Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
Resource: win7-20240708-en

General
Target: 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
Size: 1.3MB
MD5: 2faf668c37ead3dfd7639cd89454767b
SHA1: e33a2f3a2bd63de36b9f6dc838b0c2fb7d9703f3
SHA256: 1ff98b60c1cfcd051d2ffd20e717a9f6e04f5a69deb9be632447ab078254bf76
SHA512: 3ad843be339a2381667a722e09f9cc91885774867829224866245487f59a78290d686a5b7b009633c8a292794d12fba17c5ec096be2c61d20dd814a00f0f2054
SSDEEP: 24576:R2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedD8NDFKYmKOF0zr31JwAlcR3Qi:RPtjtQiIhUyQd1SkFdDgDUYmvFur31yH
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1820 | alg.exe
2028 | elevation_service.exe
4508 | elevation_service.exe
4996 | maintenanceservice.exe
2152 | OSE.EXE
232 | DiagnosticsHub.StandardCollector.Service.exe
2484 | fxssvc.exe
4712 | msdtc.exe
3436 | PerceptionSimulationService.exe
1880 | perfhost.exe
3068 | locator.exe
2240 | SensorDataService.exe
5060 | snmptrap.exe
2736 | spectrum.exe
856 | ssh-agent.exe
1520 | TieringEngineService.exe
2288 | AgentService.exe
4192 | vds.exe
2516 | vssvc.exe
4036 | wbengine.exe
4896 | WmiApSrv.exe
1016 | SearchIndexer.exe
Every name in this list is the file name of a legitimate service binary that was already present in the sandbox image (Windows services such as alg.exe, msdtc.exe and vssvc.exe; the Chrome/Edge updater helper elevation_service.exe; Mozilla's maintenanceservice.exe; Office's OSE.EXE). They count as "dropped" because the sample, alg.exe and elevation_service.exe opened the on-disk copies for modification before the services started, as the "Drops file" tables below record. On a live host, verify each binary's hash and Authenticode signature rather than trusting its name or location.
Reads user/profile data of web browsers (3 TTPs)
Infostealers commonly read stored browser data such as saved credentials, cookies and autofill entries. This signature carries no IoC rows in the report, so which browser files were read, and by which process, is not recorded here.
Drops file in System32 directory (30 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1d82e13938f5360d.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
The submitted sample itself writes to only four System32 binaries (alg.exe, DiagnosticsHub.StandardCollector.Service.exe, AppVClient.exe, dllhost.exe); the bulk of the modifications are made by alg.exe and elevation_service.exe after they have been infected and started. The only non-executable target in this table is 1d82e13938f5360d.bin, written by alg.exe into the SYSTEM account's profile; it is a host artifact to collect and hash alongside the modified binaries.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
The writes here are made exclusively by alg.exe and elevation_service.exe, not by the submitted sample, and the targets are existing executables of installed software (Java, Firefox, Chrome, Acrobat Reader, Office, VLC, dotnet). Both copies of elevation_service.exe present in the image, Chrome's and Edge's, appear as targets; the Edge copy is opened by alg.exe, which is consistent with the two elevation_service.exe processes (pids 2028 and 4508) in the "Executes dropped EXE" list being infected copies. The report caps this table at 64 rows, so the list of affected binaries should be treated as a sample, not an inventory.
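The "Executes dropped EXE" and the two "Drops file" tables together describe a chain rather than a one-off drop: the sample writes to alg.exe, the infected alg.exe writes to Edge's elevation_service.exe, and the infected elevation_service.exe writes to dozens of Windows and third-party binaries. The Python below is added here as an example and is not part of the sandbox report or of any tool the report names. It parses rows in the report's flattened "description path process" layout and rebuilds that chain; the embedded rows are a subset copied verbatim from the tables above, and the parsing rule it relies on (the process name is the last whitespace-separated token, and descriptions come from a fixed set) is an assumption about how the report prints rows.

```python
"""Reconstruct the file-infection chain recorded in the signature tables.

Added example (not part of the sandbox report). Row grammar assumed:
"<description> <path> <process>", with the process as the last token.
"""
from collections import Counter, defaultdict

SAMPLE = "2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe"

# Constructed subset of the report's "Executes dropped EXE" rows: "<pid> <name>".
EXECUTED_ROWS = """
1820 alg.exe
2028 elevation_service.exe
4508 elevation_service.exe
4996 maintenanceservice.exe
3436 PerceptionSimulationService.exe
2736 spectrum.exe
"""

# Constructed subset of the report's "Drops file" rows (paths copied verbatim).
FILE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1d82e13938f5360d.bin alg.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe alg.exe
File opened for modification C:\Windows\system32\AppVClient.exe elevation_service.exe
File opened for modification C:\Windows\system32\spectrum.exe elevation_service.exe
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe elevation_service.exe
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe elevation_service.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe elevation_service.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
"""

# The fixed description prefixes the report uses for file rows.
DESCRIPTIONS = ("File opened for modification", "File created")
MODIFIED = "File opened for modification"


def parse_file_rows(text):
    """Split flattened rows into (description, path, process) triples."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        for desc in DESCRIPTIONS:
            if line.startswith(desc + " "):
                path, _, proc = line[len(desc) + 1:].rpartition(" ")
                rows.append((desc, path, proc))
                break
    return rows


def parse_executed(text):
    """Split "<pid> <name>" rows into (pid, name) pairs."""
    return [(int(pid), name) for pid, name in
            (line.split(None, 1) for line in text.strip().splitlines())]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def infection_chain(file_rows, executed):
    """Writer process -> executables it opened for modification that the
    sandbox then ran as a 'dropped' EXE. Matching is by file name only,
    because the report identifies processes by name, not by path."""
    ran = {name.lower() for _, name in executed}
    chain = defaultdict(set)
    for desc, path, proc in file_rows:
        base = basename(path)
        if desc == MODIFIED and base.lower() in ran:
            chain[proc].add(base)
    return {proc: sorted(names) for proc, names in chain.items()}


def generations(file_rows, root=SAMPLE):
    """Breadth-first walk over writer -> modified-executable edges from the
    submitted sample: depth 1 are binaries the sample wrote to itself, depth 2
    those written by the infected depth-1 binaries once they ran, and so on.
    Names collapse paths (Chrome's and Edge's elevation_service.exe become one
    node), so a reported depth is a lower bound for a given file."""
    edges = defaultdict(set)
    for desc, path, proc in file_rows:
        if desc == MODIFIED and path.lower().endswith(".exe"):
            edges[proc.lower()].add(basename(path).lower())
    depth = {root.lower(): 0}
    frontier = [root.lower()]
    while frontier:
        nxt = []
        for node in frontier:
            for child in edges.get(node, ()):
                if child not in depth:
                    depth[child] = depth[node] + 1
                    nxt.append(child)
        frontier = nxt
    return depth


def non_executable_artifacts(file_rows):
    """Touched paths that are not executables: payload, config or log files
    worth collecting from a host alongside the infected binaries."""
    return sorted(path for _, path, _ in file_rows
                  if not path.lower().endswith(".exe"))


def writes_by_process(file_rows):
    """How many files each process opened for modification."""
    return Counter(proc for desc, _, proc in file_rows if desc == MODIFIED)


if __name__ == "__main__":
    rows = parse_file_rows(FILE_ROWS)
    for writer, names in infection_chain(rows, parse_executed(EXECUTED_ROWS)).items():
        print(f"{writer} -> {', '.join(names)}")
    print("generations:", generations(rows))
    print("non-executable artifacts:", non_executable_artifacts(rows))
    print("writes by process:", writes_by_process(rows))
```

Feed the full tables in and the "generations" output is the order in which to re-image or restore binaries: depth-1 files were touched by the sample directly, everything deeper was touched by an already infected service binary and only after that service started.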
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Of the two rows, the one attributable to the sample's own code is the first: the sample process reads the language key before it has written to any other binary, whereas perfhost.exe is one of the service binaries opened for modification by elevation_service.exe.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All 64 rows come from spectrum.exe and SensorDataService.exe, two Windows service binaries that elevation_service.exe had opened for modification before they ran. The device instance IDs they enumerate expose the hypervisor directly (Ven_QEMU, Msft Virtual DVD-ROM), which is exactly what a sandbox check would look for, but device enumeration is also what these services do at startup, so the rows identify where to look for evasion code rather than proving it on their own.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
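The three registry signatures above (SCSI enumeration, CentralProcessor, NLS\Language) are all reads that sandbox-evasion code uses, but in this report two of them come from service binaries that were infected before they ran, so the useful question is which process did how much probing and how much hypervisor detail the keys actually exposed. The Python below, added as an example and not part of the sandbox report, tallies that from rows in the report's "operation key process" layout. The embedded rows are a subset copied verbatim from the three tables above; the category patterns, the list of hypervisor marker strings, and the ranking order are this example's own choices, and the last-token-is-the-process parsing rule is an assumption about the report's row format.

```python
"""Tally registry reads that the report flags as sandbox or locale probing.

Added example (not part of the sandbox report). Row grammar assumed:
"<operation> <key> <process>", with the process as the last token.
"""
import re
from collections import defaultdict

SAMPLE = "2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe"

# Constructed subset of the report's registry rows (keys copied verbatim).
REGISTRY_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 SensorDataService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
"""

# Operation prefixes the report uses for registry rows.
OPERATIONS = ("Key value queried", "Key opened", "Key created",
              "Set value (str)", "Set value (data)")

# Key families worth tracking, matched case-insensitively (the report mixes
# \REGISTRY\MACHINE and \Registry\Machine spellings).
CATEGORIES = {
    "scsi_enum": re.compile(r"\\Enum\\SCSI\\", re.I),
    "cpu_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "locale": re.compile(r"\\Control\\NLS\\Language$", re.I),
}

# Substrings in device instance IDs that name a hypervisor or virtual device.
# Only positive markers are reported, so real vendors (WDC) need no allowlist.
VM_MARKERS = ("QEMU", "VMware", "VBOX", "VirtualBox", "Virtual_DVD-ROM", "Virtual_Disk")


def parse_registry_rows(text):
    """Split flattened rows into (operation, key, process) triples."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        for op in OPERATIONS:
            if line.startswith(op + " "):
                key, _, proc = line[len(op) + 1:].rpartition(" ")
                rows.append((op, key, proc))
                break
    return rows


def classify(key):
    """Return the tracked category a key belongs to, or None."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(key):
            return name
    return None


def tally(rows):
    """Per process: categories touched, number of tracked keys, and the
    hypervisor markers visible in the device IDs it enumerated."""
    out = defaultdict(lambda: {"categories": set(), "keys": 0, "vm_markers": set()})
    for _, key, proc in rows:
        cat = classify(key)
        if cat is None:
            continue
        entry = out[proc]
        entry["categories"].add(cat)
        entry["keys"] += 1
        entry["vm_markers"].update(m for m in VM_MARKERS if m.lower() in key.lower())
    return dict(out)


def rank(t):
    """Order processes by breadth of probing (distinct categories), then by
    volume, then by how much hypervisor detail was available to them."""
    return sorted(t.items(),
                  key=lambda kv: (len(kv[1]["categories"]), kv[1]["keys"],
                                  len(kv[1]["vm_markers"])),
                  reverse=True)


if __name__ == "__main__":
    for proc, entry in rank(tally(parse_registry_rows(REGISTRY_ROWS))):
        print(f"{proc}: {sorted(entry['categories'])} keys={entry['keys']} "
              f"vm={sorted(entry['vm_markers'])}")
```

On the full tables the ranking puts spectrum.exe and SensorDataService.exe first on volume, while the only row attributable to the sample's own code is the single NLS\Language read; a process that touched two or more categories would be the one to pull apart first, and none does here.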
Modifies data under HKEY_USERS (64 IoCs)
SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes that SearchIndexer.exe spawns; MuiCache and Shell Extensions\Cached writes under the .DEFAULT hive are what the indexer and the fax service produce when they start under a service account. This block is therefore low-signal on its own; its value is as a timeline marker showing that the modified SearchIndexer.exe and fxssvc.exe did start and run their normal initialisation.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046dafc45ea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e4b6f46ea31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1ad7146ea31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc848946ea31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e280b46ea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2028 elevation_service.exe
2028 elevation_service.exe
2028 elevation_service.exe
2028 elevation_service.exe
2028 elevation_service.exe
2028 elevation_service.exe
2028 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2084 2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege 1820 alg.exe
Token: SeDebugPrivilege 1820 alg.exe
Token: SeDebugPrivilege 1820 alg.exe
Token: SeTakeOwnershipPrivilege 2028 elevation_service.exe
Token: SeAuditPrivilege 2484 fxssvc.exe
Token: SeRestorePrivilege 1520 TieringEngineService.exe
Token: SeManageVolumePrivilege 1520 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2288 AgentService.exe
Token: SeBackupPrivilege 2516 vssvc.exe
Token: SeRestorePrivilege 2516 vssvc.exe
Token: SeAuditPrivilege 2516 vssvc.exe
Token: SeBackupPrivilege 4036 wbengine.exe
Token: SeRestorePrivilege 4036 wbengine.exe
Token: SeSecurityPrivilege 4036 wbengine.exe
Token: 33 1016 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1016 SearchIndexer.exe
Token: SeDebugPrivilege 2028 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1016 wrote to memory of 2268 | 1016 SearchIndexer.exe | 121
PID 1016 wrote to memory of 2268 | 1016 SearchIndexer.exe | 121
PID 1016 wrote to memory of 4996 | 1016 SearchIndexer.exe | 122
PID 1016 wrote to memory of 4996 | 1016 SearchIndexer.exe | 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_2faf668c37ead3dfd7639cd89454767b_avoslocker_luca-stealer.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4508
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4996
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2152
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:232
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1860
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4712
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3436
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3068
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2240
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5060
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2736
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:856
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:224
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4192
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4896
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
-
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2268
-
-
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4996
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize 2.1MB
MD5 77f854da9312ff147b4b3f9e84129fd9
SHA1 2698de645720eaeb36b31c859a8951483a72b5c0
SHA256 77ccd24698e3e20595e2fba915667f418e2540ba1397cf40b74b0a4d1dd7324c
SHA512 6e7d898348f0e07169586d1e90429f7ec0587b04afed494f6de5da87fe6e4444c821e5bd889922647b151c182160afcb44ce649fd87f86c3be30ef7ed348ba33
-
Filesize 789KB
MD5 54c5fcc43c5f4380bb3889fd6e45212f
SHA1 5738a34245266d69adc5c083acb46589732f63bd
SHA256 80e86e81930629ece474533b04da239628895a2a74c1dc54fe9be6044590348b
SHA512 4af6262a045dfff26111226e61bf22f9a93e91e462047c9bf549bf6f99ccf422e14c5ce08566f3e1485cd98935b809514f2eeafacdb1c141c24ba1a1836ea373
-
Filesize 1.1MB
MD5 ddb37c8fd061c23997ee7f7d907b6a2f
SHA1 80f66e627865db2c3a6c6ab32416e16d8e5afd19
SHA256 7b653d96f4def370463559aa38051016d1d9324940c54d33b19fea92c873bcbc
SHA512 f8351aac334c80452c8a80a3af4e41fc0a75500b07946c962337f082e51d2d916cbe2d1d03b3ed6b1f77f15e43f7a39b4a5f57299b9fc820c1d2108aef50ff7d
-
Filesize 1.5MB
MD5 354b08335dc8a7425c1b7e6ddd904751
SHA1 a0b9620c568cdc8d168eb21040f0fac8cae56aad
SHA256 b99f36840be38d784704e2a3230def10f9c51b9b6c55d2594ccd4909e6810587
SHA512 5cf4b1161768b1d88df0fe21b67c7113c4b88e4c8f1f10792b7041efcb009e43c8ef348a25ed47ffbc5f92b1ad688b3f48bfdc40168605257782261e63866350
-
Filesize 1.2MB
MD5 bfd0986a5c3bf2f0fce26397243f42e2
SHA1 73203a54a5f52bb20601f2e440969c7445611f2d
SHA256 7684a65999ed5da9f83c86d81db5198cceff445c885b869b9beb4419d01cc8bd
SHA512 1aec0e7996a73b03fa10eabe4a58e1aad1e9da1f06e27598fdfeebd8b25e753808fcf340eb64ef2b44bbab0f7aec6e650e8da2a5d25a9a92b2e7f55f992af643
-
Filesize 582KB
MD5 9592c7bb8eeb1ba4c1f11f8ad4206b55
SHA1 eece89606f15108534dfc5fc1d18830cd38712ce
SHA256 5e576ca1ec6fa0f94eb6bc0dbe21097644f87e429053786b749e4859ea21c582
SHA512 770c29db88b4e236f89b32701779c91d7b61ecd4bf2268c489696e3c48368127d72f241c75e9dee3e03ec719a2b0442ef8e6cb091e53ce2247f4dc5425deca09
-
Filesize 840KB
MD5 4c0c1a2643c5f2f6ef5dd8c475aa4f43
SHA1 99eeb0c0c77015a3d57627a328782b8321bb9103
SHA256 eb4297747d77f74072a4a1bbb36efbb8d3daa1ca6577c71394f161fe58bb3e3c
SHA512 022187d6ae62f4f1a33e9ad3391e59fca8d3af6b86b1f73f672d1644e7fe3310fa1c396399df057e1921fba342817e3db07d5222c24fd9891a6afd2bb6146ec3
-
Filesize 4.6MB
MD5 fc684f653923e0a7fc29562bd5c5e4fb
SHA1 55af2a59d508e2ff5e751d288dfd12e86a310df0
SHA256 4119c7f7205bae917f5ee7604b9ab6187ad7a278800873fe574d892f4a357724
SHA512 63d0bb9389b2af3af613cee0bf9662850ab258cec4feae012c479fd8ae246d9bdbbaa034aa8c1eb40a2728571b41e4cff589764cfaaefb6c66ecadd3613e1186
-
Filesize 910KB
MD5 531562f12c9d1da1279c60f3044660e5
SHA1 8372035ad5e9967dc92f93003f8d49596cfe3885
SHA256 c6e37a97ec23e0000b659d9137745a257b1b2d6cc19ba19ebc9f2098d1594d7b
SHA512 0b92fe42d569b1fd8adae23433c4eab41548efef1664cb1eb89148112b69436e503163534a3c5c234ff1a583da8ccaddcd5d5a049645c6e6f4f0d058dacd7038
-
Filesize 24.0MB
MD5 57c67ca9c3c0e932bb356eb449c96276
SHA1 99dca3825a3755b605e3e1536e2c793e514dc60f
SHA256 88a3418c0eef6e0757303b06e0991100abd70467c593dc6ff69df40ca98b2c6c
SHA512 bb4969b56d78660555bfc660d6f0efac612c9e1b4e0ac8494774970d534223ec35849243571fac201edc2065462cd6d4a79910d8551fe29914b2c50bd389264d
-
Filesize 2.7MB
MD5 0a011dc50d09cabd37b7e37a3c252c97
SHA1 06e07c07cf44c7ea22e1e80ea01f0e35afa80721
SHA256 0305ba2d8f3ec6c2a8eaeb59936c67f81d2639e33d97238e29853e3d87743ef3
SHA512 ddc78ed191efc4456b01af263615b64642813409020e2af565e9aee18aa6629d75d978935d0629d5fc6a00af4d7591ae4a04207b5e3f7b1b0a02bfb3241b3f15
-
Filesize 1.1MB
MD5 d1a0417c31873184b2c611aeba3a822c
SHA1 1eb101719a1e50ec5a2c1df2571952e86e7c1069
SHA256 6738acbf3962288b1700548538ab2042922aeb0f43ac66ac6b3b3172c58910f2
SHA512 37801397e18790bfd2c9001f90446cbd04bef4bcab34e2915d391dc0baab4cebb900d8f56ce0cfa14ec3affabed1c8a44b8cd69f46e631c68e2fb26ae2879bf1
-
Filesize 805KB
MD5 25432834ad227dda74395bd3151e3b95
SHA1 b0c4feff1db89039dc70dafcccfc55b684a358f0
SHA256 56cd6f1c70000599c1de0c268d7bc0403add837cdc8f8bacb808fe81b9c90ffd
SHA512 3070aa120b73d26fb9f2c80d6d068ac268fe4e1270c0a512ca70446d5e9f4b3bdba1f731a541f53e662351b4968561facfd640c7715187b89f0b5ad664b67eff
-
Filesize 656KB
MD5 a4ba3530767169d9d0d1fe211d97517b
SHA1 0d20a43c465c7bd2b98d35aba16ad089122ab78b
SHA256 584c2d7b2280397b230bd9e529e6a2b5f68617484a8c7f75d59a3868a939f838
SHA512 3666b62466d90f9f8799cf767d8c46cec40c8d83f59d1fd780ea8bfac79f4d756e22a6ebeb7ab803f61c786c0e96724831c327065d7eca4b7d63526ade622ea4
-
Filesize 4.6MB
MD5 3a186c0d189cb7f90d957c8700e10457
SHA1 0c691b1eb0c9e62bbefe254c4993fec3585574dd
SHA256 cd6690dede8bd27301341351275613313b0e214012e3092c6751801159bdbe78
SHA512 515d81607e7fdd74886661015e3f42762010c5a8537ce01c96c591213fdcce6e293419ad0fef915c3843d1ef98221c8aa53545e26e6c1dfa3b5e7789e3d110ae
-
Filesize 4.6MB
MD5 6ef5dc69626b724ec824b76272efdb40
SHA1 72ab761ec22554377c67c70217284d2439f3c1e7
SHA256 2a498662fe4dc0a7b441116b6a19e8851c543e27283412207530a6c61cff80b8
SHA512 1a423478ff6bb36f451bb12680f192fc26ef2503eadf47e2a28e4d3be243ea925d512022e19ad21aef257a20f37991b3d532c85a12db0bb672aba266fd3dab16
-
Filesize 1.9MB
MD5 0e839cf20adbe238ecf0679a4a5a9f90
SHA1 1790ebf31e00a51fcd37196c94796f9ee41f7995
SHA256 691811d48d2046096db4686736b144904c331a5660b089c9aaec85691fcce46b
SHA512 a5ff7a71239084972eb4eec6a6957c783f105cbe7ed3164ca8a091c07517f7ef8a797f26ddd7f78966fb429e91670b30fcfe63245c9519b97731c462a83880d1
-
Filesize 2.1MB
MD5 24f9098cfa648b31ad1c85ff35d78ecd
SHA1 266828eae6eac7800ef3b622a859de756b1b9440
SHA256 a09d2259a411abba93e573f4c43897f28b3a7ba4259d1bc8d1202614243304b0
SHA512 1d15b67ece71113aa801d8aa47b68619412c5ba645a5f8bcc7debabd651c3b973bbfcb06e154728cab077b5a818096c80a63fcf1ffffa558bff0701238928f57
-
Filesize 1.8MB
MD5 df7197af7f18220ff15b984cbf5fd0ca
SHA1 f93dc551e700abe48ded305f36b1a3fd43f3670c
SHA256 24afed8d3990bf56a35ac0fdca8b6076fcf9b173e06fd9411da5f6d215bbeb6c
SHA512 7a5f757c467d4cf907428a6486dec5c171842356cfb61b487a3416a8d29fde5e337c3de455a6cc51b52c6d87c1c6ec35bfc5aa7c21f70ac896537ce0d3bff35a
-
Filesize 1.6MB
MD5 26005e09a0bc67beab504e36eb6a20d5
SHA1 9989deced9212578d3e87ab6d5a59b3c7e8d4f6a
SHA256 d35b38c05933fd8f86b801f466f33f3547fd080f00dcc3e6fdaf39e6db0a3dd5
SHA512 cc4d9bbdef6923d3ee2f08faeecbaa9a8a2eb2b3a6fea1651788a5802ff68550b653cb4a1cf47de51e7c17b20d537da882d78b6bfdd53b75178bcf549265f0fa
-
Filesize 581KB
MD5 b4f5a3b41d8990efe8bd97acc185d571
SHA1 82671f9095c74d9dc96b38a2afcf6b0eb6e9875e
SHA256 ef00171b2627968ef589043a5538491bbb98ff0ff8263855bdc44368ec0fec7b
SHA512 19688bcdf54ac7bc9138e2e5bb29f07037afcc67af187cc212590786492b5fce280f3f190360baef029df9b55d0c2803145a7c5291801a8c16424962743113b4
-
Filesize 581KB
MD5 84489be95a85e81b8d51f0849044925e
SHA1 d04dea7d2db57e43d3be809e9a70e8117ede22e1
SHA256 ad873a263c2f2296fb3a7cf8732682eafaee90566dc9995f4b83a7533e155641
SHA512 efbf1dacc8746ba88ce0f7c029b2a7aa4da5f1c39a52544250bad92a6ffed5fab846763c4599a71b0e84a3eccd211f91e061520dc5b524127dd8267232d67f27
-
Filesize 581KB
MD5 bfb6bc3fba983a890cd4aa2d7f88765e
SHA1 038d440912dd1df93d5ed77d8601d18fe8113e0f
SHA256 ec454eb9c7c997660b16c144694a9a8ba25f19475692f476671b417f7df1b8cb
SHA512 584d3d1d6ccaac339a2ba80ec73b1a6c87edc8d0a57936e5fe238a1bdd72823a13892c32f330be945bb858f5d637105835af709364b48c0b2e6be998b8567d46
-
Filesize 601KB
MD5 53f5acd828522c775d21cdfd8db24470
SHA1 768345a814f81f2103c7ceeaccbd0128bb86aa4b
SHA256 6017b662544ac5fc3eea0f2d30777550b1abbe6af372edcb662de4d456ebc240
SHA512 23db1108d0b782309f360e9ad3908113e2ba6284ac4cc795298c63a947f73e76514bfb3547a13e21724f8021fc44f4630d45ef775c16a50f565311c73ea5a35e
-
Filesize 581KB
MD5 195b2c832a25d46deb998b6f318408b6
SHA1 a3dd2f5371e580d63c9d4029dce31ee6aba5e214
SHA256 2de81a89c72225c147116ef31bff40730c0702ddebd2f4546bdbc23634473f25
SHA512 406910c7ad4f093cea363c2f27c80545d694c583d726ae021a58d9559b1c9467405bcdc089791b64c94ec3ed738ba6da01b91acbb8f3e4aa5607bf34733b5b06
-
Filesize 581KB
MD5 3ad497f0a54e5d4054982f2dd360c5e8
SHA1 44245696516da143856565bed55c37008b7f9727
SHA256 da154efa2e1c872867a07d48aa13ad58fcff0273c51cb60d62346158ada28ffb
SHA512 3d98b6e6262cb11293f7facd3e6142b4f6073b98d927065141a8536a0ee49cbd2552cf691f8fabd6decfe25db14bbb6b6b7680a2ffa43bb162d91621123f6c52
-
Filesize 581KB
MD5 dbfb2484c8715e3c2a7af5df501eb06a
SHA1 3d24240523c57f896efae7de6986fcda80f7ef81
SHA256 f533b83e1e43b25bc6f5a9ee1ebce1225c38cebe18a62d15518cd701e9ffeb1e
SHA512 7df2157c533fdeb6f024b59bc5e3462b834a11af95bb311a889ff14cea748ef320ede6120926fb71cbc4d1644aca4d61be139a62ca7db42806e234937d1db317
-
Filesize 841KB
MD5 1fec9f360e5360b3033eaf9bdc16569b
SHA1 178ea1417dccda75be5fdd4cbcd5f6840509bda1
SHA256 a2fd50b46c8205ee3492c3e3743ee5f7b8a1fa86a583ace3959a2b877b3e16e5
SHA512 c3ba231bcd4b1ff06e021b2c96a65ea98ce9c8312d79a767cee50a95334ba8184702e80946c92746dd0499edbac77b73a0edb374cddaf01d7f6aab8d3469b57d
-
Filesize 581KB
MD5 5128e36990a274bf5e9434c91395641b
SHA1 78c042e91c988cbf83e35633826e901f38e97c20
SHA256 812350b83c505858f070d298bb6371e9e818682596ee231177c27627d37a9348
SHA512 a19c2fcd43cf23723494ece6ea9fc9230b3f0a69291a78c15e476da77bf726ad45122bafa97081eea361c9662121ca32ef96cbcb8c02fb34058d704ba09eecdd
-
Filesize 581KB
MD5 7ffb267b196f93eb42303ed93a693c8c
SHA1 1f50ad01c5eb504c54bdd9b51a5fba4f2a0b4841
SHA256 27abc439a52036cd019277b955cbaf4960924eb24cf0221a601692b99a7e2a60
SHA512 bfd9e92935f14bc8ace5094d13eb9b6942320e5639c8608554a160270d253747190667145568f9913a446ddb16b3f2e7bce7905d313d2f681ebb79bf5afbe08a
-
Filesize 717KB
MD5 ed792b1d49c168dc46fed3cafd94fcb0
SHA1 a9072d4fa8551fe0b1c1bedd4cd4ebc675b80936
SHA256 1be21950b90665f6936fb52272c2c19fd56f4118bb8f3f26161462e6c5b3f89a
SHA512 9ae4d546b2ec731ede5799c4aa7d92cb7c9417b255e5a871003151fd676d41eb4d64655b772ddc1195befb4e14064f71711cd0bf17a67e5184c8839887c49ff3
-
Filesize 581KB
MD5 59ac815bebe4b506a3d5f151bd1f67e0
SHA1 d6a90dafbed0b85e47e47fee525a4f5a1b8bf646
SHA256 e124bafd0280ce46bc4730b6a34ac09f768194abc9aadc7b8d85a1a390fc3cc6
SHA512 fea0dca3a6b00ec24804ad6b6a6251f39a6c43aa43b54b33d00c32f726cb0d6f6e2dc5dcadee8d01b177b2316f23f86203cf649cd20f007f451425fee68acb59
-
Filesize 581KB
MD5 18578d45f5471a35490e8a34edb50098
SHA1 9fd1bfdd0b69e41c5fecce7885bd5196dde0ad94
SHA256 5e7315b40c42ee15b929d741d623d7ced14465b5e25233c18d51a6a066ee20c1
SHA512 b502a67b5fefd97e26f3df3e73c20ef0f8a3b0cdab9723cb57ed5a5a283fbfa80c4c565331a6b07b765574a6026a2e1ca52d7aed9bb9d78851493f7131d53457
-
Filesize 717KB
MD5 dda06765ea8d1e71e711e22bd758723a
SHA1 0a9299efc2dc528979c9571744d2b567189a24a8
SHA256 0d80c1a992eed259bdaa039b06cc9787596aa2c6b1c99520951413de6826535b
SHA512 315e676f2bbaf03874051f83afa4fe6adf3c1a9b0d7e1e81654d4a8c223691c882667bee6df3cd0ec451fc8f8409ff9686c2483ecdf0acab573e86bf4eba59d2
-
Filesize 841KB
MD5 a2c7c040780862a52272239ec5b19652
SHA1 e40fa7a0ef4b8cb3ad552b8cb21f086a22be3093
SHA256 893f3079d32278bf2cf17a9ba80f407541f0e9709edb896827dc8970d5714f5f
SHA512 dfbdd1024c5845434a9ce488847c407e55b299656d94e3082aa5acd0821b521809cb2bbf900a536264a045664ab2257090317b1ed3a5571e9a585eb4aef9e84e
-
Filesize 1020KB
MD5 2659b08f0833ebd4f8004f1a9e638cdc
SHA1 84c79731051987c45d33dad7decc0e5cd83dfc8c
SHA256 03b8a4d1e2527b1644713189f54bd23333a967b5874db83bfe7cc51014aec002
SHA512 02418def88cf65f317cda15da638038b97885ee1f580a5e41a38c688dd4319195eb217a19cdc8beeb01bdd6cdbd77daa1439a3c41f368e7426838d304dc42d45
-
Filesize 581KB
MD5 c43f9b370eb869256cf6d26031100545
SHA1 9f3a5477bcfecb28090da43215fb4d3344fed1c1
SHA256 d53260837bb2255251e2efc0040faec844416c4ea0429b0c577518b82de1ae9e
SHA512 a39af410ea5e0538296e68c28117142ced567eefd17ed8f0f5ebc604c506cd9e69043e4ab9fdcc4b07827ac6dec7fdbd36e10ad89ba0d25275be0718b4b0c9f4
-
Filesize 581KB
MD5 05bdb003e7f3a807635dd66caef05cf3
SHA1 32a3ef1b1208a3edfedaf5e0681d6a32695b5f0d
SHA256 18bd373fbbf86d6b6f5899cd6925657345cf1c04202f53cde2da512481f2b0c6
SHA512 7cdced7b7d5c98a645f184d694578382a88aba70513cdc59a6cae903f33c358eeabef84ef1442f33e2cefcb1d1f09238e485ba8f5005ab15aabd3056b820a88b
-
Filesize 581KB
MD5 46f2d71ad4e5f7b0303fe94a8f34a87b
SHA1 6269eb258ea16f6372463df359517ca0e9668bae
SHA256 53b4437933f97f6e4016378cfa554d5d033a965c0494f2485156453e83e7032d
SHA512 e6a91bac9cdfdfb758c56966add649384453d6c4f78a8683764c8d487eed8b253278e43afbcc854b04bff4786533d52fbc3211ff17bee45ea8b9160bf6f9db14
-
Filesize 581KB
MD5 b1c63758574a6b6aea8656c232ebe60c
SHA1 95a43997655db0c992b909bd5c40414f16bf0f8a
SHA256 94d60903cec2e8a0ebacf5444ba40996ffd5455c92331a257e5248e4f3b1092d
SHA512 08daa11e5b37e3552b3cf4a69630c5956f512d8e03256882b1e4abd1f4683ff91cd3d414c1ca9bcdda98790d2b71048b22baef97bde5b4e2f4f91ac2a528ae5e
-
Filesize 581KB
MD5 7d9f1102db9e2dff75dd62ba3aa39a4f
SHA1 58bd2eb00728119b223897f5b197ce34ab3b97e2
SHA256 867cdd6bccd13881525eb9492546e1c0e85b218f5f14cc8a246e08838a4e1d95
SHA512 e5c59a8664005429dd4ecafa17debfd99fc6e456aec10bf48caeb42a2cbfbf54b03f4cf916e45b3fc490420b0a7abe042b5c8401088040e031a6344d8f9b96fb
-
Filesize 581KB
MD5 442d287c193394851b33174d8fe5ea46
SHA1 77104194394527b300c2fb698e1effb27ee171db
SHA256 d02e64ec714227b52125f521a8e3b733d525bb019b725d02785f0f2580b72689
SHA512 34db62bbac07235f16db59c02b86097fbddda8246545ab465e8a1417f3b9374d325a8448e29ac011a26c9dbfe7a7f508f702a82aafe6ada26064be2a27a2afda
-
Filesize 701KB
MD5 db6b0c35804b2ddc77fb926d102fd819
SHA1 397aa9dd567741f119097522bbb992bcfffcd0fc
SHA256 d383528b43c00e3e8502a8d20e2b30d02989a852616da53a87b7778adfc3b0c2
SHA512 669320ffa5ee40227eb6910b5151dff917ef29797951d06377d1dd543834dfe30c4365d01c8fe2e867ad000dc4b9f6cc56d6fe8a6a60658e87fb91288750b0a7
-
Filesize 588KB
MD5 337960836056efe2858b8be63d0ce3b7
SHA1 78efec2c81c7cbdb27188df9a514357c894f6711
SHA256 8bd421580ade53151a53a0a08cb25e9e7d9f86fca58ad3ad7fbb133cc585a3a8
SHA512 b2d2bd29c584a5630825e2bef1252078bad20b7ddf967c9fbcbd30c0b17fa782ca053e6e5ee0e8074503111176073eb3ff79f2197bd16809c57e27df3da5ee9d
-
Filesize 1.7MB
MD5 fc3dcac1c7a74e2629c2c2d6ec87cee6
SHA1 f15e78fb2f95ec5fe8906e606bf9c763c3b7976d
SHA256 6d70f04b1dbc1f56c56be57852c8a84e6a4216b30772433607077bf31340b6b4
SHA512 7d3eb3f6b55ef968ba7c65c56d83a77efa36b31c981579b63019d3b738a88675e1f266ebb2cd74b3c4968dd170f7774af72ca6196fcfd25b894bce4267ec7ca8
-
Filesize 659KB
MD5 541bd0588d0dd42e8868b7fd2466780d
SHA1 da92ed66b2335d07e99d4dea4b45d410011b2964
SHA256 5337ab05efcbe8d8467d8a16a938de24415ad0b3d9fe671a3dbe556818e61cfb
SHA512 38bed25885c3bda018d3997b4349c77988a389056642fef1b4d8664d5e6c8ea5ba90fa7d1972b2b835cd4e3686309212956cc9c6fd1899a1bd71a2747070ddf0
-
Filesize 1.2MB
MD5 7cebb71c02a1a8ad6bc79fd9bcad28a8
SHA1 7473fec186bfd44216f1660b392e236ac42cb79b
SHA256 b2df0c86ad375c4801b8e52467a9305132bcef1a6f7777d8c179523a239c1539
SHA512 fa39a5cbba51a0796889a54b87d522aa584dcfb27e086b6706b4020b2fa512f95642e85e68d7fbe74f2415cf6ddc0119d313738d87d6cf9da1c6180a2b543c0c
-
Filesize 578KB
MD5 dcff2ac752f3c65bcdf1da3d5a6c3742
SHA1 a8e94d5d6b5d32c23ac5fca9d52b17503bd408a0
SHA256 ff61dac8b032a22d4f93523cc4ad317a48f77abd17fbe20c46cfe9f7953e3bd3
SHA512 dd424e2caf0921dc093ad470c66625b3b01302e3d1b341f995645ec912749ea984abad3a2fb7ff2bce84a0a0bf45689c5c6dddfdcd4ffb83a0ac13ba14e26b38
-
Filesize 940KB
MD5 fa10a4c616d7360d5d20abc4f833cab4
SHA1 0203f3379cf8813f23d77a49c7f18b0015f64114
SHA256 a1c22105c95cc746ae2cdcae0f5f25f77968a105aeaeee24cffced4129fda092
SHA512 ad77ee6021f643c7c820294b6fff6a79af5cb22443502a518fd89c05fc4fe1ac777fba3256baae382c4f3eb20600fc1af3ac63a088598108acbc1465d1dc3ac2
-
Filesize 671KB
MD5 d0dc3676cddc136a3bf7f39b27e9ddc1
SHA1 a47a5ca4b73f3bd97dec6b3c094b997e34beb3ee
SHA256 fd852b20c5bd561c31f7ee608ab4d4dd622567fb6c2da60734759b2f467a8bbf
SHA512 6ba098aa6c6d6706369321ebb367f2f4aa95c1d4f52850e019d4449c17d9d26538422a54e1e6c170ed20b55f7408f0466a0bd4e7d1315bd5a349c6d7e55dbc52
-
Filesize 1.4MB
MD5 513c3b9f0863d862f96a16bca8108bea
SHA1 8efd44d32633fb1172d005d9a91c0bbe485da743
SHA256 6273b23420e6df189e24c8e79a91cc5ce62835b955fc04570828dba159de5f37
SHA512 f2d64dd431f3f4a979d9013e74e4e9a44b7a87591bc12aa0dd4c42a16ee11a8b64b9a766589eaf0468cad9992a54c6e754b52ff3f7b5139770cd07c8bd113a01
-
Filesize 1.8MB
MD5 7fae7fce811c051cc7aa9419270a74be
SHA1 0249f7551ae07051d75110595e51b1c5a4bbfe97
SHA256 f3358fc546e70b8186778eab2b9247ca1e1f0fd46d09ae8f52cc0a40d8c2d55d
SHA512 d390d225dc8730168b7e5382a2e22107925654f4c4c892e5e11e50bae475d19a5b336c87c8206322bf5afdf53b646c9cab384f47cd720acde39f07988735ebb2
-
Filesize 1.4MB
MD5 ed86674a11ace7a2a2c7c4e3a7c46a21
SHA1 5ab26fb5c65bcfb2c4e2481a2e7216396c5794f2
SHA256 69303214a27fa9798e9224128a71483dd2d507e3bd0257645ee98a980282a74b
SHA512 f6221488d86719c99b194daccdac36119af2a5ffa5c4c2f981844c38c869703ab37d1891c929494d8afabbab437c0bd11b133284d4b0ba030a36a56c2a0bab77
-
Filesize 885KB
MD5 d0e093cc3e0d049a6074bbfa8e2a79ab
SHA1 c8b090bc504337d26efbbd6bb02cee3e3cc92272
SHA256 2ac315864ebb0d7a08a1f13dd742fba2f3e2df4f0b7e52b24ffc7ea24eadb62f
SHA512 795b53a2c6769999e6e4c6e00a186be6fe64795aea85319d9cc4bdbedd230d597ab72eaa926cfb2ec4b4265424c23b614a6c85c9b50689bd6bcbe7d21d3d4d02
-
Filesize 2.0MB
MD5 099530aa9e2e9041103695c5f2327fb4
SHA1 29abc201fd01aee018b4e071ad819b6499c7871f
SHA256 44ae0a92992e262135cfebafe7c51193409c6a64c3c5e3410615913dea1d4c99
SHA512 b3882186fc09ecf01c5168271320881c05a45f2d03f327d431cec703589ca5e051d6b740b9d2ab857cb9ce63f3c38232be65b1d1e19234f56c1f591d9cb05985
-
Filesize 661KB
MD5 ae5e9b340482bf796d868ebb32c26266
SHA1 7df2a188bf22a59a664b7771162028bac2f36bab
SHA256 d15a5b0dc2cb3e5f70d2dfb8f2040e021d6e47f986d96889a280e2d42c997eae
SHA512 3918719d51d2f0a315a45ac1bf6f5fff817df6b4c2fc85188b843f8a648f88057030d44f2feb00dc5072d69d65b9b67685d93da5f896f422713edde54f6e87eb
-
Filesize 712KB
MD5 306f04337a46df56c759cb777d53a5e2
SHA1 8ffb45785345940a58495ea20cc54ccb7610be42
SHA256 2bdeb8e833e365206db17938e3c9a388394aacffe301581709a7e7f89336c8ed
SHA512 c58b5ad5ace887730cc460d370ba773e566744411150691638e59b67bb21d39aa8665d07bbf2c7ecdae296d56a17645b7c430487b2761af9eea8fb319ef629cb
-
Filesize 584KB
MD5 ac8b2e6f6014ca83e1504db661257b68
SHA1 4a432246128b8485a9c444589669f879b9498934
SHA256 f8634c6a29e7f36235e69425f31509a9d1a127c762356af5eefe570058c22f4d
SHA512 9525979436e7113adfe0cd58f27cc967206f14464346acc10756c338267acc1c8f78f5d983227ea1b404fe3f85aaf8d300e144d474221e4396c0e5008eef7582
-
Filesize 1.3MB
MD5 8dc160817cb04b26efac288e684a7622
SHA1 4c44636732c162924ef89272d87f5f04ba94809e
SHA256 c9f02f6902877a5e30f6de0b88bc3f8e78ee582e83eec195c820ef819ac3db8a
SHA512 886acff2dadd8864f2e0afdb1424cbbd294d9b196da9d463464cef3c858b8d318805ceae59b46e9cf94a6449f8fe1d3b1c5cea9d4eca5781dc2ebc2e4999f276
-
Filesize 772KB
MD5 07fe09c7a128cb19a1154bb71ad3d456
SHA1 6b38dbc8fe0232015081c7e79923c83a2a26c694
SHA256 8362c6e679776686c9bdaeb225bf9d23438a9054c780dc9a3acece2582a7bc59
SHA512 efda060200ea661a912e15cac29e9586cdccefe87986b78786ebb3dcd37dfa4f08cd42c7d23851ae17ef391b37b91f9e6cf844a3a1e88a063cb5f4daabb6423b
-
Filesize 2.1MB
MD5 26f934962dc79e366d73bde1696c206c
SHA1 35ae8094e511eaadc46be7d069615cde06af0c21
SHA256 684f7f1bb559523772110471c6bbc0db28b565f88235d2fa3bb00ebc25ab268a
SHA512 2c06b7bd854524413c31209dbacd735439dbede99b3922592c0f357cb414c3e416ea4ca2b44115bb3c5b84df8c05b6507be745a8fb54ddbd8fe8e1c9a07a95eb
-
Filesize 1.3MB
MD5 06fd129e417bdd633078d69f013ff35c
SHA1 be5662b2d1f2b91bc43d2c0026dcba50c3e5f254
SHA256 d5f042573268d22bb198aceef2a3a06ba88da86d2db8a29a8188fd84356adac4
SHA512 f9068cf4f921ac188e108cb5575fb1803c0f0c8630c4d8c2a452567ce12028917bbc4661d07a03f8b9b4356acc68beaceecf2dd3e245db519dcf86e3a822350f