Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-08-2024 08:51
Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7-20240708-en
General
Target: Quotation.exe
Size: 3.7MB
MD5: 8873846b9663e1fb72778a220667c010
SHA1: 1a10dc17e957cb85d9ccdde65f262077d438b68d
SHA256: 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
SHA512: 85fdab0152ea521e9d366358c1d19a0e65673ca1121736d8cbc5013d69b5dbb465de7afe10e6bfc1a24bfd6f50c5549aecbb94ec0a2c93a98ab6585e39d035f8
SSDEEP: 49152:IrasJSuxF9rdUbJ2wMt7QjKuBQucLjaVd1JScFItNYUy3U9ATAP9nPLM8wFVEkb7:WxD6vJw3YUSHAPa9fn4c1d/prj
Malware Config
Extracted: remcos
RemoteHost: 23.95.235.18:2557
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-E0JKXE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
1860 | alg.exe
2980 | DiagnosticsHub.StandardCollector.Service.exe
3560 | fxssvc.exe
2944 | elevation_service.exe
1676 | elevation_service.exe
1552 | maintenanceservice.exe
632 | msdtc.exe
1928 | OSE.EXE
388 | PerceptionSimulationService.exe
4288 | perfhost.exe
2388 | locator.exe
4104 | SensorDataService.exe
4896 | snmptrap.exe
2360 | spectrum.exe
3968 | ssh-agent.exe
1968 | TieringEngineService.exe
764 | AgentService.exe
920 | vds.exe
376 | vssvc.exe
2628 | wbengine.exe
2928 | WmiApSrv.exe
5072 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\76a1dd6826e8edb0.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | msbuild.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | msbuild.exe
File opened for modification | C:\Windows\System32\msdtc.exe | msbuild.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | msbuild.exe
File opened for modification | C:\Windows\system32\spectrum.exe | msbuild.exe
File opened for modification | C:\Windows\System32\alg.exe | msbuild.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | msbuild.exe
File opened for modification | C:\Windows\system32\msiexec.exe | msbuild.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | msbuild.exe
File opened for modification | C:\Windows\system32\AgentService.exe | msbuild.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | msbuild.exe
File opened for modification | C:\Windows\system32\wbengine.exe | msbuild.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | msbuild.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | msbuild.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | msbuild.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | msbuild.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | msbuild.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | msbuild.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | msbuild.exe
File opened for modification | C:\Windows\System32\vds.exe | msbuild.exe
File opened for modification | C:\Windows\system32\vssvc.exe | msbuild.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | msbuild.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2888 set thread context of 3748 | 2888 | Quotation.exe | 87
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | msbuild.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | msbuild.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | msbuild.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | msbuild.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | msbuild.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\chrome_installer.exe | msbuild.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | msbuild.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | msbuild.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | msbuild.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | msbuild.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | msbuild.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | msbuild.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | msbuild.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | msbuild.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msbuild.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc54a78b9efda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051f67877b9efda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096739978b9efda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a68ef277b9efda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000781d9f77b9efda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fccf7177b9efda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048c72b78b9efda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
3748 msbuild.exe (the same entry is listed 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeDebugPrivilege 2888 Quotation.exe
Token: SeTakeOwnershipPrivilege 3748 msbuild.exe
Token: SeAuditPrivilege 3560 fxssvc.exe
Token: SeRestorePrivilege 1968 TieringEngineService.exe
Token: SeManageVolumePrivilege 1968 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 764 AgentService.exe
Token: SeBackupPrivilege 376 vssvc.exe
Token: SeRestorePrivilege 376 vssvc.exe
Token: SeAuditPrivilege 376 vssvc.exe
Token: SeBackupPrivilege 2628 wbengine.exe
Token: SeRestorePrivilege 2628 wbengine.exe
Token: SeSecurityPrivilege 2628 wbengine.exe
Token: 33 5072 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5072 SearchIndexer.exe (the same entry is listed 24 times)
Token: SeDebugPrivilege 3748 msbuild.exe (the same entry is listed 5 times)
Token: SeDebugPrivilege 1860 alg.exe (the same entry is listed 3 times)
-
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 2888 wrote to memory of 3748 2888 Quotation.exe 87 (the same entry is listed 12 times)
PID 5072 wrote to memory of 440 5072 SearchIndexer.exe 119
PID 5072 wrote to memory of 440 5072 SearchIndexer.exe 119
PID 5072 wrote to memory of 776 5072 SearchIndexer.exe 120
PID 5072 wrote to memory of 776 5072 SearchIndexer.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe" (process tree level 1)
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" (process tree level 2)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe (process tree level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (process tree level 1)
- Executes dropped EXE
PID:2980
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (process tree level 1)
PID:4036
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe (process tree level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" (process tree level 1)
- Executes dropped EXE
PID:2944
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (process tree level 1)
- Executes dropped EXE
PID:1676
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (process tree level 1)
- Executes dropped EXE
PID:1552
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe (process tree level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:632
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (process tree level 1)
- Executes dropped EXE
PID:1928
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (process tree level 1)
- Executes dropped EXE
PID:388
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe (process tree level 1)
- Executes dropped EXE
PID:4288
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe (process tree level 1)
- Executes dropped EXE
PID:2388
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe (process tree level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4104
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe (process tree level 1)
- Executes dropped EXE
PID:4896
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe (process tree level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2360
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe (process tree level 1)
- Executes dropped EXE
PID:3968
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (process tree level 1)
PID:4444
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe (process tree level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe (process tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe (process tree level 1)
- Executes dropped EXE
PID:920
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe (process tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" (process tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe (process tree level 1)
- Executes dropped EXE
PID:2928
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding (process tree level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
-
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (process tree level 2)
- Modifies data under HKEY_USERS
PID:440
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (process tree level 2)
- Modifies data under HKEY_USERS
PID:776
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 c5e26d828e49e9d4b8c77cea31f6bd62
SHA1 7f0a81cd76b75ec84bd5faa1e588b0cd7d38e767
SHA256 5de8656c84541cf04227e137bcbcc5165bc539a0e11ef31dc450232cc3ffca29
SHA512 6974d81851c9195924540ff4cdf423f6d12d9d9ce370d38f6ae4cccb4ebc924be7dc0ca7f42d7886b027f9bb19e2c393963e6df27dca2e1208f38cd8324e7f1d
-
Filesize 1.4MB
MD5 be143982b4dae56dfcda28aa31b66b19
SHA1 9ad60a5e17dfc688430b884caef2b7d16d1dcd75
SHA256 238bf5f273a77a74e534326784eabb2c463be213c65c407eea156487757f1c45
SHA512 daf512aa66b147de569f11a058056240f8c900c71e3d6a7cd048013278694895aa5102ffd0981a3d4c4afeba5c6450bd394f52860c0729c002a44b01c7ca9dc9
-
Filesize 1.7MB
MD5 9f0eeec75e07ac07ca15e65f8b8f7752
SHA1 532243d957bbf18e82dd1031e19c706425f9c728
SHA256 7b6383933b1c66c3dbd583c6fe8147f49fc3124fd381a4b693a9fdcc48cfd495
SHA512 0de0a4e5762bff6ad079d8554878bdcd64a2383d4cb4d0574f26315dbd9542cd96d69de6936df45c0dd9f6167fd6bc591d2847582c06cc0074c39f52273dce3c
-
Filesize 1.5MB
MD5 4a41549f92902b42e4caef0fbebba0f8
SHA1 5489be7bb4ad8f0596197065e0317cb9206e551b
SHA256 044dbc9ac0f8b533d8d2261dd8e4d91a78d7e632f123faa95310c68985ac3496
SHA512 44f584618eea4489f3b67827df423bf227e8fab3dec06a1eb35e2e4ae1f732ac594a256e75e6b7cb5e6eecb940f47369da24a53f9d2a43d73d26a71e4c27725e
-
Filesize 1.2MB
MD5 9e5fb76fdd81ce87d20ff16feb9d296f
SHA1 8e70fe791f506d2e1dcaabeb8fb734d85c510083
SHA256 ef6322927ee1deec384edc78321b7695f1fba7722527f357ae772638b7afaa38
SHA512 d28565756a4dbd4b87036ea0530574f5425d4b79a6e8fab1bc99c9ad660a80375cbd5a37df24de007b6d8f3aed56e512de8ffa67ee3c5c721f26327330a3fc14
-
Filesize 1.2MB
MD5 7ecdb9800378a94d9aaed27b602d2e92
SHA1 44982bdb6c7c23286c7f1f6481f7ba909667c20c
SHA256 b9662fc2b5f384ce994c81b9cd0acead29de03db7a69079ce32adb5dff466cd8
SHA512 f931a1e4d8cdc96a865d85e9b8be22405d4c72502e36c56d5076bda4eec38de3840a77f8646e7001ba4842424534b53f70bacbdb634999fb4af2584c5b31cde2
-
Filesize 1.4MB
MD5 36a7ba344b79c64460421d8d07c9d579
SHA1 1e0aa85000a2cb32df05f0b397b6bf696e6791f6
SHA256 0e42a2d039c6a26c2ac2efff0b1b00db0eb306bab7607aad7039ac706fb35ee2
SHA512 0fd7028301fe3014fe6a6bbe887ba6d3dfb478997d9a37129950747e81e89e7d58000ddf56de2c8cf3c4d3e7ee73ce61f710ced6faab76a2d89021abf981fb5b
-
Filesize 4.6MB
MD5 1ea80555e05fd8b0cd24c9135b26fae2
SHA1 23eea894fb893447beadaf3e695d1df6e591c0db
SHA256 9e84d9a99846f455ed20597762c49351480660a73f99f687bf8de7ce01d2f612
SHA512 f388c49ceeaf9c38ad54fa57d86eb4d81ec6e1395e6ad02edcfa5f9961f30d4ea8a4eed41a418cbd6ff77a4c588be0e35749446cea6739abf674a1b9e0c5939c
-
Filesize 1.5MB
MD5 0b29aafa4a19a3a748d038a2eecc9d5c
SHA1 13567a55bf422c9069d09f72dee68adc8ee34b74
SHA256 2775ad0183d02e4ad9c69af748fbf616b0915275b5d3e7b2036243a4f76f2a04
SHA512 e87262083f41968062e5a07e5183f7896d279bd469a5f8c0e2cf8bc1b690f97f8ae56006f796ab5260d6d53e71bdaec2647ad4db3382de1624368d052bb6f85a
-
Filesize 24.0MB
MD5 5e5a17db844e71851188b54d9fafcfd1
SHA1 be192abf6b84ca36a78ef85366e7815a35b3ab29
SHA256 74ba3b4dc19d341680f519e5239acd1708bc694e3111ef86009eca650ba72676
SHA512 4e93a60ed68c50789302d41a7279c935d9884febc333478f995cb89651c63dcedd9bd4367d777750eae52114c460b2b308de5b9de704446197363addbb514aaf
-
Filesize 2.7MB
MD5 ffae23fca224065218b1b5f325c4e830
SHA1 6d855d745dfd3dd2a1201c3162f45cc04844fd65
SHA256 4e512de2243ce4c4d3bea7c79b126f4901bb24df26d9e6d8159ab98e21c78ba0
SHA512 bd7d9da25a17a153f303d362e2eb5238413431fd0278f4578cfefe9bbbdb3f8e8eff0a6662dbd20c3949a872b88aa4fd16d738bbdb16b5a5aa9d35b8b84cce44
-
Filesize 1.1MB
MD5 e543160d1abfd1b7016549d61e1430d6
SHA1 794031b45b7e1a8fbc629e8cba0525f0ea9186cd
SHA256 205c69b9973aae6528d7abb74bdd5c95eca89f27cdae00957f53ff8cd1c4042c
SHA512 7fde4248d696e80c3d4e2235915719569b13fca40bcb5fdc12bc65e5a166a2389a2693e11b25e613ee31621795ae66acddb8a7ecf44048205bed18293d231a16
-
Filesize 1.4MB
MD5 b47d73e171f15160fb36875c01481964
SHA1 1697c5cc72fd7c4a492d8dcdf1c15053afd5edc6
SHA256 6393ebf6b3cc8dabcd6fc47c96b5547b6c375a3fa62670ad71acf0647821e219
SHA512 39218e7ce0a4ccc003ceb7bc9c880112d3822731dd51b4f498e7daef4c56a10297a135ec995113c05a7f47dbc25090a3445bfbcb86611db89bf94a966421a889
-
Filesize 1.3MB
MD5 d3adc0bd49e1c9fd8fe8bb1702a805f3
SHA1 b0754a372b139ffbaef9d1494d94307d2d0ce85d
SHA256 d542b502657bce1715378e547c30ffa11b25cfd223e884c822991b0622d18317
SHA512 7cf5187ff69b9c1afd9f0126d4445664ebf9674275df334bd324e8c34cb62516971f4cd552ffd58b966e406e0fb1099b7de3b0dccffad6525c26d87cfb111371
-
Filesize 4.6MB
MD5 203f1aa8b6fd6f0a0b083077dc31b35d
SHA1 7f4069324c107515a3360d5398f4d6d06674f55f
SHA256 c7a9e5a87a4d378c9540dbc004ed2e01a0715cd48fb2a0bda6cf1e3204c7039b
SHA512 da7bdf9b7b613d6d83e91fd2e20cbc928c696b4f3a8e9a96a4fcdf8718fca71bdfb52f515e0269eac53560ed83979e7b92d75267c8db948d23fae622637bc46f
-
Filesize 4.6MB
MD5 d6531121f424e8a585b10540c24314e6
SHA1 2c5bd01ac47ec0d58583599fa90a3977136c1163
SHA256 d7499837bcbf9567e24baeeae5aac0d8ecb36d3593e799ff782b4a11c7651fb5
SHA512 1572236433ec5052e5b7f011d74e10d3ea835d5ffee7dec68da095201259588e97eb9e60f0ebff309798caf9204943261326480a63622b9361e4babb8974a46e
-
Filesize 1.9MB
MD5 091c7818b1f8fb29c59cffe0bdee1614
SHA1 0fa0c5699bd7c9a4f8fa991b87e56934edbf71ac
SHA256 e1d1e0f2ed22f6ec126a2b7843a21e8bc58670fe40737670fcee6f122afb53b9
SHA512 1be75ee74f9c225e44a14157bb39c4056c83fc99514d088f08718cda5013c05bada0bf4fd9ede1dff3332b509c5beb90ac075c2b6d694aad554f4b339eb7af2a
-
Filesize 2.1MB
MD5 b3bafe8b4e9c7f58d322dd650c6fc966
SHA1 dc906ac13df9a3866f0beed45b96eba327d6d991
SHA256 9ceb36a620e873a6f49e7c29ee1dcde3bd0c86546c7ada14367f6467b61cca4b
SHA512 81b0679e42b49e6a2af65b2b46b156de458605ac35154ba9e5debcbccc8f0683bbada6bfcd6873a5898034df26c1a313ec2a803dcae10963f7cc5f5ade592bd4
-
Filesize 1.8MB
MD5 6b6962873d70a7cf01967c72e3a96574
SHA1 7aef13640804d590163338ca98619fb2198d62e1
SHA256 b7f0a4bded8d7b6ae47b28751396d3a924dd8ba811356d47dfc34c377e99256c
SHA512 34f433d942e0201342f5fa86f8684531f147d748bcb0c4af68a65507d1b1d246d943badcd2948ba592f432991442ab3819989cd33236c55543c0440a4df8dd86
-
Filesize 1.6MB
MD5 7aa952969cc3ddf9e329687de6bc18d0
SHA1 50d7a47f73037eb12d02f9b0942c8b1f94d6f7c7
SHA256 00295fd28015cc737b34760f7880fc187b25ae874353a1c172f84a65d566066e
SHA512 804cbf0c615522bbb90f516024db3671228f6965704b59226a117c5ec23c59b64a6e4e6d9d55e942e7afc8386d37a182be77ed1c68bdd34ce219e68ec16df8a0
-
Filesize 1.2MB
MD5 25202cba07d247f57253a5cab3913ceb
SHA1 0530d53b67af0327386e88d05a11f5b630e51aba
SHA256 5772b007fff7eda489893e60beef11ed1333e1545cc117f838915b4fef3b7499
SHA512 2e015602e827a99cde53342b2a5baf628ff56b664f27527d14dbc8cb06f55fa401024a7220f5c1fa07587151b6a8efa672e7d83f0aa412ad1bf055bda77291c9
-
Filesize 1.2MB
MD5 545c8c026f6d64786071ddf6fd39c97d
SHA1 36142c9bc56dfeab097deeb8745c3cac26cdf8f6
SHA256 300de4fe8abab89dafd810d43410098e1369ae764e3580830006345eb2e38ebd
SHA512 b6999dd8361197cb87ae53bc4024fac72cf63fd715e41d64e2b4ef02d525d0db6c96984dfb2fbac31bfc60c09a9b18e6f12799e55d96976c8f26863798caf9fe
-
Filesize 1.2MB
MD5 d9573ce22ed114b57427908b1d9fca82
SHA1 6b18813a5308dff516862942253490bb5cd9480e
SHA256 c2e5c42e2bd2bf9b79829f3889bac7d458eaa1b96addd0002e776a47a093f35b
SHA512 a3bfd89ecd755d7e93bc4b635425b39468a53ef86a8016b4729930a474f5b1be57f819d45634afd2b4ca7bd1d7dc51315ed46a590ee17a4419378ed4fb50d178
-
Filesize 1.2MB
MD5 28dc23f411437b1a9d77f3594332a8aa
SHA1 beba56a9f08c0ae3500be615e540cfca6005f09c
SHA256 33f058df4c5145a866c512c1c16d973034c5047a774e0f59c9b5b4f875ddf56c
SHA512 a7079904520518fa4249ff3360e1ddec9eb9aa7b2a919dc253efd798a29b0479b8871735079d9a0aa735ce3208dd3452a9d53236a2a78b0b884626b742291e19
-
Filesize 1.2MB
MD5 998ca61d58a269c53644bad92c5e398b
SHA1 65ac50abd115dcff253b0b6d69e8e22474a11405
SHA256 98aeadf4f2b8a9cae5bea2555b088e79c6ea850f28c644da392496880eadaea4
SHA512 541e0c01b0787e424848b0774d084baf8f943da781c5684d4db64952428ebb168f8b88b77fbedb7f685d28b80dcc810ca33726033b794631bcac58a8a7ab168d
-
Filesize 1.2MB
MD5 006f1e1c57b190ade6c8bb41fe5f57be
SHA1 f22b3d4323f98313f641ed6d62ac4d47ef39efbb
SHA256 538566ddd4884c5358d1ae373351ae67993680208374ddec673134311e0f53e2
SHA512 d74e3ba85a4a2bc9ab0142aadee85d89c6be5c6d542e9e0aa66e8c92490a84afd63841cbd05fb9ecfe2f0fa46b63167ea08ed3d34e79e23e9e9e160674064f31
-
Filesize 1.2MB
MD5 416fb1eae03faa3d8e44fa1f345d5e0e
SHA1 f86dcdb5b163760881279d605906ffecd16c3144
SHA256 83ab6bb53e6d7feef2b62e6d64363c98c99277de2511f697ae3d0dc2726dedfe
SHA512 14761c14ccba51258776889f85d3049aa4b7bd0ac9179501759c9ed4a1155f88a968c6d1f3cce935e77043fbf90df4eee4fc0e6de9ceef81a4df5a05f98e2574
-
Filesize 1.4MB
MD5 73a179c6016f35f136ad404d1e45677c
SHA1 a3bd42933d5832ff63da52bdedd5b157c1df5377
SHA256 f0bf3826d5d7566dc60cc377f58cd292ed3f01ae41e727a5c32e175b2f66e0d7
SHA512 b2424d965e3412447ac3bacb274259fa4f9464e381205bbebea50a32b4e0458a91facdae85d574c2b52ff3b34a0a2bf74a48e4b9ed59d1154264591677bb6fec
-
Filesize 1.2MB
MD5 d119899de53c23ac9c5ffe183faeb010
SHA1 3a4c57410d247aa7872bbd06f3fd21c097532cbf
SHA256 1e5e41773ea9430e30a15620ef0abbd46c6b2395aea5fce6a7bcffbb71160202
SHA512 dfff5d2b1fd79e38db91c9d42c0af9b60d7bf20511a2890588d0075df96fc9c379b71f1973d047df57a35dbbfa6ec15122c4d55406e9fc6439f6a87f9647f06b
-
Filesize 1.2MB
MD5 148d9fa3762c8847a28e7cb2bf9e6b74
SHA1 b650ffc9499e8a39da0b7cae91548b7a1b65b23b
SHA256 d1b78ccc92b5b3053041dc42df5820b30701ca21a74e4845250bae33f256c988
SHA512 21401655ff59238162b95a0390d8b3151d24c9dc452fe11c60bc472b96d156313b8b4c699b15520112ae68b716913f5c5af1cef0725c803f6681cc2735e881ad
-
Filesize 1.3MB
MD5 5eae31fb72d7cad15e86a7c54e7d7f4c
SHA1 03ffb1bc981a4bafd8f88c3e37bda72a763d4782
SHA256 ee11edb45df3693bdd55d131bc16b9a43ddb2c47faf1e5dbb2f558639ff81bfe
SHA512 ac44151ccc5a635ba7a16bf421942cb08b423c8aa34cc335de25089e7b1842b6bf325ef5a80ff3394557595dacbe849bc64c85b314c273ea5961a4e6627becf9
-
Filesize 1.2MB
MD5 e27957b684487098fd6893b0b42e1569
SHA1 1be3e391d63518e6a92aee87441615b3d15f5df7
SHA256 daeedc38970b5635684b31388e04a60c580ae34accb96b0645d3a23f26343481
SHA512 abe0abe537cd2b1aaff8756764ed73f164808c4f43e2fef118c162c6d2bc269920e4255655afcff4b8e5e3d10f4a44f5525707d4329a2279edcb204eb433bde8
-
Filesize 1.2MB
MD5 3554dd637f2775c6d500b2b9b63c7d08
SHA1 dbeb74a23a519a3e6f27fe9388a8a944ce203b97
SHA256 ca658a70a6258945053e488274c0afab0512489087eaa95172ae8ea909b79bf0
SHA512 9afc059186b57a23927be03af1ade0b2bf603f16495dcfcd8f5abcb8974087247eac8b046100f631761383a6a07cbf850bc0def62fb84de0231efc56075feb87
-
Filesize 1.3MB
MD5 6a6b9e28747c52a2f4cef34659a32acc
SHA1 4798ab6d19f722a3dd0a03b2bd42200470a2bd98
SHA256 1388d2d471001aa1630667dee26dacfbd4919e7554cdb7a37393a4d2f6f79ae1
SHA512 e5786d059bcb7a79b977ea04eaac2c922f4ef29986a7ae094f56258cd81dfe4b8f6eb4cb61af82d2fe4bbb4424df21ccc2df07d7abc6a7edbb8fa732a56d1273
-
Filesize 1.4MB
MD5 bf495e38666ed7c6476ddd7c14582021
SHA1 d97f5185bef5a1e9c7e746ab946e30deca02eccd
SHA256 7a2eadb24b12fc4f2a357509e48d9c22cd0d0eb01382f628bc7a4d348ad275b2
SHA512 d8c2a7b1843be47a24d29d5da76865aeb66dba9e3e020ae819b41456be5a917d44f8e37ad975d8b5b309d1a169aa4e77cf5d89e56450f6e91d85273619ddc72c
-
Filesize 1.6MB
MD5 bdc9f305c2749ddce57c138e6422b4b3
SHA1 1944ed5fad6e0b7dcf784beb856187dde93883a1
SHA256 47e951e43aaf355cdb16a42880c5814bbe31cdffa05daa506ed74375acbc793b
SHA512 7ad5b6fd408345acea013e72b5d9c09bd31a9469db32831a71d1bc6ee7ed2ccaa0106e4c802c95e4681d1128ea8806f76cff7e51ef11bd03e4c049d2e01cd500
-
Filesize 1.5MB
MD5 94095c4198c8ccb5a90fc25333ffd689
SHA1 3182edc80241587db01008243973ffef62112304
SHA256 779277ae2a9deba4e57474228dc127d4f924f4a7e5b0c8be2e91760549b2905b
SHA512 cf4997186800297ec91eeccb3a7203ffe06aaaf762bab001472579b2d6c802e218935700c0254e6d2776c777b118c35d2ef630a11ee4ca3875781452746f1e5c
-
Filesize 1.3MB
MD5 5eab4972c8a435e0097288c5800d94cc
SHA1 f1818df1bffaefe1b6949c457a57442d6bbb4fb6
SHA256 a965d9314b07230ce599121636c170c744e2cce97747b6733650098ce0396b3e
SHA512 a949a608ae89e7e127c06e9ab7535dd5a6ea447d2b04ea78e2b2b8436cd42281dc5bf9cee4ede9958ce6f8f2245575829001334d159b3084afe131f641fc9a0a
-
Filesize 1.2MB
MD5 4c1c8fa55a307a0fe8507074ee215c20
SHA1 0163ce66edb5f95845a0af319d631405fe03ea02
SHA256 1e5d08eee34d539b3b96b501852b2af18d1d25d9faf9572d0579a28ba87cdcfc
SHA512 cbcd95d4f7bc4e0c88c69f5c0713d36e44efbacb62b3fc4afa0debb055e8c3c88b289ca82fdea7931d8eeb053c545d141938f491b2c13eca7b137eed4df03ac9
-
Filesize 1.7MB
MD5 f93035f05f334dccf8bea7dd5dacca8f
SHA1 02c50b897e150f9b2b1d852de6cdf9ba236b86ce
SHA256 bb610ce7e6f7ab237c51dc912fac25baf375dc7086732abd327a043dfd2aeef4
SHA512 3697bc08f9bf6df262d1ba8c39422d31e15a621b4b20c4e3a32a7a8d68d016b3b1bb273e8940372e08ed49d902b29632ee76f7923954d765f09a4a9e9f67ab01
-
Filesize 1.3MB
MD5 c64fec09ae5d02d9053e481ae9fc2c23
SHA1 8aa8e53c97e93e70fe2c63ba7436ff701d5d2d7d
SHA256 684d0db2e868791c1079b3617d339586f3379b09152b9b92c937377d79190e9c
SHA512 2db422ae4ca528ba814b71f929dd3f4840963b0cb421d94b83bbeda5c69be54b1e7f594124991eafead07994e3412fa3d67dfcf10bed9cd1d7647d9a590b61a3
-
Filesize 1.2MB
MD5 6bf0b3b1b337d9259d2d166c9fbba24e
SHA1 12366d1d1da108cd5f4d6dd3b88d53540c8741f5
SHA256 3d9eeb8b54907c271ec94038bd446f4a9ded8fc13768e6d2d4c60fadba1d8335
SHA512 4be22dc798dab59b0ccea4a26a50a0a8fd504b048b1e7b9e5e856cc818e64acec0c05b1256e4ccc7e28e5b8115fab0f2e51e91b492123eb5378be0653f296521
-
Filesize 1.2MB
MD5 1044c6c1e88e2df8757afea681682f2c
SHA1 59a24b3e91a1a9eb2b6928d75fd4c21a3a84a5b9
SHA256 8313002a45da6afdf8fed3e2f8f883652fe5d0165f7af55417885cd1fd835000
SHA512 d0fc6b3d32b3732d7d4f039423e74890e268c50fe3359ad9ac33fef8110efb1e144f75ec2018e6a2db1504da2c0e5a6177ddf6bfad40296677c9059f7181d407
-
Filesize 1.5MB
MD5 68a2f4402b1f7c3bfd0ddd298c291eca
SHA1 358af7901cf8a41778b5272b4c413b0a9c298039
SHA256 d2b5b0ecc4e1c17fa26ac834665ff84c7843bda0ecd78fb2658ea3435f7a7a1b
SHA512 fb98a4af2105e7f55c535fe97a977c088a056031fb224df9dfdedeed12d166dd712f2397ecf34b4f1a51f5e387000d8a91f2005e5f316fbc35442388931f5978
-
Filesize 1.3MB
MD5 f79ed5fc935d97f01a27d8abc412b49f
SHA1 a4d8a675ab928f33911b9925b02a1ce17fc30556
SHA256 1e23be6adc93d4d68dae60422ff0a5ec8a6fbc0167df89f0bd44d3c12b20b094
SHA512 30a5ad32ee6091032dc8f1a6413f766d5002f3a649f72272ca58b1e26484780174d7635cc27022541f2428d9939a34adafeb8e3deb8de0506ffdcd5e2b860c1c
-
Filesize 1.4MB
MD5 aa56150d56c88b899b3c3cd7b0580a8e
SHA1 91d8c999d595933905c95b0571a862131c0faeab
SHA256 c7e0733006ec51d8aa5f4d2a54bcb56e73059b2d6110635172f8a90c59f75e3d
SHA512 d0054519b42d45c266930c1983eff96a8c641a236fce9de256962f203aa33465129fa0e6a67ab68a938354f92da56805e99a63a10a78d4905bc9bace431c1668
-
Filesize 1.8MB
MD5 b97763d20c4c04371305bd803014c8d7
SHA1 37be0d624578d9da82fc9056e442a0782955cb3e
SHA256 0b041f409db5dc088d42e2546a21b7d55e33e011a6ef817eabe213593e6678f8
SHA512 21442aa1a98385fdbba9a090dbf83a9f00c725497234700911f516f75108fd3d10e5d807ce75c2668c4e5b3fd70763befec34ee4146aec37fcf1cd6ceecf547e
-
Filesize 1.4MB
MD5 84326bb64de19f5e0ece4902d5f8daa3
SHA1 66d9e17586c492ef0d19edcb9f619606541797f4
SHA256 b876f34e55e22bc0a5253c65966d1ab6a50a5c3142e930c61501f6ab5bd5fc29
SHA512 be35783ee76f428b4af3d18014221d2d320848b8c05634668a2233e54cedfc4fdf4301bfb5fa04c8ad3b0224b340cc67e58243dc4df63cf64f43080a75aaf53b
-
Filesize 1.5MB
MD5 eddbfcf64437d3d8c9c641473166a295
SHA1 f622b4d7057b5b8ca342d33d1350145ccd58627e
SHA256 44e5655fe46c72c9409825b1a19f56f4fc040f74c561061c24aed56f59bdd9e9
SHA512 56d0c043eb5b27064ed1d8e46c52dd57292f7b4c7580997a64c925e27d0bbce695a031765d01cda11c7fc9e44f2d383cb0a2dfb4cad7c6c053a3f4b50a266b52
-
Filesize 2.0MB
MD5 59ca4578ea74e7f639b52d150ce731a7
SHA1 163f25260a64098c6c1ee0a40fe125636af755cf
SHA256 c98c31415f2d7f51e1a9cd15c3068aba76312ae81606886bc65f330d99a3f99a
SHA512 02fe5fb98149cc900a52d542590719ebe4e3b316aa6b01e3a2d0c09d5da01e5e8391bd7b14ada5ac7d674c24f6e187b134e624a401c389eca2c3f8adee67fe1f
-
Filesize 1.3MB
MD5 6ca2ac07fa3f945e20b77c06ab8fa942
SHA1 fe1e3d65b9fa219b7cccd5b4139a8668956a8cfc
SHA256 0e12e7f2c911da50f219f57e759dcd695a700503e96eca3e74c62d698471e2e4
SHA512 0ffacedb4a8c890237193e52cdb6584d41696492582aaa29b6bd5ce0a5dba9c27973bce730447a267bb7100b9b704e90f0a18b0a3ea4dd3754aea72250d6f804
-
Filesize 1.3MB
MD5 79ca0cb2d137d4153fbfabf921c76a9f
SHA1 bc1f1460e3e3daeb0d6b93bced4dc4d15b070db3
SHA256 ea5aa18d53fa8be1c126fbc91601ae2959787bd988ee88aed2b96b18ae143d88
SHA512 a603af7dab96d4658e5eddbc0b2d4612e129f5ec7f5454cf936a7120ec941854acc19eabf828babe4b264f7fd2fb24a5d5b3cd5ce1205374ba37c57a08ef842d
-
Filesize 1.2MB
MD5 f676d2c83c809d71743edd8555972c10
SHA1 0bdabfe67900e64af002a78efb43e4a2d3eb6496
SHA256 7c90647bd249750608aec1e76a2c1b97069ab1d2ff06829435c75122b45de764
SHA512 36e99749250feb3e33750d21066747924e1ae9207f7715e2418d217dd8ccdcc87fcd39e66fcf833dbae744c6eae9954ac16ec1d5e7ee5eb33100d49a34a53740
-
Filesize 1.3MB
MD5 e6ebbe97d6051e3ef75155bed75ff593
SHA1 c85b0cc8554462172d857bbd58c6c7c49379f4aa
SHA256 f6c5bc7a2c15872d2cf4569ed27b5c08e808d3e6d386623ed489f588040c6da3
SHA512 a20f6291f1071af1e608ce42462094f701636556200f83d605a66ba0a459fe27bd900f67ec55f85e214f607accd5bd9c8c0da0cbff538b838191599d96ebc23f
-
Filesize 1.4MB
MD5 6b40702dba7c9c39226a1d1f8b922c44
SHA1 aba45099988435aa67b19725d44b8f6c523ca49e
SHA256 81aaecd53bedab0af0d2bd3284c74a0c4c0a267076019afb52c928c8fd3c694c
SHA512 aedfae0e441469a77adf8f0fe5d7bf16234f4df31d12130571b6e0891fb8b2e6449d8a38b9b62b5928b11e284e32357224e08b82154a994732758b59cf9ff715
-
Filesize 2.1MB
MD5 554939babd14c4cb116f8e6dbc391bda
SHA1 3e78e71ffaef163998fc49f18cb1ec3244339a6b
SHA256 36cf2c281b057e7793b915f88f51393daee1126f0ca969fd0823c4825d8d12a9
SHA512 f09226b4a24482e728f93aa6dda0578b4b2bbff2a136c3ddae3f24b17c9d0aec6a04b8996cb212be23c7c578c1a462dc82d75506acc745d075450ddc97f0768c
-
Filesize 1.3MB
MD5 447cf55363fdf2b417d12cb529dc896a
SHA1 9c4d07d33f0c94fe11fa314a0dd15b0370f442a3
SHA256 8f40c34cbcbd28cdb5a51aca54847f140e7f06da5b6c57719cb5097e50b9a32f
SHA512 836d99dcf6f880772950bb636c180175fa926f677aa064c3c436c3702a075d233af307e3188c2e85bd48bb41e237cb179cd0b818487f31367929a962680d3cc4
-
Filesize 1.5MB
MD5 49edd1ed12296276baaf502fa72fede2
SHA1 1353791b3b515fd8815c76479c1edceb9932aac8
SHA256 47d9b49ec67c477b30cfa5c1ada2438169fe080f27ccc17cd3a3804432be20ad
SHA512 ea407ec875a29a9e130ca543af44f2a7848824bfa76b323b39e916406a2c22169faec28157944135c190e76a7ee4f2ea9c3b4450f0802fd9cd608a52de0491ce
-
Filesize 1.2MB
MD5 6818b5f2fb8788fe98b0a1e767333bec
SHA1 49377615b05131f4e88d524a6e01267327fc5435
SHA256 00c6fc6e1f23842e30df72da0b3f42ec6ce4644b1f30ef6fcc0a1ca00776b76b
SHA512 b9ac6b4c25223df0aa15da92f43e12ff052423aba33649e37fde1df2bb56ae417dc2ebf207119ff9ab5d47e22ce1453a65a0864651041893e115c9b2897d198d