Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 14:44
Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7-20240704-en
General
Target: Quotation.exe
Size: 3.1MB
MD5: aea0e096d1dfd0e4408d822f828f72e3
SHA1: b69ce5621a2259c671e51f53aa88521d18dadbc0
SHA256: c6474419259677bfc2d0972306eea797f3decdcf610cf8444aef2f93bf664a31
SHA512: 5cd5d8d81f0e306278e1fd9810abfa36f5ad429c31d908a7b6de96f0bbf63246bd291ae5d926ea1179474b747df2beb019da354afdce8d6382e8383320d377f3
SSDEEP: 49152:uCVOkfUWQZSZlnphMfeuXcHDb31Ux0fvSH0eLnrhtdDL8:uCTqSZFHVG0SphP8
Malware Config
Extracted: remcos
RemoteHost: 23.95.235.18:2557
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-E0JKXE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
1836  alg.exe
1300  DiagnosticsHub.StandardCollector.Service.exe
1800  fxssvc.exe
4236  elevation_service.exe
2444  elevation_service.exe
1748  maintenanceservice.exe
3140  msdtc.exe
1692  OSE.EXE
4272  PerceptionSimulationService.exe
368   perfhost.exe
4404  locator.exe
3516  SensorDataService.exe
2496  snmptrap.exe
3584  spectrum.exe
4428  ssh-agent.exe
4536  TieringEngineService.exe
1792  AgentService.exe
1160  vds.exe
4032  vssvc.exe
1944  wbengine.exe
4052  WmiApSrv.exe
2856  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)

Drops file in System32 directory (31 IoCs)
Suspicious use of SetThreadContext (1 IoCs)
description                         pid  Process        procid_target
PID 464 set thread context of 4208  464  Quotation.exe  98

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  csc.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Runs regedit.exe 1 IoCs
pid Process
2992 regedit.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4208 csc.exe (×35)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4208 csc.exe
Token: SeAuditPrivilege 1800 fxssvc.exe
Token: SeRestorePrivilege 4536 TieringEngineService.exe
Token: SeManageVolumePrivilege 4536 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1792 AgentService.exe
Token: SeBackupPrivilege 4032 vssvc.exe
Token: SeRestorePrivilege 4032 vssvc.exe
Token: SeAuditPrivilege 4032 vssvc.exe
Token: SeBackupPrivilege 1944 wbengine.exe
Token: SeRestorePrivilege 1944 wbengine.exe
Token: SeSecurityPrivilege 1944 wbengine.exe
Token: 33 2856 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2856 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2856 SearchIndexer.exe (×24)
Token: SeDebugPrivilege 4208 csc.exe (×5)
Token: SeDebugPrivilege 1836 alg.exe (×3)
-
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target
PID 464 wrote to memory of 2992 464 Quotation.exe 88 (×10)
PID 464 wrote to memory of 3280 464 Quotation.exe 89 (×10)
PID 464 wrote to memory of 4048 464 Quotation.exe 92 (×3)
PID 464 wrote to memory of 4040 464 Quotation.exe 93 (×3)
PID 464 wrote to memory of 5060 464 Quotation.exe 94 (×3)
PID 464 wrote to memory of 4224 464 Quotation.exe 96 (×10)
PID 464 wrote to memory of 4208 464 Quotation.exe 98 (×12)
PID 464 wrote to memory of 2844 464 Quotation.exe 99 (×3)
PID 2856 wrote to memory of 408 2856 SearchIndexer.exe 130 (×2)
PID 2856 wrote to memory of 4124 2856 SearchIndexer.exe 131 (×2)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
(indented entries are child processes of the entry above them)
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 464
    C:\Windows\regedit.exe
      Command line: "C:\Windows\regedit.exe"
      - Runs regedit.exe
      PID: 2992
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 3280
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      PID: 4048
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
      PID: 4040
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 5060
    C:\Windows\System32\calc.exe
      Command line: "C:\Windows\System32\calc.exe"
      PID: 4224
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4208
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      PID: 2844
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1836
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1300
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 5088
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1800
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 4236
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 2444
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1748
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3140
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1692
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4272
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 368
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4404
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3516
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2496
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3584
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4428
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1896
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4536
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1792
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1160
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4032
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1944
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 4052
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2856
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 408
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 4124
-
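The WriteProcessMemory table and the process tree above together describe a process-hollowing chain: Quotation.exe (PID 464), launched from the user's Temp directory, is the only process that both writes into other processes and calls SetThreadContext, the pair of calls hollowing needs once a legitimate binary has been started suspended and its memory overwritten. It writes into eight children (regedit.exe, cmd.exe, aspnet_wp.exe, ngen.exe, vbc.exe, calc.exe and two csc.exe instances), but only csc.exe PID 4208 goes on to drop files into System32, Program Files and the Windows directory and to adjust its token privileges, which marks it as the instance in which the injected payload actually ran. SearchIndexer.exe's writes into its own SearchProtocolHost.exe and SearchFilterHost.exe helpers are the indexer's normal behaviour and should not be flagged. The script below is an added example, not code from the report or from the sandbox vendor: it parses rows in the report's row format, joins them against the tree, and ranks the injection candidates. The 58 table rows are regenerated from the per-pair counts shown in the table so the block stays short, and the list of user-writable path segments used to separate a Temp-launched writer from a service writing into its own helpers is an assumed heuristic, not a field of the report.

```python
import re
from collections import Counter

# The 58 rows of the report's "Suspicious use of WriteProcessMemory" table,
# regenerated from the per-pair counts in the table so the block stays short.
# Row format: "PID <src> wrote to memory of <dst> <src> <src image> <target id>"
_PAIRS = [  # (src_pid, dst_pid, src_image, procid_target, number_of_rows)
    (464, 2992, "Quotation.exe", 88, 10),
    (464, 3280, "Quotation.exe", 89, 10),
    (464, 4048, "Quotation.exe", 92, 3),
    (464, 4040, "Quotation.exe", 93, 3),
    (464, 5060, "Quotation.exe", 94, 3),
    (464, 4224, "Quotation.exe", 96, 10),
    (464, 4208, "Quotation.exe", 98, 12),
    (464, 2844, "Quotation.exe", 99, 3),
    (2856, 408, "SearchIndexer.exe", 130, 2),
    (2856, 4124, "SearchIndexer.exe", 131, 2),
]
WPM_TABLE = "\n".join(
    f"PID {s} wrote to memory of {d} {s} {img} {t}"
    for s, d, img, t, n in _PAIRS for _ in range(n)
)

# Process tree from the report: pid -> (image path, signatures shown on that node).
PROCESS_TREE = {
    464:  (r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
           {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}),
    2992: (r"C:\Windows\regedit.exe", {"Runs regedit.exe"}),
    3280: (r"C:\Windows\System32\cmd.exe", set()),
    4048: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe", set()),
    4040: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe", set()),
    5060: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", set()),
    4224: (r"C:\Windows\System32\calc.exe", set()),
    4208: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
           {"Drops file in System32 directory", "Drops file in Program Files directory",
            "Drops file in Windows directory", "Suspicious behavior: EnumeratesProcesses",
            "Suspicious use of AdjustPrivilegeToken"}),
    2844: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", set()),
    2856: (r"C:\Windows\system32\SearchIndexer.exe", {"Executes dropped EXE"}),
    408:  (r"C:\Windows\system32\SearchProtocolHost.exe", set()),
    4124: (r"C:\Windows\system32\SearchFilterHost.exe", set()),
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# Assumed heuristic: path segments that an unprivileged user can write to.
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\")


def parse_wpm(table: str) -> Counter:
    """Count cross-process writes per (src_pid, dst_pid, src_image)."""
    counts = Counter()
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, img, _target = m.groups()
            counts[(int(src), int(dst), img)] += 1
    return counts


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg.lower() in p for seg in USER_WRITABLE)


def find_hollowing(counts: Counter, tree: dict) -> list:
    """Flag parent->child writes that look like process hollowing: the parent runs
    from a user-writable path, also called SetThreadContext, and the child is a
    binary under the Windows directory. A child that then drops files is marked
    active: that is the instance in which the injected code actually ran."""
    findings = []
    for (src, dst, img), n in counts.items():
        src_path, src_sigs = tree.get(src, ("", set()))
        dst_path, dst_sigs = tree.get(dst, ("", set()))
        if not _user_writable(src_path):
            continue  # e.g. SearchIndexer writing into its own helpers: service noise
        if "Suspicious use of SetThreadContext" not in src_sigs:
            continue  # memory write without a thread-context change is not hollowing
        if not dst_path.lower().startswith("c:\\windows\\"):
            continue
        active = any(s.startswith("Drops file") for s in dst_sigs)
        findings.append({"parent_pid": src, "parent": img, "child_pid": dst,
                         "child": dst_path.rsplit("\\", 1)[-1],
                         "writes": n, "active": active})
    # Active payload host first, then by number of writes, then by PID.
    findings.sort(key=lambda f: (-f["active"], -f["writes"], f["child_pid"]))
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_wpm(WPM_TABLE), PROCESS_TREE):
        print(finding)
```

Run as a script it prints eight findings, all with parent PID 464, with csc.exe PID 4208 (12 writes, active) at the top and the two SearchIndexer.exe pairs filtered out. The same three checks map directly onto EDR telemetry: a cross-process write plus a thread-context change from an image in a user-writable directory into an image under the Windows directory, with any later file drops by the target raising the severity.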
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
e86e01635e6bb8dca778c304f2921016
SHA1
9012db42891c34c7ff9684915cc67c93eaf27a29
SHA256
7152a3b7d9169d3d513267d18d7cf6a600994dc39ae9ba4208a98e8a8651915e
SHA512
11e8d4a449413c0c4cedc239158fc3572b4eda9f179965ddf49a1b551c79854c71abdeb901a658c54100180c8579a8be3fc6e963f48eda96e360c30bbea8fda7
-
Filesize
1.4MB
MD5
6536ffd5eebbb9ed06ebe3e689edf217
SHA1
8ce64d6a978abeb681e8ac4ef865061a2ef8d425
SHA256
8e37811dc3e857f464200c774e83c78fdba7018b6bdc36695f1ed2f6b777ac8b
SHA512
d241353fd7698d812eb2a9da95b563e84a8508b7ce0c3caf26d0deedb5c8c88ed67a6c0e2f3f3c9c644a7746fd429dc48ddb0a5123641d1add4e5c4c014678cb
-
Filesize
1.7MB
MD5
4b8c8fb82ee2f7f197e71b14bf5e201b
SHA1
056c1960879239863da9047d93c3d6310af5d39c
SHA256
bda90420c3d6ae60fb7059fb915cf26f6a11387bcf8b4d1326e94c659c591276
SHA512
9e6e8c4410a12fd73709a527b14f0947a44ceea8b8b68bd877d135e38e344f68a5bb3dd78e4b818154bf76f48b1057201ae4875a25cf188fa17f95f9bfce06de
-
Filesize
1.5MB
MD5
5227766036e4f36c666d299b42bff956
SHA1
dbdeb1bc8d09c28f2bae49d43874ad2480e7ede5
SHA256
c9dbeced3ebb326de11aad7c55e2f793f5db0e5f85121614fa7cf79e5530083a
SHA512
301c0e8abaa496dd14e26667e6d26e1798e8eb9a7dea241ea16ccee666fe692462ab68700e8a4c52b6569f25c8721b7d5c62456af8ee28ef94cd14720c4a12b2
-
Filesize
1.2MB
MD5
0679f231f737a61767041556fc74740f
SHA1
78678738189b63bd2aecc6042d5dcde25ef31781
SHA256
a5943182396ab8fc42b79d381367094ceb682284d18013963c30538b6b2b6080
SHA512
d01bf70f891e2d9ade1b072111bb775c1efb0b9f16091642ce8b25eea2119ffd9d86e2777331d841e2e61a2733728dc47725e5b4ac863c3651a241925531d1de
-
Filesize
1.2MB
MD5
dfba81c3616fe01af6b1f343324eb96b
SHA1
f05bc2d7520e69ed35d7a3a68692c9c4625982a5
SHA256
ae2e3ddccd8bd1ca0a34a52c0518dc36465d22dcccb459d1f31d81a91c1baa7c
SHA512
3c2a6cd0d3c5fd2200938dbb70b90034f9a3a651201554bebe3d0437e6c0e5210ba53be0c08669190d3ad50e419ec13e4403096f271423013ef517134e370eb7
-
Filesize
1.4MB
MD5
a21ed12c84e72d893f6333fbf1088365
SHA1
6edde7ce23798532c6b8b35ebe4dd2c22edb6d09
SHA256
8d5d2f0b2c01660e87cd080db80423c794dab3d64e291b1947ce9e3a3b537efc
SHA512
c5b6a8f45871d119993020870cb9afa6f5125b600a60bd7c0325d5f9756226eea859f4d3625b4d574aa43d7604b619ba32b569af1f2f127d4982ba97a2be4057
-
Filesize
4.6MB
MD5
c5b20842332b0597ea5366e12f1e14e2
SHA1
dc14a9d1a576de6fadc23e88e59f061e40b3c784
SHA256
36cf432dbd35cbc1385733ea4b9440fe98e7365acd0e4a2208e2ed159bbadcdb
SHA512
4b10f5b1a84ebd00463947d10ec9618696fba50eb547b23aff82a029b16bb0a8e3534da1f75ee962279b3aa4b78725c6c64813e7598792af07cef2f20aeb21d3
-
Filesize
1.5MB
MD5
b4f4ad42538d322cc7e2576cb41ffd4d
SHA1
478351ac23e05f57f3d4a785d2615cdc8edcb282
SHA256
ccd21593cf08ce3636dd3dbb2e7b518462ace297746b27a1130099c2b4e40c19
SHA512
dd128418886021d78ef69e0745d104c1c3bba894d01179aaebdec451175ff5d405b2ae0a32024bf71c8f8ed8e58606a76e83441a1b5bd0b7207600a9aebf167c
-
Filesize
24.0MB
MD5
0e633670a4d38214690038cfea40a507
SHA1
950245b6cada95acbafee55ef9ca914e63154ccd
SHA256
a29c4cf169387aa35f021d13328f4bd3e54e320fa83c85fdd62f44056c48101f
SHA512
accd31be69c4c0957150f972b8e79335c8639fde06e205be77c7c6b4a7105976a85c967d614e533baba8bf304b111196d5859a079a35f70b8d4f914d421f3cd1
-
Filesize
2.7MB
MD5
e84cd80ddc20bef400f964dd145f8ee9
SHA1
c5924ecacfaa3159cef48050865c45cefaf498ce
SHA256
6b5aad861b5520846b816d76f36f1e5627fd4d1bea1abc1b7f529d16956beff0
SHA512
f51ffc07a63bbabfce1069164d3ac81f5324f1cf3d94fb4f0c48e7467b2a9d45fdf797dde46a6840b6f55888acae7a4e52bd002903f573bf3cf4b4c2a72b2293
-
Filesize
1.1MB
MD5
c54fcef0f069f4a8f18c5e21a037a067
SHA1
11dc9e9a83c1b2d0625686407314c303714c959f
SHA256
7e502bd1292f76a34834578f188c565fc30a558754d175f3f243530f91620bbe
SHA512
5201c209178fb90fec318ee36b60a82bc261e9c2610f0b5d27d0b3b68c6b2f5774ca3536ffe3edeffe416179b4966bc9704802be024b4d55caafa095a4b9d0ee
-
Filesize
1.4MB
MD5
ac1c2f65d951cf75487a6f665199be13
SHA1
fd732eef74ba2e29e84f0dd57345c095655eefc7
SHA256
0d463658ccb6c160f4532ec629ffa24fd0c77656d6828313c3f0363272585f71
SHA512
8bb5d5c28b28c94a8e95e81ba21970c53e814d3414546cae07ec80d8bcce9e5c5322d9004f87e85f07d7b0d9dc9ebeb10ab88becefb6797d5b56cd0629b30a70
-
Filesize
1.3MB
MD5
f0c891ddd0309bebf187ec1e2c23e9ed
SHA1
6ce0df3f49c914d9b18cfb0e49f2672709d5f87e
SHA256
e1f42b189eb1ebf4efe568af0306fd20b788b03ee4facc78077728c098388ba7
SHA512
b2153be96bca9239a7d38f1a44ff7991ce104c5c5097a6c5388079666c8f5ef09c9e043d7a2e16773274dad6d389195a3b62ca9f56d306db92bd95281dcea849
-
Filesize
4.6MB
MD5
2fc812a45d80c9a5b8ce99b20226e9ed
SHA1
6c83a1493ed1f0f457e02a8e6bd94dd2f4e873f7
SHA256
3b0cc1bc07d595d6129e8a94c3b85c2e660cc2a083789599258cfeb8da210c84
SHA512
d8adea141deb90aaab9b4a19a5fc25867dab4b7b5c06cf3453a5d709f4b6d62e608e8a483e85d9895d4d6cd1d78d552dadf2adf11977d67084817da5edc9d8e4
-
Filesize
4.6MB
MD5
92d0ff5c98c0cbd57e2c524108404f64
SHA1
f67d422ea7ab0d9d77e777ae328198f2b769333b
SHA256
f307c84329325f0a4fb31969f207978cd0a63f40f428de53573777ba697c856c
SHA512
39178b0ec672cc6dcd23372cdd94e7d288aea860ebee95ee8bb945b03fef05dcc3bd39cc7e8c9f3743f3610108b2e076f920de365aec5204ba0dec3d4fdad3d2
-
Filesize
1.9MB
MD5
41b706822336660c56303c96ec6bf8c5
SHA1
1cef81470a9ca108ceb501dad985c1abb74ea3f3
SHA256
db4412303dc3907af069f4f3cc8044dcfa92bcbc2a6fcfabae2ddbc25693bb39
SHA512
a2fd42303ba173f1cb02b01641cdf24df914ffc555d3f451366ad0ccceab7f19173acce4380739284fcfd6ae3ac40cafcd059986ef24b26223b4f745f78bfe51
-
Filesize
2.1MB
MD5
2cb9709869362d6a21b700e3eb0dfb93
SHA1
ac3213d3e46c0b7da03c4681aa311219e4292b30
SHA256
4d4df88972b72487548c9006d369e6dd17a5a1151063ed6d73e9cb80332ddcfa
SHA512
d81fcfafcfcfacda936fd19a3c125d062c2a2878d5fe551a7213386e31c8acd25ba560753b93d7a197b16f69d3e2110c8ac3113086c7ee7b256b651782e5ad7d
-
Filesize
1.8MB
MD5
75373b91b60f8ee1899f4a7e8ce52152
SHA1
81c63cdc5149aa75391ba229982f73e95ecbccaf
SHA256
ad8bc3d2c4b6afd7fb02300312567ec9427d7412c36ab82abbf1af5799a7db15
SHA512
3ec6082f1b8db0e425a000086b96a3206bdd4a4f6b184363027b212a3e6ce9a2799386b29dbefc65b0cd087e4aba7853bcb76d31eec3fda2768653489b90f042
-
Filesize
1.6MB
MD5
fe0868d1037fac2de3be0c65a8468523
SHA1
e4e6cf75888e1e81b4eab95632effde77adfa0fc
SHA256
37a71e34e2b443f828247b2f5cc4020512b3560d092584684430a17a8a26f514
SHA512
f88b0c6aaf611edd98fc9a6920f0e7e1f730175a860f175c712001342394ff53312f3f35605263587378659c259b6a49cd3fd54f6149c77fb56932fd1050554d
-
Filesize
1.2MB
MD5
bd7bcd06aed18ef254c51ca266a8b837
SHA1
3ed928e22e7274f455c08fc0a5e3614b7ca94d16
SHA256
600ad3c79e30dc178a7f1e7b744412d8c9d16fd6c4ca056aedc6f693805f4af9
SHA512
2ab28823b4987e73e8fa6fce41df878517713bef1f4fb6292da114b0466393ff44da16764631cd8cc7c37c234180b4213c5b66cc01c8d0065a410942cea42496
-
Filesize
1.2MB
MD5
255d621e6b0d191f7759c75a067d0dbe
SHA1
db2ec0ee1919e847c5d28594825e5919f6083ae5
SHA256
7bee629c77069295036925f609d91b4870abc8b270b3247733f3b40374596d19
SHA512
1f12a2509f70113b4cf2fa76dc47157a0263c53be3b951301b5fe7062c2e7f323fbbdfab3b57f1cd52175de1c91fa353f4465841b66031f625f88edacd018546
-
Filesize
1.2MB
MD5
993a7ad2529eb9c72e0a587880745786
SHA1
0f5ab7868ec8d8d3ca7a56c4272438f219471f01
SHA256
a6cf571e604ef118a3c87ae3746e17bad397b5f2897f25fa414062137654ac5d
SHA512
96489d279979fc8761fdd828ffdc9acc818f811189a1b04e9601935a9005056991e3e4cf200821c46bb5b2541999068a8f64f83029f9ffb4b543e5663403189d
-
Filesize
1.2MB
MD5
543068b493038f8c56da5ab59e647ba8
SHA1
7fe06b5a5696eb09169a5d7f38fd1aa5a62351e9
SHA256
95cae63fe3649e15e46d276a265e22f05fbddfdf1c88ee320d666c5c814769d4
SHA512
fb54cb66c383ba2c1346203bc3571754a60b660ed36bb425b43b6de447c718ff324993376c099fef362f0de2104688580c4078d5c4109f68ad5520cf2e6c1d70
-
Filesize
1.2MB
MD5
5d8dd80d39770ccea09a2d866958feff
SHA1
e4ec247a1c554712f14fc68d07f82f80157cb050
SHA256
63dbc6a9c382e4103daabcbad17efbf98da5e599a1ca9d0bf22fb7d7b2ee9203
SHA512
f3b73b463adcc4e75df5691e6718123a2c21b72d56364b053fc2371bb49d2f45e402aef5680fde7392f42704288989f8b67f98653aad6c95d417ae44753d0a06
-
Filesize
1.2MB
MD5
0241a3ecfcd251d39214cae8bda8a6be
SHA1
65f58b56170e39fd5299e7cda1f11f866460b82a
SHA256
f48462218d9797f3cabf7b1a2fece6e6e05cd0bc42eb04d9378f9674c999f8d0
SHA512
f290aa729a14d2a9398b61656f47a9fcc9b196154de62fd90f7fa49e02b14400bdde499bceb54034d279b91a94f48963791f4754f47a61a4ec79f0ef5f08bab2
-
Filesize
1.2MB
MD5
a59e2d9e42caa90643bd4d6211ce4c75
SHA1
3d50821f3c436b57d5812372bda8be6bf3012793
SHA256
0cd26c3a12e5bacdb387d303e76563c785f472b8ec95aa2acf0992044bbbbcab
SHA512
7e283802e6e2a045ae30bef228efe107df502b783810b4c777f5c45f0e1f9bbe9e148b25491831731662507e92f3f20924446c7481a0b6ac8861ecac4b57f04d
-
Filesize
1.4MB
MD5
681add281c2193655ab54cedd7de7ed0
SHA1
587901e8c27b5dcbb3b70a62a701e6e9af93a396
SHA256
7ff2f96c7d7ade0d641b595d533bf96a423b3233e77137dafa9b39efb9661388
SHA512
821ea6f66123dda9f5ccf7935cd1b72f2e9e81884904bffcd87341907e6ee2d9572bcb0d042f5e4dc979df2258ac117663433194334ae23b28b590a8dc559804
-
Filesize
1.2MB
MD5
cbc02a5a1afe316f85f5fee66e51fe8f
SHA1
9df89caf504ddc1a59206c422a62b7d629077b90
SHA256
56e82d7ca02254a69a25bd797fae7fd2b68f2dedd8abe55e02eca5784f340928
SHA512
f5724a162dca3483c59f1455a61ba93313238982f1b99243956158390c36884efc1f28df2a3363bea2fa869c9f0b9099d195f86d2fe1957b3a8bbe4defdcf13c
-
Filesize
1.2MB
MD5
f664d19ea049bbb6584f5fd1c9254bdb
SHA1
7dd248ecb59c388397b53edd938721fcaa8ee4cb
SHA256
288937ad23a269ee13db122444d7dafb369e6ad76a36976d453466c98f938555
SHA512
01438769053150b0206a74e83f1b9b408614e772300ada987974255342ad8ac52daab362c09fb7dd399af4d0139ebce8097c981c8cf4d35a85584cbc06fa5f9a
-
Filesize
1.3MB
MD5
bb1df67b2f0fe2005913d7c139e76b82
SHA1
fb5c559fe393ecc116912c246530795b45305cef
SHA256
66c9010223f4559ee9a6b93aee464f79b8e83c1a037630dc833bf3de9b3457d9
SHA512
45a1c07b1d65dc4f680505f236c2ad5fbf7ec31f06ccec53a27f2523ffe3fef06fdc2a7b791f8b72eca2e0899a57b398418496a8a306956ec9131932af31d902
-
Filesize
1.2MB
MD5
ea8b81f2e656c7b877a9fb218e8c7d3b
SHA1
92a7fc6397d6155a36b109addaa4669dfdd50c9c
SHA256
4113cac80cd4263e695e0ffabb3828aef1904f45a52dc52749ec40b699c854eb
SHA512
6aff467c06a514342d4c07e33861ee1d85e71f522aeda189b05ccde3dd3016efbfcf670505c67e1230a5decde3fcc116c36b3faf29ada378e7f4b965f3e9096e
-
Filesize
1.2MB
MD5
c7c914a8cdecf626010f91a61537fc2a
SHA1
677eb8cef617a69880da8cd3f65d57715e15194f
SHA256
0a24a087d26ebd743e3eccf745b8832cf6f5caddda60f5e3dfd1617651cd4462
SHA512
c5617400ff14cd9aa22344f16ddc572edfb2fb0986eddfa06128385a786a227316bb7dd10139a2fe668f102bd69aee6683c75337a240b9968d4b594506ba7c13
-
Filesize
1.3MB
MD5
e210668d79ace0f907a0fde217e98417
SHA1
ed738732d93bee16d6dcce4feafffb2ec127dc9a
SHA256
2b425ca00fdb659f5896e70b03f5ba1e9ee796cf57bb53219f2815b21e354956
SHA512
1a8f0dc889c4240171ad33203b9d9b44fe1565482522a0e93b7c0dc9f54df6fddf8e57341dde14f130ec1665fdab6ce4c9d10466ae4ec985fed722f10415d937
-
Filesize
1.4MB
MD5
544d78598ef4423e84621bb54e2b1755
SHA1
707ee5327cb3859363e102096bbe38cf807064c7
SHA256
eb3f5507789dd075b91131b32fdfd294434aed771f9b96214e593d2c72b651a5
SHA512
d74c3b7a3fa5383e4696379848baf3b85dd013b901be9f8f1798fda3e842e4d97a957bbcfd8940d140ad905de6cab0fafc63a0004974b94d8104ad6a1479958f
-
Filesize
1.6MB
MD5
6a11caf3689c25006ea022d49461ae76
SHA1
dcaec542f0aa5da8702cb6c524e28a081208e486
SHA256
78cd518d2c1422592fe6ff110f9f5aebeccbcd67ad36db7c27ca49cd7f9f01e3
SHA512
3afaa8fe72715662230e7748a27456b8407d4b48b4458441d87612e5dc7756c98f37f53ab1fa14711d001c0b270e3e643e8fba0cc4c92d06010e64faea77b3e7
-
Filesize
1.5MB
MD5
ee2c2f910b53cb501ec94643853b084f
SHA1
016d91ee82bb50d9f179789bb1b2bb22beee59b2
SHA256
0899caf329618e6424126535cc56600e5193d7dbb2a6124bd055c13e04accb64
SHA512
8e6f1298221909da1b7a0b3d4556d7ef6c89e6773c05f5898894a7e1049764b3d453c935602e4ae585b5324f544e80f3ac5748b9a5263c4108452f4988082025
-
Filesize
1.3MB
MD5
ad33f5acd79c38db5fbc6007b878d3ba
SHA1
cb298f2169067ad4fb32c420cab188a90aba5491
SHA256
56b697e4a7c3da97b66cdf72f291e0337b8eb130fa77e68b2a60ace7fbe2a211
SHA512
ab0d5a34ea9e15891d158b10a575f5abb5de218344f7660cbe5df78300822ab205cfb58e647936a890050424cead0df4386f10d58cc8c7a528cd3afc25b3b424
-
Filesize
1.2MB
MD5
b0b681c59d6d828e762c407e5a552c76
SHA1
50dd84fb499ca33018076b3107ce0e1838f561e6
SHA256
13d31f99128fca647ce49d732fbc75caa13b9c072e29c00d9a45ca5377ab2420
SHA512
85c2ee6279166447b4ce2392002a122533f7d78c60bc8d274e6c8ffe7554ff8b3718e4b0fc94bd374735fb4bd9ba4011b705b2086f45b3deaa66492435cd4647
-
Filesize
1.7MB
MD5
9220e2dca0db96962bcc69791515bf8b
SHA1
f00f8c73c2fdc172def6f3787bfd927b62abbe60
SHA256
604f47bff393fa961d8584705ccd9edbb214f67a2c6a7f31be58a23b323cbb9f
SHA512
858d4cf30b92df72f34907ed48a8de6dfa0103277d549f69f5955dba00da0e1d318595681578373f5cf8b5ad72517d6f4c5b2fb9a7dc3a1dc75b180559e1b1fe
-
Filesize
1.3MB
MD5
17fc27018f1480a4b25ae3e39fa5e838
SHA1
6db2f17abb05ea8ed3cb6a73282673a3a9a8ad61
SHA256
d8bce3898686e0c0ec7866df4fd174c2c9c1e121c31c4d0edf7e50799d293dbe
SHA512
c84ab206846054146d082cad8ad44dbee273233397808bd143e4e611d63ec2c8e71df8423858073b3eca168812f78b506134443dada14ad3cf2f4b1ad431efaf
-
Filesize
1.2MB
MD5
4d3dcadb05ba77b071ac6ebdcbdd8834
SHA1
12223b90f65b2d39d93b9eb089f138a5f08158fe
SHA256
6b75cc9047e122cdd78433da36d894a2d553643f8880bb14be50f10a11b3cf1d
SHA512
a730992a270dc2a775de39bbe36117d8b783457ebac98a121cbd04711867badc391a02efab6a267c0fb427bbbe645ecb4104c7008f55a865b83d7603fe8b9a45
-
Filesize
1.2MB
MD5
8f99f29d118d7879584d99f545ad862f
SHA1
244db424138bb78ca000f1a1e4807445b577f062
SHA256
d6d812a22565131ec5c1f86d5b1ef2aa36acad2f69b5b2db70c382b5ecdd6d2a
SHA512
b9df4301efc6accc756c12b27f789a903c1346fb53e09c695df1202b17353d499e26c8e70f9f2b05c55675b2d6d6cdc57a77cff7c155edcccdd5870ff5b36427
-
Filesize
1.5MB
MD5
2f6868ca2555d23954cbb390ab802019
SHA1
90dd7b6fed60abf65c7bf36f447a6d29e688a9ac
SHA256
8be5e7c1a87a71c2c6c127daac462cca3d59963d44f12935815e82a69fc462e0
SHA512
9a6e2d78f900fad23296e967687dba859c3fe5c3d617368d8c22a56983c16c13ade2fead2f49cd8822b45b68b19ffd87e2d7158306800dbba0bd0e68b8220145
-
Filesize
1.3MB
MD5
9533947f74eeb87f261eef7a0b682e34
SHA1
88fe82183b6b07631fa04c3b3b3d897f3b51efd5
SHA256
0fd3cd7217e06fbcb9ed969ce583d12a72f2c698c177b94ea3e6745516df450b
SHA512
6c855db31eaf79d8ee8ecf17d22926315600910357f36933367229a94c66fcde1a513187b96c8c045bcf1ecf472670d77ef6b4f8c423ece3284a87e648df693f
-
Filesize
1.4MB
MD5
28407bfa069e52f9f6b50adea40bb56e
SHA1
71ee3fd39f006bef0003ed2e81646947ae0f0816
SHA256
1d0dde17d95854d9a1e6810261caa35b3bc9a59c64dcddab4515cc2a73af2ac0
SHA512
d0d62b0dbddfd9edad05862dfc5dbddfcc6fa051ad27936f3f6e8dc1f5fd56e70241bf178b226736c4a77d3377eaf8d3829b43ef6133be35ef907dd251e3f206
-
Filesize
1.8MB
MD5
a9108f8f6465507023e4174ef02febd9
SHA1
763890e77d7de5339064651f9f8292c6bbf8f5de
SHA256
6988dc74ef8c17057424c7b1aeaa865acdba7ba25a578db4f49c8c3abf71adf6
SHA512
c7fd1601366aa5e99dd24447baf8f4d0958364e578f1815a924d5b4a6b30778a9c8d13accfb55ce4b77c17197b9eda3ba2b219357a97701384da44eac7259398
-
Filesize
1.4MB
MD5
f356e0d1e96028d63bdfb98282c5a621
SHA1
386faa5a883b5c0d33499e73abf0d9cd63800f8c
SHA256
f6a5a5f6aa3da86b7f89dd8fc94525bb0f1eebb8d4ebc05ce7cfd8c3cc346d47
SHA512
396845a1d3ac25b31239006a2bc90c706abd17a821e899aefa5233cf9623cc498729a9f2d7d5d0e5c726b663d0b22158ff57d68e29434a732ca1a27db96bd296
-
Filesize
1.5MB
MD5
fe02b162205ea14de4fa3d2fd5e452bc
SHA1
9ae1c5e816ebd12395759f27d4cb6956027d3100
SHA256
09d0b663da90f7a75412a89822ad7c9538b5a1ec5bc5eaa0be216a78bf24c3a8
SHA512
b8a00d6107b70d4e3b5e9946725d16b4ad0f53feec134ebdf9150a5cb468ef0ecf0adbc6dee8b997dd14648abd2d4e749eed4a9f2ad4f04e1aabcea22d169e66
-
Filesize
2.0MB
MD5
5fba03cdd6c923feb727dae6073a0d51
SHA1
53d9980de5ef578b6e7aa7fa049a822082053180
SHA256
bbea98d152d58a3ee66bd4d8cd6cfc496434b935d208d61c73ff333e2f73682e
SHA512
0a930e9878ad5819f3c029669a4280fe307bbee5c69519a90d639d500097325ea0af7a26f2eaa0995d55e269dccc2679dc87918a3a0383f24806fc51f98f2042
-
Filesize
1.3MB
MD5
c906050352fb09f8fa8a1bdb89b45fa1
SHA1
ee4589bcdd8b9731b6a22c22cc49540021384b62
SHA256
faa4c7c5f8d0ae2fd8953f7edae4099bf66238b656bfa0f0b589b43bb3d8eecb
SHA512
02cfcb4fc4363658d5510d1b6343f66ce8cdb111b71a749018097e64283f5da9d5525a55f3c5080cb1c4b1117aa99d991bf791547969cb67bafeef31577ba71d
-
Filesize
1.3MB
MD5
bbdf7345aa9614f7bf42282bc79b93f3
SHA1
959150740fd14f12de4d9a1f76472ac19c90219e
SHA256
fa3c7b1fe55ad9cb19e9c3080555c914e8292fddff3ea831a45eb8b234351701
SHA512
749f72fe877375c70730cd5e8b4cc6e488d660e24854498dcdcf698aa394b742463fca2fda5ecd80830322d8e50aa3e0685cccc7d052fed6fd115812fe1ea5b0
-
Filesize
1.2MB
MD5
f9d0c8061d05d9e675ca9e46a80e95e4
SHA1
44c4e5057b4e1ee6fc1e720e53add2b56c60ff89
SHA256
b93e43730fc65e677432fba4394541d054b5b0a420e906bb18058e900f596768
SHA512
9886a16d34a7f5e398081b0d8e242a4be456fc475345257ae462be990ef75ddcc1aa0fa70ab2a685a6a379c24eb0665ce4171278eb295591a1619de0d78c0b1b
-
Filesize
1.3MB
MD5
9d02ed67ede5a12e55c857c4a0857efa
SHA1
85727c6e005704d554dd968832b20b8952c8b2f8
SHA256
b7bd41de9b18a514d9a7a46be3d325b171b695bafb5e6b6671cc6ce7bb168f36
SHA512
908763b4ce90a4f93305ec5ed51c66d44eecbf429da69d04cbcae1f6634a0a369473654b20b9565ef3b3fea3e4e7f65f30fcdd99721d8d518f88598d6443a2d4
-
Filesize
1.4MB
MD5
6acb982807c2ffe147726ab143a047af
SHA1
5ab9462b3d8e9643ff756f3059222c977eb9c8fa
SHA256
7055d7434165f3ad0b9d9d4ecec79f432ec6b28270857bf237cfddde41292716
SHA512
b7259a738ef7f6b3a9fc9a45115f8783e0d9f1523cbd2143113c29769af16e8545610ccbab2781a16ae833a6213c0001a36065e6380f1400976e22c98618db01
-
Filesize
2.1MB
MD5
848286432359d6a16f8e79217284887c
SHA1
e5152d2fc219092262f75f1d6455a055894598da
SHA256
5f6341ca3d1d5555b410153ac7e2eceeeebbe914c45c7a46ceffdc98f10ac75e
SHA512
9630bdc8022ffc54d61795f15f552f995e57bd341ce297a616c13f2b7863a8ed64fb83c1fa5cbfad2c531bfecce1eb45d14488ae75b2191ab257547fc8f52a95
-
Filesize
1.3MB
MD5
c5f54884bc004fdffdb4ab3db4d8d4f6
SHA1
f01d3cb02589b9c985021ee94e15061f1d5ab56d
SHA256
1ce573cda8d57041a699751501d6704ae73597361f9ac7e00d53f4f0fa175fec
SHA512
d3c69a663afa4c1e2c92853db7dde0bfd62ff33eea10b134fd9ba1d830ea5924841ccb3250205d3bc001630741974277f0586971accfd51bdd6584ae5039a762
-
Filesize
1.5MB
MD5
026a807a9ad74526fad98b6d0448e982
SHA1
4062ee9bf367a1c6afdab92cdc12fcd8fc15761d
SHA256
049bcc4e9f70f426bcc2e06c8e05e2d68f5e4af085768d96cd2d634d700f7dae
SHA512
6d823f90e0d84e03336d4e5b0f9f65f3324c445786362176072b6ee12dc281a75f1f14dc2ed7c197e8e9f2f792f9e81f7a00dfcdaf40323b5f524c3d0e924c3d
-
Filesize
1.2MB
MD5
28c791222ef1acd04db0a8a35d1305eb
SHA1
3e5e8cf621d0f3eaacb958f0afde586cfc2e46c4
SHA256
2ff21d0e47cf2b0fdf2d1696089e88ca55a1324fa19af1a91394ccd9c8b5999a
SHA512
1592389e4792f42a8f6b111e91049514a2694075ebd1e40729c94a28d99244a42e6b6a20938144ccbf0b1cb18ac7092b6ff6dd703e20f3af54be0c18edcb82da