Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 15:45

Static task: static1
Behavioral task: behavioral1
Sample: 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
Resource: win7-20240708-en
General

Target: 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
Size: 3.7MB
MD5: 8873846b9663e1fb72778a220667c010
SHA1: 1a10dc17e957cb85d9ccdde65f262077d438b68d
SHA256: 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
SHA512: 85fdab0152ea521e9d366358c1d19a0e65673ca1121736d8cbc5013d69b5dbb465de7afe10e6bfc1a24bfd6f50c5549aecbb94ec0a2c93a98ab6585e39d035f8
SSDEEP: 49152:IrasJSuxF9rdUbJ2wMt7QjKuBQucLjaVd1JScFItNYUy3U9ATAP9nPLM8wFVEkb7:WxD6vJw3YUSHAPa9fn4c1d/prj
Malware Config

Extracted family: remcos

RemoteHost: 23.95.235.18:2557
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-E0JKXE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
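The configuration above is the most reliable material in the report for hunting: the C2 endpoint and the mutex are fixed per build, while the copy, keylog and screenshot paths are only settings, and in this build install_flag, keylog_flag and screenshot_flag are all false. The following Python is an added example, not part of the sandbox report or of Remcos, that turns the extracted fields into indicators and matches them against endpoint telemetry. REMCOS_CONFIG copies the report's values; the install root (the report gives no install path, so %AppData% is borrowed from screenshot_path), the telemetry record layout and the SAMPLE_EVENTS are assumptions constructed for illustration.

```python
"""Derive hunting indicators from the Remcos configuration the sandbox
extracted and match them against endpoint telemetry.

Added example; not part of the report. REMCOS_CONFIG copies the report's
values. Everything else is an assumption for illustration: the install root
(borrowed from screenshot_path), the telemetry record layout, and
SAMPLE_EVENTS, which are constructed rather than captured."""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Copied from the "Malware Config" section above (the fields that yield IOCs).
REMCOS_CONFIG: dict[str, str] = {
    "RemoteHost": "23.95.235.18:2557",
    "mutex": "Rmc-E0JKXE",
    "install_flag": "false",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": "false",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}


@dataclass
class Indicators:
    c2: list[tuple[str, int]] = field(default_factory=list)
    mutexes: set[str] = field(default_factory=set)
    # path -> "active" when the flag governing it is true, else "configured"
    paths: dict[str, str] = field(default_factory=dict)


def parse_remote_hosts(value: str) -> list[tuple[str, int]]:
    """Split the RemoteHost field into (host, port) pairs.

    The report shows one host:port; the splitter also accepts a comma- or
    semicolon-separated list (assumption) so multi-C2 builds still parse.
    IP literals are validated, DNS names are kept verbatim."""
    hosts: list[tuple[str, int]] = []
    for item in value.replace(";", ",").split(","):
        item = item.strip()
        if not item:
            continue
        host, _, port = item.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"malformed RemoteHost entry: {item!r}")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # hostname rather than IP literal; keep as-is
        hosts.append((host, int(port)))
    return hosts


def build_indicators(cfg: dict[str, str]) -> Indicators:
    def enabled(flag: str) -> bool:
        return cfg.get(flag, "false").strip().lower() == "true"

    ind = Indicators()
    ind.c2 = parse_remote_hosts(cfg["RemoteHost"])
    ind.mutexes.add(cfg["mutex"])

    root = cfg.get("screenshot_path", "%AppData%")  # assumed install root
    for folder, leaf, flag in (
        ("copy_folder", "copy_file", "install_flag"),
        ("keylog_folder", "keylog_file", "keylog_flag"),
        ("screenshot_folder", None, "screenshot_flag"),
    ):
        path = f"{root}\\{cfg[folder]}"
        if leaf:
            path = f"{path}\\{cfg[leaf]}"
        ind.paths[path] = "active" if enabled(flag) else "configured"
    return ind


def _norm(path: str) -> str:
    """Case-fold and drop the %AppData% token so suffix matching works
    whatever the real profile directory is."""
    return path.replace("%AppData%", "").replace("/", "\\").lower()


def match_events(ind: Indicators, events: list[dict]) -> list[str]:
    """Return one line per telemetry record that matches an indicator."""
    hits: list[str] = []
    for ev in events:
        kind = ev["kind"]
        if kind == "netconn" and (ev["dst_ip"], ev["dst_port"]) in ind.c2:
            hits.append(f"C2 connection to {ev['dst_ip']}:{ev['dst_port']} by {ev['process']}")
        elif kind == "mutex" and ev["name"] in ind.mutexes:
            hits.append(f"Remcos mutex {ev['name']} created by {ev['process']}")
        elif kind == "file":
            for cfg_path, confidence in ind.paths.items():
                if _norm(ev["path"]).endswith(_norm(cfg_path)):
                    hits.append(f"[{confidence}] {ev['path']} written by {ev['process']}")
    return hits


# Constructed telemetry for the example; not taken from the report.
SAMPLE_EVENTS = [
    {"kind": "netconn", "process": "sample.exe", "dst_ip": "23.95.235.18", "dst_port": 2557},
    {"kind": "netconn", "process": "chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"kind": "mutex", "process": "sample.exe", "name": "Rmc-E0JKXE"},
    {"kind": "file", "process": "sample.exe",
     "path": r"C:\Users\victim\AppData\Roaming\remcos\logs.dat"},
]

if __name__ == "__main__":
    for line in match_events(build_indicators(REMCOS_CONFIG), SAMPLE_EVENTS):
        print(line)
```

The path hits carry the flag state so an analyst can tell a path that this build is configured to use from one that merely exists in the config; here the logs.dat match is reported as "configured" because keylog_flag is false, while the C2 and mutex matches need no such qualification.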
Signatures

Executes dropped EXE (22 IoCs)

  pid   process
  2888  alg.exe
  4936  DiagnosticsHub.StandardCollector.Service.exe
  3964  fxssvc.exe
  2076  elevation_service.exe
  3036  elevation_service.exe
  3404  maintenanceservice.exe
  3004  msdtc.exe
  1848  OSE.EXE
  460   PerceptionSimulationService.exe
  3372  perfhost.exe
  4832  locator.exe
  4476  SensorDataService.exe
  4368  snmptrap.exe
  3352  spectrum.exe
  4072  ssh-agent.exe
  220   TieringEngineService.exe
  3184  AgentService.exe
  2024  vds.exe
  1004  vssvc.exe
  3444  wbengine.exe
  4708  WmiApSrv.exe
  940   SearchIndexer.exe

  Every name in this list is an existing Windows or third-party service binary, and the "Drops file in System32 directory" and "Drops file in Program Files directory" signatures below show those same files being opened for modification by msbuild.exe and alg.exe before they run. alg.exe is itself opened for modification by msbuild.exe and then goes on to modify further binaries, so the "dropped" executables are the on-disk service binaries after the sample wrote to them. For incident response this means the listed binaries, not only the original sample, must be treated as untrusted until their Authenticode signatures are verified.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Drops file in System32 directory (31 IoCs)

  description | ioc | process
  File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
  File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\27e5eac3ffa85a2e.bin | alg.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | msbuild.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | msbuild.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\spectrum.exe | msbuild.exe
  File opened for modification | C:\Windows\System32\alg.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\TieringEngineService.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | msbuild.exe
  File opened for modification | C:\Windows\System32\vds.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\locator.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | msbuild.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | msbuild.exe

  Two processes do the writing. msbuild.exe, which the report never shows being dropped or created by name, opens alg.exe among many others; alg.exe then runs (PID 2888 above) and opens a second set of binaries, several of them (AppVClient.exe, SgrmBroker.exe, msiexec.exe, AgentService.exe, dllhost.exe, fxssvc.exe) already touched by msbuild.exe. The one non-executable written by alg.exe, 27e5eac3ffa85a2e.bin under the SYSTEM profile's Roaming folder, is worth collecting for analysis; the MSDTC.LOG write by msdtc.exe is ordinary service start-up.
Suspicious use of SetThreadContext (1 IoC)

  description | pid | process | procid_target
  PID 4256 set thread context of 4968 | 4256 | 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe | 86

  Setting the thread context of another process is the step that redirects execution in process hollowing (create a host process suspended, write the payload into it, SetThreadContext to the new entry point, resume). The report names only the source here; PID 4968's image is not given, and procid_target 86 is the report's own process index rather than a Windows PID. The later signatures attribute the file writes to msbuild.exe, which is consistent with msbuild.exe being the hollowed host, but the report does not state that link explicitly.
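SetThreadContext itself is not logged by common endpoint telemetry, but the surrounding hollowing sequence is: the parent creates the host process and, moments later, opens it with memory-write rights. The Python below is an added example (not part of the report) of that heuristic run over constructed events. The Event layout mirrors the fields of Sysmon event 1 (ProcessCreate) and event 10 (ProcessAccess) but is this author's simplification; SAMPLE_EVENTS are constructed, and the MSBuild.exe image given to PID 4968 is an assumption, since the report does not name it.

```python
"""Heuristic for the injection step behind the SetThreadContext signature:
a process creates a child and then opens that child with memory-write
rights within a short window, the process-hollowing pattern.

Added example, not part of the report. Event approximates Sysmon event 1
(ProcessCreate) and event 10 (ProcessAccess); SAMPLE_EVENTS are constructed
and the image assigned to PID 4968 is an assumption."""

from __future__ import annotations

from dataclasses import dataclass

# Process access rights (winnt.h) that writing a payload into the target needs.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOWING_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass(frozen=True)
class Event:
    ts: float
    event_id: int            # 1 = ProcessCreate, 10 = ProcessAccess
    pid: int                 # event 1: the new process; event 10: the opener
    image: str               # image of `pid`
    parent_pid: int = 0      # event 1 only
    target_pid: int = 0      # event 10 only
    granted_access: int = 0  # event 10 only


def find_hollowing_candidates(events: list[Event], window_s: float = 5.0) -> list[tuple[int, int, str]]:
    """Return (parent_pid, child_pid, child_image) for every child that its own
    parent opened with VM_OPERATION|VM_WRITE within window_s of creating it.

    Requiring the opener to be the creator, the access mask to include write
    rights, and the window to be short keeps debuggers, scanners and launchers
    that only wait on or query their children out of the result."""
    created: dict[int, tuple[float, int, str]] = {}
    hits: list[tuple[int, int, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 1:
            created[ev.pid] = (ev.ts, ev.parent_pid, ev.image)
        elif ev.event_id == 10 and ev.target_pid in created:
            t0, parent, image = created[ev.target_pid]
            if (ev.pid == parent
                    and ev.ts - t0 <= window_s
                    and (ev.granted_access & HOLLOWING_MASK) == HOLLOWING_MASK):
                hits.append((parent, ev.target_pid, image))
    return hits


SAMPLE = r"C:\Users\victim\Downloads\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6eccc9.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  # assumed image for PID 4968
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed event stream, not from the report.
SAMPLE_EVENTS = [
    Event(0.00, 1, 4256, SAMPLE, parent_pid=1812),
    Event(0.31, 1, 4968, HOST, parent_pid=4256),
    Event(0.33, 10, 4256, SAMPLE, target_pid=4968, granted_access=0x1FFFFF),  # PROCESS_ALL_ACCESS
    # Benign: explorer starts notepad and only queries it; a scanner reads it much later.
    Event(1.00, 1, 5120, r"C:\Windows\System32\notepad.exe", parent_pid=2040),
    Event(1.10, 10, 2040, EXPLORER, target_pid=5120, granted_access=0x1000),   # QUERY_LIMITED_INFORMATION
    Event(40.0, 10, 3300, r"C:\Program Files\Scanner\scan.exe", target_pid=5120, granted_access=0x0410),
]

if __name__ == "__main__":
    for parent, child, image in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f"possible hollowing: {parent} -> {child} ({image})")
```

Note that the sample path in SAMPLE_EVENTS is a constructed stand-in and the access masks are the values these APIs commonly request; tune window_s to the telemetry's timestamp resolution before using the heuristic on real data.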
Drops file in Program Files directory (64 IoCs)

  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | msbuild.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | msbuild.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | msbuild.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | msbuild.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | msbuild.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | msbuild.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | msbuild.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | msbuild.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | msbuild.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | msbuild.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | msbuild.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | msbuild.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | msbuild.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe

  Every entry is an executable under Program Files, again written by msbuild.exe or alg.exe, covering browsers, Java, Office, Acrobat Reader, 7-Zip and VLC without any obvious selection. Three tables in this report (this one, the SCSI key list and the HKEY_USERS list) stop at exactly 64 rows, which is consistent with a display cap rather than an exact count, so the true number of modified executables may be higher than shown. An analyst working from this report should enumerate and signature-check every executable in Program Files and System32 on the affected host rather than rely on the list as complete.
Drops file in Windows directory (3 IoCs)

  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | msbuild.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msbuild.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

  All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and are given relative to that prefix. Four device instances are enumerated: Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000, CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001, CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 and CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000.

  description | ioc (relative to ...\Enum\SCSI\) | process
  Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe

  All reads come from SensorDataService.exe and spectrum.exe, two of the service binaries that were opened for modification by the sample and then started (see "Executes dropped EXE"). Both are Windows services whose normal work may involve enumerating devices, so these reads may be routine service start-up rather than a deliberate anti-sandbox check by the payload, and the signature should not be weighted heavily on its own. The rows are still informative about the analysis environment: the CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM device and its FriendlyName leak the hypervisor to anything that enumerates SCSI devices, which is exactly what a sandbox-aware sample would look for.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
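Taken together, the SCSI and CentralProcessor reads above are the raw material of a hypervisor check, whichever process performed them. The Python below is an added example, not part of the report, that classifies those artefacts the way an evasive sample would, which is also how a sandbox operator can audit what an image leaks. The SCSI key paths in OBSERVED_SCSI_KEYS are copied from the report; the CPU name strings and core counts are constructed, and the strong/weak tiers and token lists are this author's heuristics rather than anything the report states.

```python
"""Classify hardware-enumeration artefacts (Enum\\SCSI device keys and
CentralProcessor values) into hypervisor evidence, as an evasive sample
would and as a sandbox operator auditing an image should.

Added example, not part of the report. OBSERVED_SCSI_KEYS are copied from
the report's SCSI table; CPU inputs are constructed; the severity tiers and
token lists are heuristics chosen for this example."""

from __future__ import annotations

import re
from dataclasses import dataclass

SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)

# Vendor/product substrings that only hypervisors produce.
STRONG_VM_TOKENS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "XEN", "VIRTIO", "VIRTUAL HD", "VIRTUAL DISK")
# "Msft Virtual DVD-ROM" also appears on physical hosts whenever an ISO is
# mounted, so on its own it is only a weak signal.
WEAK_VM_TOKENS = ("MSFT VIRTUAL",)


@dataclass(frozen=True)
class Finding:
    level: str    # "strong" or "weak"
    source: str   # device instance or registry value that leaked it
    reason: str


def parse_scsi_key(path: str) -> tuple[str, str, str, str] | None:
    """Split an Enum\\SCSI key path into (class, vendor, product, instance)."""
    m = SCSI_RE.search(path)
    if not m:
        return None
    return m.group("cls"), m.group("ven"), m.group("prod"), m.group("inst")


def assess_scsi(paths: list[str]) -> list[Finding]:
    """One Finding per distinct device instance whose vendor/product names a hypervisor."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for p in paths:
        parsed = parse_scsi_key(p)
        if parsed is None:
            continue
        cls, ven, prod, inst = parsed
        ident = f"{cls}&Ven_{ven}&Prod_{prod}\\{inst}"
        if ident in seen:
            continue  # the report lists many sub-keys per device; count it once
        seen.add(ident)
        text = f"{ven} {prod}".replace("_", " ").upper()
        if any(tok in text for tok in STRONG_VM_TOKENS):
            findings.append(Finding("strong", ident, f"'{ven} {prod}' names a hypervisor"))
        elif any(tok in text for tok in WEAK_VM_TOKENS):
            findings.append(Finding("weak", ident,
                                    f"'{ven} {prod}' is a virtual device but also appears on physical hosts with a mounted ISO"))
    return findings


def assess_cpu(processor_name: str, core_count: int) -> list[Finding]:
    """CentralProcessor checks: an emulated CPU name string is decisive; a
    very low core count is only a weak hint that is common in sandboxes."""
    findings: list[Finding] = []
    if any(tok in processor_name.upper() for tok in ("QEMU", "VIRTUAL CPU", "KVM")):
        findings.append(Finding("strong", r"CentralProcessor\0\ProcessorNameString",
                                f"'{processor_name}' identifies an emulated CPU"))
    if core_count < 2:
        findings.append(Finding("weak", "CentralProcessor subkey count",
                                f"only {core_count} logical processor(s)"))
    return findings


# Copied from the report's SCSI table (a representative subset, including a
# second key for the QEMU device to show de-duplication).
OBSERVED_SCSI_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
]

if __name__ == "__main__":
    for f in assess_scsi(OBSERVED_SCSI_KEYS) + assess_cpu("QEMU Virtual CPU version 2.5+", 2):
        print(f"{f.level:6} {f.source}: {f.reason}")
```

Run against the report's own keys the function returns two weak findings for the Msft virtual DVD drives and one strong finding for the QEMU drive, which is the practical takeaway for whoever maintains the sandbox image: the WDC disk name is fine, the QEMU CD-ROM identity is not.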
Modifies data under HKEY_USERS (64 IoCs)

  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000554f1598bcf0da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47afa95bcf0da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b18c2c96bcf0da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008de9aa96bcf0da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a6b4f97bcf0da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004955f395bcf0da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b9b4298bcf0da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dea38897bcf0da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073094d97bcf0da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe

  All of these writes come from SearchIndexer.exe (started as one of the "dropped" executables above), its helpers SearchProtocolHost.exe and SearchFilterHost.exe, and fxssvc.exe, running under the .DEFAULT profile. The values involved (MuiCache display strings, Explorer FileExts, the Shell Extensions cache, ActiveMovie and SystemCertificates keys) are what those services populate on start-up, so this signature is best read as a side effect of the modified services being launched rather than as persistence or configuration changes by the payload; none of the writes reference the Remcos paths, mutex or C2 from the extracted configuration.
Suspicious behavior: EnumeratesProcesses 35 IoCs
- pid 4968, msbuild.exe (35 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
- pid 656, Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
- Token: SeDebugPrivilege, pid 4256, 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
- Token: SeTakeOwnershipPrivilege, pid 4968, msbuild.exe
- Token: SeAuditPrivilege, pid 3964, fxssvc.exe
- Token: SeRestorePrivilege, pid 220, TieringEngineService.exe
- Token: SeManageVolumePrivilege, pid 220, TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege, pid 3184, AgentService.exe
- Token: SeBackupPrivilege, pid 1004, vssvc.exe
- Token: SeRestorePrivilege, pid 1004, vssvc.exe
- Token: SeAuditPrivilege, pid 1004, vssvc.exe
- Token: SeBackupPrivilege, pid 3444, wbengine.exe
- Token: SeRestorePrivilege, pid 3444, wbengine.exe
- Token: SeSecurityPrivilege, pid 3444, wbengine.exe
- Token: 33, pid 940, SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege, pid 940, SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege, pid 940, SearchIndexer.exe (24 occurrences)
- Token: SeDebugPrivilege, pid 4968, msbuild.exe (5 occurrences)
- Token: SeDebugPrivilege, pid 2888, alg.exe (3 occurrences)
-
Suspicious use of WriteProcessMemory 16 IoCs
- PID 4256 wrote to memory of 4968: pid 4256, 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe, procid_target 86 (12 occurrences)
- PID 940 wrote to memory of 4776: pid 940, SearchIndexer.exe, procid_target 115 (2 occurrences)
- PID 940 wrote to memory of 436: pid 940, SearchIndexer.exe, procid_target 116 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4256
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4968
-
[1] C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2888
-
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4936
-
[1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1608
-
[1] C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3964
-
[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 2076
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3036
-
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3404
-
[1] C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3004
-
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1848
-
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 460
-
[1] C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 3372
-
[1] C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4832
-
[1] C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4476
-
[1] C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4368
-
[1] C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3352
-
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4072
-
[1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1552
-
[1] C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 220
-
[1] C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3184
-
[1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2024
-
[1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1004
-
[1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3444
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 4708
-
[1] C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 940
  [2] C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4776
  [2] C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 436
-
Network
MITRE ATT&CK Enterprise v15
Downloads