Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 13:26

Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7-20240729-en

General
Target: Quotation.exe
Size: 3.1MB
MD5: aea0e096d1dfd0e4408d822f828f72e3
SHA1: b69ce5621a2259c671e51f53aa88521d18dadbc0
SHA256: c6474419259677bfc2d0972306eea797f3decdcf610cf8444aef2f93bf664a31
SHA512: 5cd5d8d81f0e306278e1fd9810abfa36f5ad429c31d908a7b6de96f0bbf63246bd291ae5d926ea1179474b747df2beb019da354afdce8d6382e8383320d377f3
SSDEEP: 49152:uCVOkfUWQZSZlnphMfeuXcHDb31Ux0fvSH0eLnrhtdDL8:uCTqSZFHVG0SphP8

Malware Config
Extracted: remcos
RemoteHost: 23.95.235.18:2557
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-E0JKXE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

Signatures

Executes dropped EXE (22 IoCs)
pid | Process
2396 | alg.exe
856 | DiagnosticsHub.StandardCollector.Service.exe
312 | fxssvc.exe
3044 | elevation_service.exe
432 | elevation_service.exe
4340 | maintenanceservice.exe
3872 | msdtc.exe
4632 | OSE.EXE
4960 | PerceptionSimulationService.exe
3480 | perfhost.exe
3544 | locator.exe
4484 | SensorDataService.exe
2232 | snmptrap.exe
3684 | spectrum.exe
2868 | ssh-agent.exe
2212 | TieringEngineService.exe
3564 | AgentService.exe
3364 | vds.exe
636 | vssvc.exe
1904 | wbengine.exe
3616 | WmiApSrv.exe
3672 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3356 set thread context of 916 | 3356 | Quotation.exe | 98

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_wp.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aspnet_wp.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
916 aspnet_wp.exe (this row is repeated 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 916 aspnet_wp.exe
Token: SeAuditPrivilege 312 fxssvc.exe
Token: SeRestorePrivilege 2212 TieringEngineService.exe
Token: SeManageVolumePrivilege 2212 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3564 AgentService.exe
Token: SeBackupPrivilege 636 vssvc.exe
Token: SeRestorePrivilege 636 vssvc.exe
Token: SeAuditPrivilege 636 vssvc.exe
Token: SeBackupPrivilege 1904 wbengine.exe
Token: SeRestorePrivilege 1904 wbengine.exe
Token: SeSecurityPrivilege 1904 wbengine.exe
Token: 33 3672 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3672 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3672 SearchIndexer.exe (this row is repeated 24 times)
Token: SeDebugPrivilege 916 aspnet_wp.exe (this row is repeated 5 times)
Token: SeDebugPrivilege 2396 alg.exe (this row is repeated 3 times)
-
Suspicious use of WriteProcessMemory 55 IoCs
description pid Process procid_target
PID 3356 wrote to memory of 4128 3356 Quotation.exe 92 (this row is repeated 10 times)
PID 3356 wrote to memory of 1812 3356 Quotation.exe 93 (this row is repeated 10 times)
PID 3356 wrote to memory of 3468 3356 Quotation.exe 94 (this row is repeated 3 times)
PID 3356 wrote to memory of 2968 3356 Quotation.exe 95 (this row is repeated 10 times)
PID 3356 wrote to memory of 2980 3356 Quotation.exe 96 (this row is repeated 3 times)
PID 3356 wrote to memory of 916 3356 Quotation.exe 98 (this row is repeated 12 times)
PID 3356 wrote to memory of 2900 3356 Quotation.exe 99 (this row is repeated 3 times)
PID 3672 wrote to memory of 5464 3672 SearchIndexer.exe 131 (this row is repeated 2 times)
PID 3672 wrote to memory of 5496 3672 SearchIndexer.exe 132 (this row is repeated 2 times)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3356

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID:4128

    C:\Windows\System32\svchost.exe
      Command line: "C:\Windows\System32\svchost.exe"
      PID:1812

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      PID:3468

    C:\Windows\System32\calc.exe
      Command line: "C:\Windows\System32\calc.exe"
      PID:2968

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID:2980

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:916

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      PID:2900

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:856

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2492

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:4340

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4960

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:3480

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:3544

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4484

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2232

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3684

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:2504

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:2868

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3564

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:3364

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:636

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1904

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:3616

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:5464

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID:5496
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 5eb620ea367d4cb392c4aaf2a0618c03
SHA1 25cfbe1925754d4b97f789b5ea70d0627e39b065
SHA256 77001dea735d54c2e9c2cc8a6330318c62f23d14b5a0998b68cd3dcd1e3281e6
SHA512 bc0d3b25b520d6ee3b0fb290ec60263a31b08c94c5faa407c741ddef346290ed254b1c4989004e9ec96892e4c509fd50f828fc91296582f68374321c71d36d83
-
Filesize 1.4MB
MD5 c2787871206bacca0c5706fe3ee6225d
SHA1 421c8c97c2ed9441338933be25d7b88f738549dd
SHA256 b1e2464811de7708590aaa143cb057ed38d61fc4fed1ab076e91137ebcf01a79
SHA512 645453b230532916644af94c2ab3bb5945941762b6e85f964ba2956a4151412be90a763359f44cfc01560ebc6d20456541a2f668a73fba32aa48c0a6e3ed22e7
-
Filesize 1.7MB
MD5 b0ffeaa148f497f4fa0721876102a57c
SHA1 aad5ebd41be21cf2d1b878d62f044630d4d94421
SHA256 4fd6d74719938c844701255fbf384f801bb9a9cc159350761bb3b3583aba3ec2
SHA512 b4d281343c6d272df5ac12810ac6966f232a3ce819ddcbece43ef687e278db43629f753b89e7153bce21b118f01cd163efaa42cfaf1ae167ca5b37d65c4b98bd
-
Filesize 1.5MB
MD5 c6df6b008f5ab8af8e8b1341963a053a
SHA1 8a062de1e8fd250f56b71cbacbf1413392ef860d
SHA256 b372039d0ac2ed6018a989a1b3912bba34342237d2a2bd008fb479e562749c5e
SHA512 a8f84b1f30aa681c4d2877ac38b4be23bf8ec0c422c111eb98e567057e91bf06f0e4fe8ff304e74db9e90aa39ee722fa1004098f7469c02f21361484787e155b
-
Filesize 1.2MB
MD5 d7873b9a5d40452e74630f9fcccf69d8
SHA1 ed03ea2f06615dad5dfdf3a76cc1657f7dfc3e10
SHA256 d33a6df006fa4ac27e7aca895888d16f7be584929e337659d10db836a19e7a8b
SHA512 acb3db1d3802275af180cb9e9dacdebfcdcedae9bfdced98b823fd4b0bf0daa827d9de6fa7786f33b101487a587265aa846eb43c9bca487893d74b196aefad1f
-
Filesize 1.2MB
MD5 6458c3a22aba7e9f0fa291af1f64ebf0
SHA1 0d07e253f1c9ed763ae99c6d07ad7f4bfc32c223
SHA256 3d8c49a54dd3e7e8c7ba0fc0539c6b026859da54ea7d161cbb2ef31d888f32c2
SHA512 30b8bb9b6e3dda5d56a0df47d5e3aca73a3c29d11602698957ce3b8afa95b76e5b8c5e0d43d49aa4e0843fae40ad57a39d7879e5f460e4572b38f2106d8ec851
-
Filesize 1.4MB
MD5 87ed1813c7f95d5b00dc5e808f5adc6b
SHA1 13bdac79fef5ccb6086533a2cf390000ac3670c5
SHA256 6ad6322703c34b008d9a08c984fee83781d57f7043139855f1e875321d6a2afb
SHA512 ca94657a744f0c5bae1e831a2172fe46792f3999b02d80e4b7608375f6a1bfd16fac43cdb384f95f8d1dbe6041904731ec752181e9488f8baf09c7639617c7ac
-
Filesize 4.6MB
MD5 0b8893dd84cee757dc543d02b104eedf
SHA1 12a3869ff996f7d76df6a9ec3ba655534740e326
SHA256 e3cd65fc33eb7baa029e9d996e3e30b61fc6b40267000ae024c9924e3d3a8815
SHA512 ee1860972fad82b12bc8571a46f22d512227da3651d133e5b574627f9a13b0220b811d3fed19176ee02406cb5d3c5a213635242b7fad61dab309a6322e8f8998
-
Filesize 1.5MB
MD5 a7cea387118607f46b17df3bc7b43cf5
SHA1 7afa90154df0769aefc7bf3ed41ad1a6827428ec
SHA256 0e59263b73f78d2531b280a031746a53a6ebe31e74249b0b6a4019a5f82c1b72
SHA512 04a2d7b363560a2c26c12db8f85a13f47f4bb4a4205de22c37c6dc490734beb63be044db1a2bd3bb5e97385b03594d20cc1e42fd5c0dac8381e8013d63cdbb3a
-
Filesize 24.0MB
MD5 3b11bd7eb196118f77d362a61e4af8e7
SHA1 fe62534d8dcf2965cb5d73da522707864beb2094
SHA256 952569b51a07bf3f8e65f278222e37c2a15e21617aa8eda3b5212c912f2597f3
SHA512 20e9e9affd0d6aa6332e50e80deb387f348bbcdcaae7ac289c13f0ec7315b8637800d1c303701b0d0d292524d1414fe2125361fe95b734f1d702fbc2b8323c82
-
Filesize 2.7MB
MD5 e929cc2a3fe74222764f380fdc872f24
SHA1 93695100edbfc60ae75e039d5d3cd91b478e33b7
SHA256 6b172822ba1d13596f7f5e77ea9dd6d9826ad8945cc4a783074cd1ac1ccb15b3
SHA512 d00aad5ef0b1e3579e2e549b217cff7c6bc9018ff2e24c926d2e8cf23a31f66812217270e5b29819a05d3e9d47684cc05f25c82d8e253209b1085610fadb95b6
-
Filesize 1.1MB
MD5 b82081043cc0be0bcff3b91453cba98e
SHA1 ab74b47ae6309de130bf5cd6c8b619e616e4eac9
SHA256 654d49dea0ba3395f5180785cb5acfb09ccb15c3c0b85a064b803ac73ce612c9
SHA512 7e13b463d453536d9239d122a96513778f788c9991281986131309030bcfb3e86b079bf0599f6214cdcb7a1b5c587b82d8ff43ab7fab471f7ffab83cd962d261
-
Filesize 1.4MB
MD5 1e05b0330bb0afb53648ca1bd9316328
SHA1 c5ebe0f377b4730e92599fc8929eb6bc235154bf
SHA256 ad22111e548b5a5abec17f35390678c0ac2c914e9360bcf5565953c63462e2e3
SHA512 4105ca5106bee743c61c8f1122f7c47d0c08e272ad8a95b0e1e1e002b7d6fd7fa395fc4b646ff481d541f7dfee21c6a9c6ea95ddabb117d0de89ac4a860eed67
-
Filesize 1.3MB
MD5 9ce45cb89194a2a99fd550beec295192
SHA1 8da0937a80195f541340d565afbbb527b5f618b6
SHA256 d517db5c1d3dce890b88de7f073ef95eb39ef3b63114baa3ee2ed48d614ec9af
SHA512 d25aad0a44bb13c117d24cea2afb35e3630c3140f3f96db8cd8740a457cfb9313a7ae99e4117e75a152624a1f2f4f3a9104bc88785da3e8faf2e2e25e72d27e8
-
Filesize 4.6MB
MD5 7de6e68996230ed494e94155cdb18f54
SHA1 a172ab0bf216af8074213527f5f3531c19d7c6cf
SHA256 a53a91c1a8e4a2c4d1cacd6c8a96aa5b39cf693efdc9bbb772a34c0f10c64aed
SHA512 4c7d83057aa339ba5d0e0c2f7549b9385fcbe65820157f9fedf245ff9e39bac2abfd6960a86841f5ac37c24ee568f33020cdca921a7ee222091133e22f868a13
-
Filesize 4.6MB
MD5 20242694a06c8666efe0a850b8f93f8c
SHA1 da66801f522caa36eb8f4eaa99c054356508b461
SHA256 42c648af34be84c87fc3761dde463f4a73820f750e6c895f8aa0179db9d0890e
SHA512 0ea318e4438794595e3beb4ae429902e403c3819841420cd11ee551f03d8d31155e2adb331cf4ad807e6152fc462e0cd8b20f1fea9ec1f2175268b9e4e66fc29
-
Filesize 1.9MB
MD5 313813520ecdd1f672a3988d705549df
SHA1 0be26ac18a3d3c1b5a8fbf5649aad0f8f3efb7d5
SHA256 0de91e23c0844f6e7d8bb1b09bc154069553b328896429da8ae00be257ac75de
SHA512 709692579cd9f5b12324bb4d94b83983a1cd8edc090f422780cd116d8df9bf027f773d817a5b64bc1fc0bc0d50cb4b79147a33af9ec75ee34efd514bb225713d
-
Filesize 2.1MB
MD5 2ffa1dfdd834db2b962ddfb08f49b496
SHA1 29f7f1b6531c1640c6e2037ac69bcf8655a22eaf
SHA256 0db08516c4bd519827ab22d85c45c0ac63a568d9e4c83a2199e904a30c6e3678
SHA512 522ab1c418cada2fff99bd339c0dd1c9ae66945b200c30cc502ed9a8edd729033b1b4b64cc1b5ed45326e00771252fc65e47b3199819f936f56bc0bdf6602a5b
-
Filesize 1.8MB
MD5 12fd2abd57dd866bf68f06504297b2d5
SHA1 cefa05c9441c617590e37375ff66d46ca56c2008
SHA256 29c70cb81b5412936fb3b202ead4dfc0de5d7202b7f3f85c011c8eec61817c68
SHA512 3b13bc07286457a5889b02fc53d2b7e808a133a8bf1ef83edaef31554f7fd2f0d2e676cf5e0c9e453ea3ee2f889ef81bbd267a0d8f909ac93badfffd3017ac07
-
Filesize 1.6MB
MD5 61df5c3ff0fa28d77d66affc097dd259
SHA1 52fec7bb7a4d2fee604684fa3b17c65988aec805
SHA256 2a6550f1b819f62be126381a25ca35a3a790c474ff013753a0287ca589238c07
SHA512 bfccf2faee90fb02e4b0d8fdab0f170ffb40f12527ce09d5f3317d83845aea04c6533503735456885520b4edd5a3541246be408cac1402f6ffcfbe55fed21744
-
Filesize 1.2MB
MD5 f1c435fbc5535188fccb2e04f03325b2
SHA1 e78defe2eb109ac918e3e05710dc283ce59a2786
SHA256 2cfa5cc784b317d25ea2ab8e8c98eacebd45087c6c6fea3d382c143e0e930976
SHA512 93f891bc591688f9ab450e110bb6cff2187cf8f6877387816ac22b0a247c15f7ea809a80818707eb081d64fdcd8fb3c2a84905ea6aee7f765da5db859e9449c0
-
Filesize 1.2MB
MD5 b42c06be3f4965eb281818e6283c07a4
SHA1 7f68f590d226fa605861fb30cabfd4b5d91a4b16
SHA256 85434001494df43c54d03be15368909985f1b02851ff7e8e80d437597ecab6f3
SHA512 1b07287c2dca01a31bcd76b227209138cc178e0e4bba375673c16b2691d1974a2ecbbb136ae6489190f929824269a6a26b808d42980133f7e5cee5a3f7392522
-
Filesize 1.2MB
MD5 db979f606cd4af133ca5c117d1465132
SHA1 15d46861aecd84bb76149445cd80c0de77c4dc4b
SHA256 c5765531b6de99d0166cae5754cf65d26e383702a72d6a3064d6a33f746ae4db
SHA512 c8fb847580244523b3d533c6c685a3fab7a1cada18fdd24e33d865f65676ad06fc0325624279dd460e599b7d38a4d1bc023984ed3bb82be567ef40d3530cb74d
-
Filesize 1.2MB
MD5 2063bd1a443ca93fe2c5f08d159fb063
SHA1 ecfa441f20b8084c8ad5f92f4f21e631d72e057a
SHA256 b2aad732b445e7f7069a81132cc27545fb4b3dc0455132825baafa387a6359d5
SHA512 e82db31b5c72f1d68ec0708eaf0b57066bb02fc0290a9c7ebf2807e5f5b0a3a315e4b17808f2f54cea1cf4cdcbf4b07470444bed84f48e64f74050cd1d48399f
-
Filesize 1.2MB
MD5 e534e7921264f77ef241e50a5726eea7
SHA1 b34a0b0272bfd3cc9dd6c7a2d630ce76c5d00cc5
SHA256 279efc0cb3a5bfbb1c2ae0fd1e7541249de77b236e8258da472d24805db4b3a6
SHA512 a06b7b8f20502d85c2db9395dd8781b4d389d6cb77617e5a1a44fa64f29f9005d8c7b8884ee99c229687a22a03c81f0fb40305d3c1767233659338cb19af1892
-
Filesize 1.2MB
MD5 747a1405f9d1a097cbfb68c25acfe419
SHA1 841479dc2fb5d9880fd5dca8de6fad56f88bd17e
SHA256 9ee0255a023d373118ab044927af3f9dcdf87afcfd2969ca84ff1a60f3c42c23
SHA512 d4e622acb3ebe6e5b2daed506acec48955a1b4be90a288f7a23e7232b8a2fd05eb26628f95abe48a65043be6ae39549031acb91a1b3831bd7e3c2a351c656e6e
-
Filesize 1.2MB
MD5 f46941c579a7363372d3d38da1ca1e4c
SHA1 14f37dcee34942aedea2377cd0d5e6251167e7a6
SHA256 65107c17a013f52ca64b4ee6bae13a7be5ca109962300eb627b7e3ec67cb0de1
SHA512 ded6c40b4c0566b32d5f8f37130d2c7236da022068e94f41a87af4c30d5dafac3cac1f32b24bffe88469c9bf7ffeb4c834c96ad4ed7c5f13dd4cbb804cfa6a2b
-
Filesize 1.4MB
MD5 30da27275c108aa7c92d302d1bf8bb65
SHA1 13c51bb465baab770d8d6a0d39732dff2e3fa4b1
SHA256 3bb3cc59e2e59c07cab63a5ef30733b1fbfdade7a628d3a990b2f698b29e8e36
SHA512 9bd96f041a471fcb0a9d3c297bcc6ccbd02bace0d756e61fafea1a1aec9038bda85d92720943d210cd9e608f698587eb77728bacaf6e37dcb9d455a872c9343a
-
Filesize 1.2MB
MD5 f1f45d45aee05190728fbf03599880fa
SHA1 79ab8989e03985cefb78ff3e509a51953a2a7ef9
SHA256 9b0a17f4b28157badec9ac8d09df6e05f2cf7cf9e0249244db9a0e302f1ae9e0
SHA512 c9a120c26f600f430c08c92363733c5528c747135fc93187d6aeb00f814e2d03acf61724b8f9444f59f282a5eb044d74862d0859a0ba868e94be02cb9185d2a1
-
Filesize 1.2MB
MD5 128c4c37b02d8158cf164efaeab8cca2
SHA1 9188d1bef23817efb4bc5d138d210fea03b24207
SHA256 f423cd4ad89bc20b5f8eac9f451e9aa669811a01fe210e1d35bb8203d76eb497
SHA512 866b32958c6b690c009aa50148ec0420e496f1378dbb241353f6395a1adc2305d1707dd6078ec3928498c6245a7f6261e4fcdb8d5c7f35d50ad099de9e3a7b92
-
Filesize 1.3MB
MD5 601fbb546f697c796fa2010e7ecb06ae
SHA1 52ea2a265dd8b67037ba098535e8bbf9857fb220
SHA256 566fae8656d6c4eabfa45c0cc84efb89020cc741e027c5c806b70aebe1384f33
SHA512 480711f05e5efa283fbf6a6c0912df516c70176b4b93fa43beb155843b737a49ca502667a18e8b1fff7df0cd2304a5bcfa768f8f3df0d374b829c102262109ac
-
Filesize 1.2MB
MD5 f787fa2e2cc502b370360903d4f3b840
SHA1 6d788b9fe9bdf6cd6736cf02981e7c10b133f0d7
SHA256 e002707cb96a38cd784e08fd33ab9ccb8e2b8a16eda9f694aba97adfc648d8a1
SHA512 5351e0b96ca0f610eb7a9a5c298899632bcdf7dbe4d0913e28383481c7d17ea1465c2a98aac0a2879bf550dff99a5966141e338a5e6cf182e0f489f1652271bb
-
Filesize 1.2MB
MD5 28e9f658f481df7c6eea162c653817e2
SHA1 bda0c7fb9a50794c4e53faa28f04746d751b5cda
SHA256 a2b737aa20298181ccd15967c6f92b5042965df7cc654b3f29ffe8252493f5fc
SHA512 310371d6b980478c800a5cd32a4958e448772f47f6f141da232a0514b0705d1662b71f96d2121472a671a630cf93620896c64a2a354acef5e983bb8172fb5d15
-
Filesize 1.3MB
MD5 b236f1d891f2a560b9eca2a1050b7db1
SHA1 e93586a71b1d1397ea6a8c9d6b11664eeac7e82e
SHA256 22180d72e58e2bc00f037201ef5b707d10e62cbfa36b67c5a50e1d4fdaa34f18
SHA512 a6f34f00c29a6a71e01d3a0959dfaa568035a70102ad44536437814637861c913150fbf3dfaa4b2d75c4629ad9d9e9df18f1451701d85522024d7a1bae4b971d
-
Filesize 1.4MB
MD5 5371509d9be912628fe3e6fb11a51829
SHA1 2962ca128e75632bf095033ca49c672786050704
SHA256 fb9bdfa0ced95e81fa6f248a3c078af41691a36f8d7b3fa46cab2894c4fa472c
SHA512 747ce9bcc83041b2fc07df7084c63395c34363038c2560b7b0fbda0ebb711b387240c94c673c79c7bdcd76bcabc26f008bc61f879b222b0c4fd18e4933b884aa
-
Filesize 1.6MB
MD5 8e99369d2b61b576c7a7d9e4572e8f17
SHA1 d7f47caf56f770193f17ae04beabe5afc637b397
SHA256 7153ce432bdf640fd36918b5f2446c2c52adfed99ac50b91b76254381ba6b6a9
SHA512 3afdcb4190616bafff2045c0a3ce04309bcf4aeb944354a2a3fa22a68e5bf9e6972a48a839972e36d563feccef22db2f32b20f8a83d1fa4a1cb49c8995c86394
-
Filesize 1.5MB
MD5 1bb157ac00cff0f3c055516e23b5ad01
SHA1 5ccb20c91af1d33cba9669467fa92644caa80e83
SHA256 994f65a08a21d29fa8e55d5d6e1f0e48009ba978c40e2dfc9f969176ec410e53
SHA512 2b85b659d2eabb883eecfaf89adbbcfe2e030d802436949e9399a936567c0d12bcfa3aa8ccd156d253c74c6d3b5a45f29ab0ec2ad13249073e9ab814127afa52
-
Filesize 1.3MB
MD5 39b179594351d1d994fb9225dbe83fdb
SHA1 12ef3a974323e66716a0fe6b1d32390f38abc5fb
SHA256 b15cfe1e095501e611dac70618ec16d8569d534ed0a52b50b6a6471d5684d0f3
SHA512 6ebc4cd8b8cbe1883d9e2e0c50e5237a80a27fed2c1eb4c9a06442eaa995450863cbea09695b6d0104b84ab354bf3213c9f7cdc1bf60d357fb3733dea22d4f5b
-
Filesize 1.2MB
MD5 127a1f1da01fe02063299d59b97b7423
SHA1 edd5766febc47187c794850eb9403345bd13440d
SHA256 ebd94469cebcf5fb0274def5f96d8fb58d11c75f91519f9fcc4035979d78d69c
SHA512 cede2bf9191ad96865555b6122b722a0513b9f5b1373e46ad3215bc304c9b136a228ee67ca3f586a83c48258ad56a15f23e8065d97a3ae151da1db9eb8476d6e
-
Filesize 1.7MB
MD5 1222cc7b5ce0fc4d1456e8f45757b892
SHA1 05b6fb8e05c85754503e7363a55e2ba498348d0a
SHA256 c9e6ae1e62cb93746fe039e92aad63203977147cc9dde7b3ca146dbd6950480b
SHA512 d421cb8cbf10727c6065f2fab150624e76bc08dd0ed2c192cbacc2e30d9d80295d517ec0cfd439fd3d8132f25e0709e301fe6b999e20509a98b13989f56df081
-
Filesize 1.3MB
MD5 7e9e6c589d30984b6a307dcda6c73d77
SHA1 a3a9f899dfcbe266fc734b19b78ef53272eb66fa
SHA256 91af8cc1c79aca5fcfd60b89f892acb697eb94bdd1018bb208ec5839d7156027
SHA512 bad5f37517c9b0a6c46c5105aa50672ac00da0142fd629910761c9e062b034935175cc5c791ba0694f54b6b4b73149382a0404209f2c997fd3f826029607bca2
-
Filesize 1.2MB
MD5 312fe6cb2f237161094d33fa43eea6ae
SHA1 eefa1be185d7a47caa0a737d5f87d152aa85c029
SHA256 bc778cf8a6aa102d412457cd520ac601e634955e295762c46532349ec0d90401
SHA512 1350b6c8ced01a06d4d73419c8577fc1d5f5bf1f755706b6d6e39505884a2acab6b56aae6014fef1579c8a82702eef68cef4caf67f31e0088994e6dacded165d
-
Filesize 1.2MB
MD5 afb181087393fd72643561d2de1e7fa1
SHA1 970a7aa3d96a2defe95baa09632614de44ab1277
SHA256 7883ca2f0f7db3f4eb28c358789be9b461ec4a10b0d0201db3e7ea096dc4f0d5
SHA512 af37dfe68877bfbe8412c7a86e714709c5b331ffaca8e0d69568a577efebe1d0507990419a9a3fdca39f93f7c4cabec520f825b12325435dbf780d2a2c768aa8
-
Filesize 1.5MB
MD5 45da022ba517547280de2c6f4d90d1f8
SHA1 81108eeefcee053338bb5fe2be0d77b54d772793
SHA256 77272cfcb552d4fe5dd5a5694526211b312cff3203b6174b9ab7e2fe27e7d8b2
SHA512 a7bbf2e8a3d85bd5f433842d4195531961ab11e15b2b065373c407c5bcb71c4bf1bf0b9ad7da0a67239f902210ffdeecdf5812a7aa1f5007a19c99d27dc99ba2
-
Filesize 1.3MB
MD5 2816144f939ff694169b0a2e0f3fd13d
SHA1 e19538262825e4dd7e97e120286288d1e8d93a0d
SHA256 88cb704a61d950b6dec562529314db6716b9d79ea71cb5775275a8c07d8f6e86
SHA512 bccbcb0a8c42cbfee152c9896201030e4b0c09ec82c639a4b9aea0f7921446d870873fa4ff7219f3148675b554c9c4f73b8f829e1a790f354730ff21945a66b8
-
Filesize 1.4MB
MD5 b7e96edb6c66eab92484d28d2111be98
SHA1 5779b0ba27aac3361fcda4ef64ff4b9aaa856c02
SHA256 13b8d3da4c0cb9043a68cadd12f6497e32b07765fa023972e6576344986041f2
SHA512 5aa84c9c3aa999d643d41b74ab1a81d51ae2483cbd6f57384d8e055064462a620ebd1fb52c0473691ace43929711748739648c190636ce161fef8c16ae6d5d25
-
Filesize 1.8MB
MD5 a61c05872c4060f44365b968d0b0c485
SHA1 e022d4048663393ffc75d54b3415dad169d0463d
SHA256 6d4464f90bcb77f588518c3c1f2204a12aaab44e617f698ec03fcbdb1da7423f
SHA512 948e3969fbe65ae0b0d81bbcf06bb6d5312bac8dec053747112cb9fe18acd37679368f0d6845efcaa2ef4b5f4a48d16e2897d9921d33d17700c95a1bac5573c8
-
Filesize 1.4MB
MD5 12fd1ed888c18a7e2f43870933a998aa
SHA1 e5cca56040f0976b9e00cf37ced891b102bc972d
SHA256 6824be0cc692b00fac350c2366cd3fdf75fc90a3d33d0724a8b16e547125795d
SHA512 40125623949239d01515c8cf9ecb193d6e7576ce7fe889f39d18ec0b3ba2f2aeddb1c59dd05d38263b5210ab45f6e20b501dda72df82f4270558a9c0d852f783
-
Filesize 1.5MB
MD5 c8ce4810836d4d02e87b046ea2050252
SHA1 fe2dd621ea99ef01cd1a724f280dcedeb5a2e10a
SHA256 548c713688f473f03715f60e18c61b906e8f1880f381737ec8ebbca1a316e9da
SHA512 853639b581a943fe3f8bcc1736a96586680b1a662f643c4b9138cb2e32ee7628a90d29ce9680d30c32c8f471023aa3eaa0cfbbff38bc5ab77c2c73768e92ec02
-
Filesize 2.0MB
MD5 6c963cfccd3967dc01bc6b672566d1f4
SHA1 771e7e8015ec7043ab1a14e55c2e50b8ce90680f
SHA256 7118be33ee1c374c76b700d4cc705fd1e61ce86afc7a05ef4dbcfc0b371f79ad
SHA512 e68221ba1db3bd3c4332fb8fadfd8dccb10c464f0ae016a753ec6329b9d177bbe693b1bff31eafea5f5d5938d69bbcaee14c24749b4183e21431f4682e3d3b99
-
Filesize 1.3MB
MD5 5c9aae6a03de6c574a2e5d09b43a3263
SHA1 74e1bfc52891a56c951cb82624d8bb2a02c35a29
SHA256 c9d4bc4f75deff8364bc1f10b4ea3ad9b6248078c5523f4a1e84ed60a65bbaaa
SHA512 7cf06a6ce0ead72dc0a384f8af7e96007a4ae74087f3a3375964c65d152b6ecdf41ef95ac962566ad38d7de48d431f3916d8721a58601eed7cee31ac64b2eefb
-
Filesize 1.3MB
MD5 9f546660ec9fed88fbbd4a410e6d08a4
SHA1 37c137f875c429d7a312107f42c52f6f399c453e
SHA256 646be6e03b428954ba78b106fdfec4db5e94bb1aeaca9e5a4bdd43f31738afa2
SHA512 a46b7e94e5a07c499843c33ca30394d39976bdc65c64a0d7bb70bf2e5540c6b6a315fe552d64f78c1b3dcf31032f6ae7adccf58c3ba1086670f63ebac7ff4024
-
Filesize 1.2MB
MD5 a875aa6b0aad5155f2288410f07b4674
SHA1 46c970dcae08a264e7d569a28ae9bbc16de42675
SHA256 e1059a2bddcbc9c9f1a9b3e9a4e57b1072940862b2bbf7e7fca5f84cf1d0470d
SHA512 504262d09b245df44ec3da6751635e9a41f4cea68adb5085b51ca799d9cc5beef3211d1f28833c25d898eb45e8d11d2470b9539a6f567f85e2a0280bc4b54c4c
-
Filesize 1.3MB
MD5 b219008efe5d6a934b1f1951f0abeb10
SHA1 272c337e645821852b92db9386ede718436964ad
SHA256 4893b514eb88d89eea13006d22dc48d0a0dfd017c3f82952dfcb9d2a90fc5b93
SHA512 2bbf262d40ffad7e9b455029e59bfe94940ed11099a143b62a147057431405eeb3aa1634c1e1e348787ffe07d7f3b5d2914623e13c1ddd19b678723f45a4fe62
-
Filesize 1.4MB
MD5 c463a9cb37e630b10d6ec33b3dd6c425
SHA1 fcc0191172e269d3d11a350cdb453d7db769f656
SHA256 a400ca78c65a77887c020cef8cffe5c3d1432e3df2f96bd9a8f8b76c3c480a97
SHA512 3f14b899290825e9225b5e581454cc1033ddac56abe513c826a8ee2d6473bea1517305a0218d096742f49811147fc43ab6b203da935ec3fcf5ed849d0c7c4131
-
Filesize 2.1MB
MD5 e3b0e9bd8546682fed97e64a5daa72f0
SHA1 7eed03876350fe9b9ba5738fc05d48a0da913b46
SHA256 2915ff9cfd9a84e13230fbb211bd9fde77b361659b9d2765538777e30b26964a
SHA512 bc1206f44e8f5e41d5d576c863f2360569b1b1209f8fe9b09c7b1df8deb4035b4c2fe6ce59cd566d320570c271bd5bc96db960c782a74b7cba59adbd9731de5a
-
Filesize 1.3MB
MD5 c97ae74ed64a382ded504513fdab2134
SHA1 15899613aed94fcface40b7bafda4a97976964c5
SHA256 ab7138e326740d760d2d9a826c7d6c7f6e238737dff2edce5153f45d4fee8595
SHA512 38ffafd5134c9e9061edf82862afe86c3d314310e6976b7e0dc7b9688055a1070cabde5a6b6a8bff280383c1948325e07a55fcc2444264cac798890db13f9b8e
-
Filesize 1.5MB
MD5 b78870029ad5a648c6d1498822c0e7e7
SHA1 48e5635a0e18b44922ff2f717d2915f99b430741
SHA256 6f95261e4f3002514a12106184fa1ae9c43972c75f79a2f3e24eb9cc4872808a
SHA512 d2f0050d0a4609be85beed63235b9b88fc905035d770e016d87319b328ef3b87253be2e802588678ac61d1ee2fd35738582e682e3518c7948eb3eb8220291cdd
-
Filesize 1.2MB
MD5 0aa81b95b196a6b951606dd9d0656773
SHA1 76a48491e986b87f8f43ec5ed3907313369da12f
SHA256 4c364bb24cb40aa3534cf5b8be8ee9c0bce0e5b7077888cbb10844e5d1cebc3a
SHA512 e8d03eb051f713f945d45bbf8098d5899675c1adda10578c703838d964313b5fff0014dd4bfbe9d086d17dd638f8e49b5f248fa30dc295b0f84341db78d51d40