Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 18:01

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
Resource: win7-20240419-en

Note on the environment: the analysis header names the win10v2004-20240611-en image while the behavioral-task entry names win7-20240419-en. The IoCs below involve components that do not exist on Windows 7 (SgrmBroker.exe, PerceptionSimulationService.exe, the bundled OpenSSH ssh-agent.exe), so the behavioral data on this page comes from the Windows 10 image.

General
Target: 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
Size: 1.3MB
MD5: d277695b0fefaa9d41d8b43ad7390d1b
SHA1: b9aa2e4abd2436f6f26ccddfa16129fb14f3d3da
SHA256: 710df036c18187fbd5d82133d1bff579a5b5437f69d7b2272ebbaf48e4f6b97a
SHA512: 385e751b6a8b56816ad2b962432ca94d6e721dbb64eac52378135c5d80b37b77942438c7f77216b74bc5b8ce69c287eee09fe0fa4f1ee7eadafaf70fcf19f6f2
SSDEEP: 24576:w2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgeduTNjx+mZCkt76f/24pN+XNqNl:wPtjtQiIhUyQd1SkFdOf9Ckt7c20+9qT

Note on the name: "avoslocker" is part of the submitted file name, not a family verdict produced by the report. None of the signatures listed on this page records file encryption, ransom-note creation or shadow-copy deletion, and the Malware Config section below is empty, so the name should not be read as confirmed attribution.
Malware Config

Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid   Process
3336  alg.exe
3196  elevation_service.exe
3732  elevation_service.exe
1372  maintenanceservice.exe
4620  OSE.EXE
228   DiagnosticsHub.StandardCollector.Service.exe
5036  fxssvc.exe
436   msdtc.exe
1984  PerceptionSimulationService.exe
624   perfhost.exe
704   locator.exe
2204  SensorDataService.exe
4664  snmptrap.exe
2416  spectrum.exe
3396  ssh-agent.exe
1400  TieringEngineService.exe
1064  AgentService.exe
4516  vds.exe
1468  vssvc.exe
5116  wbengine.exe
2804  WmiApSrv.exe
3724  SearchIndexer.exe
These are the names of legitimate Windows and third-party service binaries, not files written under new names. The drop entries below record the submitted sample opening C:\Windows\System32\alg.exe and C:\Windows\system32\AppVClient.exe for modification, and elevation_service.exe opening most of the other service executables in this list (vssvc.exe, msdtc.exe, vds.exe, fxssvc.exe, wbengine.exe, SearchIndexer.exe, ...). The sandbox classifies an executable as "dropped" once a monitored process writes to it, which is why service binaries that were modified before they started appear under this signature.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report lists no individual IoC lines for this signature on this page, so the responsible process cannot be identified from it.
Drops file in System32 directory (26 IoCs)
Processes: elevation_service.exe, msdtc.exe, alg.exe, 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
description  ioc  Process
File opened for modification  C:\Windows\system32\vssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\a22fd1e253fadf5.bin  alg.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
File opened for modification  C:\Windows\System32\msdtc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\msiexec.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\locator.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\vds.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\spectrum.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  elevation_service.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AgentService.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbengine.exe  elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, elevation_service.exe
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe  alg.exe
File opened for modification  C:\Program Files\Windows Media Player\wmpnetwk.exe  elevation_service.exe
File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe  alg.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  elevation_service.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe  elevation_service.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  elevation_service.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jjs.exe  elevation_service.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe  alg.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ieinstal.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\updater.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\iexplore.exe  elevation_service.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  elevation_service.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\uninstall.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\keytool.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  alg.exe
Drops file in Windows directory (2 IoCs)
Processes: elevation_service.exe, msdtc.exe
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

All 64 entries are reads beneath \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ of four device instances:
  [A] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  [B] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  [C] Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  [D] CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
and of these subkeys under each instance's \Properties\:
  [g1] {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  [g2] {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  [g3] {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  [g4] {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  [g5] {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  [g6] {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  [g7] {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009

SensorDataService.exe (35 entries)
  Key opened: [A], [B], [C], [D]
  Key value queried: [A]\FriendlyName, [B]\FriendlyName, [C]\FriendlyName, [D]\FriendlyName
  Key opened [A]\Properties\: g1, g2, g3, g4, g5, g6, g7
  Key opened [B]\Properties\: g1, g2, g3, g4, g5, g6, g7
  Key opened [C]\Properties\: g1, g2, g3, g4, g6, g7
  Key opened [D]\Properties\: g1, g2, g3, g4, g5, g6, g7

spectrum.exe (29 entries)
  Key opened: [A], [B], [C], [D]
  Key value queried: [A]\FriendlyName, [B]\FriendlyName, [C]\FriendlyName, [D]\FriendlyName
  Key opened [A]\Properties\: g1, g2, g3, g5, g7
  Key opened [B]\Properties\: g1, g2, g3, g4, g5, g6
  Key opened [C]\Properties\: g1, g2, g3, g4, g5
  Key opened [D]\Properties\: g1, g4, g5, g6, g7

Reading this signature: the vendor and product strings embedded in the instance IDs (Ven_QEMU / QEMU_DVD-ROM, Ven_Msft / Virtual_DVD-ROM) are exactly the values an anti-VM routine compares against, and here they expose the sandbox's own virtual hardware. Both reading processes are service binaries that the System32 drop list shows elevation_service.exe opening for modification before they ran. Device enumeration by these services can also be legitimate, so treat this as supporting evidence of sandbox awareness rather than proof on its own.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe

Abbreviations used below:
  U = \REGISTRY\USER\.DEFAULT
  M = U\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
  O = @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll
  X = U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  S = U\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

SearchProtocolHost.exe (48 entries)
  Key created: U\Software\Microsoft; U\Software\Microsoft\Windows; U\Software\Microsoft\Windows\CurrentVersion; U\Software\Microsoft\Windows\CurrentVersion\Explorer; X; X\.mht; X\.mht\OpenWithList; X\.wvx; X\.wvx\OpenWithList; X\.svg; X\.xhtml; X\.mhtml\OpenWithList; X\.html\OpenWithList; X\.xht; X\.xht\OpenWithList; X\.asx; X\.mid\OpenWithList; X\.aifc
  Set value (data): S\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e75d3b4f2bcda01
  Set value (data): S\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aee8bb4f2bcda01
  Set value (data): S\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0508eb4f2bcda01
  Set value (data): S\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d14d1b4f2bcda01
  Set value (str) M\O,-131 = "Rich Text Format"
  Set value (str) M\O,-103 = "Microsoft Excel Macro-Enabled Worksheet"
  Set value (str) M\O,-111 = "Microsoft Excel Macro-Enabled Template"
  Set value (str) M\O,-113 = "Microsoft Excel Binary Worksheet"
  Set value (str) M\O,-116 = "Microsoft Excel Template"
  Set value (str) M\O,-121 = "Microsoft Word 97 - 2003 Template"
  Set value (str) M\O,-123 = "Microsoft Word Document"
  Set value (str) M\O,-125 = "Microsoft Word Template"
  Set value (str) M\O,-142 = "Microsoft OneNote Table Of Contents"
  Set value (str) M\O,-170 = "Microsoft PowerPoint 97-2003 Presentation"
  Set value (str) M\O,-174 = "Microsoft PowerPoint Presentation"
  Set value (str) M\O,-182 = "Microsoft PowerPoint Template"
  Set value (str) M\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
  Set value (str) M\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
  Set value (str) M\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
  Set value (str) M\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
  Set value (str) M\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
  Set value (str) M\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
  Set value (str) M\@windows.storage.dll,-34583 = "Saved Pictures"
  Set value (str) M\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
  Set value (str) M\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
  Set value (str) M\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"
  Set value (str) M\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"
  Set value (str) M\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"
  Set value (str) M\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
  Set value (str) M\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"

SearchFilterHost.exe (8 entries)
  Key created: U\Software; U\SOFTWARE; U\Software\Microsoft; U\Software\Microsoft\MPEG2Demultiplexer; U\Software\Microsoft\Multimedia; U\Software\Microsoft\ActiveMovie; U\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device; U\Software\Microsoft\SystemCertificates

fxssvc.exe (2 entries)
  Set value (str) M\@fxsresm.dll,-1131 = "Route through e-mail"
  Set value (str) M\@fxsresm.dll,-1132 = "Store in a folder"

SearchIndexer.exe (6 entries)
  Set value (str) M\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
  Set value (str) M\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
  Set value (str) M\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
  Set value (str) M\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
  Set value (str) M\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
  Set value (str) M\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"

Reading this signature: every entry is a MuiCache string cache, FileExts/OpenWithList key or shell-extension timestamp written under the SYSTEM profile (HKEY_USERS\.DEFAULT) by Windows Search and the fax service in the course of normal indexing. None of them establishes persistence or configuration by the sample; they are here because SearchIndexer.exe (itself listed above as opened for modification by elevation_service.exe) and its helper processes were running during the analysis.
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
elevation_service.exe
pid Process
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe alg.exe elevation_service.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe
description pid Process
Token: SeTakeOwnershipPrivilege 1924 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
Token: SeDebugPrivilege 3336 alg.exe
Token: SeDebugPrivilege 3336 alg.exe
Token: SeDebugPrivilege 3336 alg.exe
Token: SeTakeOwnershipPrivilege 3196 elevation_service.exe
Token: SeAuditPrivilege 5036 fxssvc.exe
Token: SeRestorePrivilege 1400 TieringEngineService.exe
Token: SeManageVolumePrivilege 1400 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1064 AgentService.exe
Token: SeBackupPrivilege 1468 vssvc.exe
Token: SeRestorePrivilege 1468 vssvc.exe
Token: SeAuditPrivilege 1468 vssvc.exe
Token: SeBackupPrivilege 5116 wbengine.exe
Token: SeRestorePrivilege 5116 wbengine.exe
Token: SeSecurityPrivilege 5116 wbengine.exe
Token: 33 3724 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3724 SearchIndexer.exe
Token: SeDebugPrivilege 3196 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid Process procid_target
PID 3724 wrote to memory of 4776 3724 SearchIndexer.exe 112
PID 3724 wrote to memory of 4776 3724 SearchIndexer.exe 112
PID 3724 wrote to memory of 1436 3724 SearchIndexer.exe 113
PID 3724 wrote to memory of 1436 3724 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe" 1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:3732
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
PID:1372
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:4620
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
PID:228
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵
PID:3020
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:436
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:1984
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:624
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:704
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2204
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:4664
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:3396
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵
PID:1608
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:4516
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:2804
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 2⤵
- Modifies data under HKEY_USERS
PID:4776
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 2⤵
- Modifies data under HKEY_USERS
PID:1436
-
Network
MITRE ATT&CK Enterprise v15
Downloads