7ab93661cf85
-
Filesize
5KB
MD5eea5c3b8ab21420fd068d60c1df38b85
SHA14891795ab900af8e26b88604d84076fe7911c407
SHA2565c89686dfa61670bf1df890857583703d11932f4987ee4b5f53042c1dbd1b1a4
SHA512753daa5720e173e9f6e70547a0ed7f6a0a0d69508c03cb748f1102c951657a2e17b79815a13c36fe4d46ea10064d6eb59184c0e2e8bedd629a9d893f1b791246
-
Filesize
5KB
MD5ddb8f08ea958100ee5970f534c0fa9be
SHA1711b2069ceff68616672c94075a74f43548f61c9
SHA25610cb0f42806027c65f4cdee639e3023a911414eeddcd88c56c83aeffcc85e3ec
SHA512cb574965bcd81250020dad28bb735f842aaa3b2b0ccc652faaafa49e0dae21e19f446fc8fa8cd86e19221d4acca60a2068ff0d741b91fe816224a884d551700b
-
Filesize
3KB
MD5a58599260c64cb41ed7d156db8ac13ef
SHA1fb9396eb1270e9331456a646ebf1419fc283dc06
SHA256aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2
SHA5126970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71
-
Filesize
12KB
MD541e15d1d2c7bcd0db27d0eb684853a42
SHA1482941b846c78f6c3120061d2b6504b640219843
SHA256252a3d7b7b1d242b03b500a41db02ef81a79f17a3f11f7dd0a745797ec8846f3
SHA5125981eb420867faab8ff0ab26fb136dc8b4aa0c3aa45bea92ff5485bc912fd8e04b7453580dd2bca0492669145d456ef7f6e11b260d75c16aa457b2a344a9d524
-
Filesize
588KB
MD5e4c5eee69bcba13ba36c6162608ad060
SHA14266d5a1f09da9c36788341ef049f0d255ebefb3
SHA256eeb3f998e20d49d5267e89e799a511d6759f1c4226d2662354d7440b3ee7f6bc
SHA512ccf0ff53007d017083f678eb0f72bb4403027c650db3ec93cb7c0d37569f2abff71a5dfb2c250e11b411ae634f8222811e0d1bdbf3b4459bf0567f2339d420b2
-
Filesize
1.7MB
MD506609e4b6d9cfedbba7c10e4e86fefc1
SHA1ba655836c5c5317e1f85b7ea9700193ece077957
SHA256c5e493aa5cda5e4b09a16fca93e680ec9cfcc3bd2cc2b28685aba27f1bbaadc4
SHA512057c1f8c62e7f8c870160c36d8b2151f56838d6f7ae1429667ae11000e7084b28425eaeea7061c7877f3690131f35f8435198dfcb80d28ef5173dc1b185f237a
-
Filesize
659KB
MD55ee6aae7627d91e5e5b29c009545c53e
SHA16b7a25fde590fad5a9f3c90ede8536ed901a65c2
SHA256751e0310926c2d60942c68241bc5ed515897922aa672453d22952d58bc13bed7
SHA5120fdef59fe575d7ca3213006416f06c79414e86a00cf6b51717aa067b318a344be57a8a51d03fdc3c271e4f167ebf752fc5e688dc84021ae5f84e3eca5adc6fe4
-
Filesize
1.2MB
MD5721b1b73cefa8b4a2943cc994f97dbae
SHA1aba04c3d1989178b339eaf4e67b790ed86e33877
SHA256662e8be8ee309f552efc101285e6c0641ba5ddf9cf672dc579e08c9166c80b9d
SHA5126229c591155bec8ebc0bfef3d55d92cbffc7b6f0c57eb07ae11c78d7b139abbe2ef1afc6617f2c10fd84059855bd34f9648ab571d55148749621f1c32a9cb577
-
Filesize
578KB
MD5e83d5648e0f91674598c4089c24b1d83
SHA1f13281c7a89fc44932f889365c4ff6daeb3e39ca
SHA256cb52c7e9ba1a1c9501467837eeccd082d9ad43175b5a6d8b9a625afff0f9f00e
SHA512651337054afdf41ee737ed17932c0d17ce96dc60e35659ebf3d56e67c4db0f93ad04bcbe9205a2fb5610f2dea655d66ef71ef4bb19ca3ad1e90912caed3a302d
-
Filesize
940KB
MD5cec038483bcc39764e0207cd8bf24cc7
SHA1a6ec461eb34ebe70307577461292722745255e35
SHA2564c7c137a148165527c46da1d6e5e9610694aac8cc77e96d5a55b1b5631181b60
SHA51251ae9fbfbf41a6fb8bd4e81a9c22132f62693a36eb32903fe31dfc9ff07c011df249c00a0579806d5e7c112f6eb8a5cf5ae9bc6d633e54ca3f1f3156b958d205
-
Filesize
671KB
MD50b3a2f4a950786bc4457e276cd43e25c
SHA13e175a56357a2b22ba0e2a0cc6db58a3aace834c
SHA256733337948c0186b0223c9a02720107766b9acaf59874bbc3bc5eb035975ee216
SHA512907588ce69662ff7af3850cca8deeafb83d487c1b13184738244a13a4cd048ac0e0c244de670554fa71e0048a191704ea2cb69adcc70e298fb61de6547b5a90e
-
Filesize
1.4MB
MD55b439200ce786b936d07bba8d4f3ad85
SHA11aadc88300386d6999f0efcbf41a9e91a0bdb0e8
SHA256b56f0e5167df4f45a48251ede72b2f9681dc1a1414b3759c0a892ac07f3b9a45
SHA5123bb3f2ced9288e57f280512c3c604d55e8815e225813af498c2dee7550b9b7b780c29897125d88795defc3ccfa643570aaf5bc540bb8d09d6e97490af52f0544
-
Filesize
1.8MB
MD57b80322056b4d6e2f39ba3971b944b96
SHA1f3cc07317e0428e9267f424e389b1d18dbe23d0b
SHA2564e87626c6bcac77a032ba956998c931a500b5fc68011efe4b9b96a5fd1744229
SHA512a47632539258e0c05fe273c7ca4b5008751015dca595e53f4134cdbd556ec7d1b2a2576b68c6ff03801ecfd75bce83a17cfbfe32bf720e5ed6b6716ae4291a0b
-
Filesize
1.4MB
MD509c78e03457fd34c10689ff7c11cc8c7
SHA17101fead982d0c1beae6bf46427439d0f49e8ea9
SHA256562cdc4beca7e37f8ef97e6cb9686cb73aede9de3a8d916588cbed2980466318
SHA5123fddcba14ae84429a985a5adb97963dc8b9baa9e0a5774050b7ee2d3e9e40ed2547b59889907e649ba879c0a0aaef9df523b49550d8f7a155a1c6847c827b2c2
-
Filesize
885KB
MD5935e4e3a1a01d9bf97d87d4f37a41078
SHA1acc8d364652979e5b1c0c6dcf80927ba9a6f7489
SHA2565f3c0b1cd82de1785610157d4925483424994b202420339fafddf14dc1cb5eac
SHA5125f9e35615d8e2a1bf822eaf9048f34d2ccdb11f7a6632ade8a2f30898e055b9f9e2e9a44d77b7339431e3904d80347ae99f9a114a52228c23f654cc98fc6e9a6
-
Filesize
2.0MB
MD5a1520fad44d38f7d2acd3f88b60b7420
SHA1a1097a9ee21dc39a8ac2d02e36bf8357aaaccab6
SHA2568f7a24afd7ccd3931f0c12edf4e92870ac5c0315ac4c747ca1b048b1aad944d8
SHA512ae8f77791ca5bd84080aa797c606fd226fd95a070a95a39bdb8e3ae7fb31ef2e59cbdfb54e92f5dc11f12f34a583a2645aed427f270601b415942d97b5dbec65
-
Filesize
661KB
MD5c60f91b4a2b7928c67e9d474fa7535ea
SHA18b933e133830c8fa9f2347bc59c9c37b5761f7bf
SHA2567eb64ccf2a67e81aff58a941e73dbb5f6f1a9fd17117884e55cfd72f951cc9dc
SHA512d99c710c0cbfd4c200eaa332891057750230666525d3d65074e9e0597719b8d371bc6ddd822b8a688431b0800eaa53d470889e0114d9a47e7c52bc57fd7bb91a
-
Filesize
712KB
MD5f891b72d825faab3890ddf19067bd9d5
SHA162c03adf2a818a57942b50dd6605c948e04f0b0b
SHA2566bfa51d5dfbc7ddcc063fc7f4c8ffcae21585cdea653abed2d61c5e30525a259
SHA512aac8756173c0b0fa1919104be193a1101d6c45cdbabb7d799166bb0857948bd80f84d1e8bfb13d4d85b13b45e7b26cff4b4d3017f5cc123f124c09f1246778b8
-
Filesize
584KB
MD56998421c89059a0d2da230c3d4bdb82a
SHA116df170ada8242c55858221abd7d97679bd2a8b4
SHA25632e845dd161dd42287f64cb6c10f4e84e40657888af7acfddc896b3a2737e8ea
SHA512bdfdf0e1bbda2c97c2fbc2de11f65b4fc47b2b05e7832f794ed25c1b460d33b06c42205144955bb9b2a5eea9727954878fbed32a2886617ec6eb6cf9ebf114f6
-
Filesize
1.3MB
MD50a76aa9e5212b58e1a406de2a7930575
SHA14f78cc9bf0df223794edcca38345952f055fc439
SHA256b8d8fc6ec7f161d33cb87464c1f28980c7b129f9991da36227bb248e7979e28e
SHA51234916d2008de9acb18631e400f1aa823ce3d759cf3ad446dc73356b065232a0cddbbedc3ba5612e2406d55ef4428f4b348a50d3c9c1e42a0596d2d62b9ddee58
-
Filesize
772KB
MD5f2c1ad478ee07d5da9ac02e2ad79c562
SHA1717fdf719e05f9edd9bb37618b2af7adc48bfc2b
SHA256d011b789a1fc369e2a23c996ab1bafe1dc84ea7dfbb7fac3eeda492bf7cfdbc2
SHA51245850c320a382b221c7bd271bb2612b8c4fbfe94744559529b4fde17ef89a71cd2dceb4a86e5d4e2299e6b9190a13045fc93d06bf800f94b5ed39b112da80a6d
-
Filesize
2.1MB
MD58c5bd6f8fceab9ab9c3d257399a4568a
SHA161d97dc0366a36ac058abf36ea7828ae4c159595
SHA2569f176b4f8680586541e88ad62575f3a5a43c4c004576b8458da3a4f4f7ffe9e8
SHA512ae021c684bdf9e3d4eb4db502b1a04a3e56d561318174f7f468e320ce95ef4e69af1f9ebe28e8c69c9e971abdab5cba7e5ad664a0408e2e761cc235e86ca3055
-
Filesize
472B
MD5150650f8b4ce06bf6720a55c29275c38
SHA1c69a908cd7138d119f38c8db07031364b1d21388
SHA2569d7407b8bcd4af6820eae7da00db7598246d0f58dc502ef3c89aacbd9cc8a104
SHA512fcfb7f30078c6e1c43cf272b96b5fbd599fb6ea694cbb79a7a3e40de0eea9e031a4b67d1c2f348d3ab19760b48b67758fd7b4ddd921aab9f3e8d3a064c662bd4
-
Filesize
596B
MD5dc1ecc554b3f04dc9600236cdecc8a5b
SHA15ae617e99bdded544273928e3e02147405e6a032
SHA256550a13ba1f49e521874c12f8908b48d130519016d3abd734b9ba3e3695f2a8bd
SHA5125c18ad0696a910c5806e952965b6ea6a7943443714eab387cfe0437c5546b6b43c87d70495e5a21ecd284faaf545ab0b6c7fbfc5f89b27ab4779e3cef124f11b
-
Filesize
726B
MD566912ae2193d013c3bf5b8b031c7a36c
SHA1e5288840baebf03420e92c9deb1a60121f24467d
SHA256c89ff4970db3664d4435522769ed127af57f09ba648689de94c00a60572db3c9
SHA512c519bdc0aaf38be5206f763c6ec85e3b1d245ef900c36f2fdfc8865783430e62e09c53fb344e4559e939e4ac40a2fe4e81b79e396264be2dedf9a237cdfb1462
-
Filesize
764B
MD5f42344a5ea9de1aab44141b96b820a34
SHA1b23a200020fbdaf7c23e39945d381fa814d68d37
SHA2569e41e1f570b18efff9faebb19e8992be6460165403129aa3db838a2bef8956ef
SHA512a5534eecadea9dacf00907bc06ce7eb588fd234570c9a6ff1d903f4396eec46b41fd4203f07ece98060f7ef4c44063c3fe1dcab970b80bbef2162b6ff482ff16
-
Filesize
234KB
MD5cd12a965da4fb66e7f8a07e3f421196c
SHA1f6377f231362acbd1063aff829ced283a2660b89
SHA256790b06745f32e0f56a7af24c871ffce225ba05ebf0d8f8a71a00c727c97dcf09
SHA5123fa242c3f573c706e0f36b477ce03f47d9ba0712ef72b94eae4f426dfe21ebbaf1dbebb0981335970b5186d416b4d25e175773796486f39e17de1df0a68a9b0d
-
Filesize
1.3MB
MD597eb5dd6431fe99513f014229be010f5
SHA11274e3cc015deb0814021fd973945e392ef6bae3
SHA256395dfb5274db8d4e36a7c8892a41ea5e8673f99d5bec6c70992a9a57d6a52eaa
SHA5125b57cdf0dd8f1793d3bc254e9bef02f6e975a9709a5ee877f375ed8fc4393414d46611255b31a71f2f10e1cc689dcb7fdc695914fd2a3eebf8ddc15cc4b6b98b
-
Filesize
877KB
MD5488ac49eb8516693cb731c37473f1869
SHA12c743110622c70ba8685276f235d3059f71d1c52
SHA2563bbb45c730b6a80561b724c9e46d4d5e96350ba05af3d9e9d90a611127d6aad6
SHA51208bbc286e7f48899f8dd4bf84271fa760d7fdab2bd39dec0856fa1210cfcd662659675129bff7e771bd87b8e5ac820d6c90470892c2b18ba247d13d570c37068
-
Filesize
635KB
MD50efcba1d6a2c74e695b7572f48a4cbba
SHA14635ed8bee17e66ecc09c486454733b4437b516e
SHA25684316e213884992ec4491c650b937276056ba024e891f829ea5aa1b5392e87ca
SHA512b4e5ef580692f95c4566b25ddab8932520d546f34a76dfcee7a80f3570f5012f37a02efc1882c174a3dc7e5b7933ce04aef954607532b2aa8f64d82d0ea87400