Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 12:06
Static task: static1
Behavioral task: behavioral1
Sample: Technical Spec.exe
Resource: win7-20230220-en
General
Target: Technical Spec.exe
Size: 1.5MB
MD5: 66a9b6a55484f435f0fb7c84f71bc611
SHA1: 721833332c2fbc136adaebdf57013af384fb2cf7
SHA256: 59171f457fb4915d408fa293f0ca3cdfeb613a20d6fadc50ae88b1cf58f0b004
SHA512: 4aa631e503a41b597285fbb35c92f09c3c277e461f1845c0982006f86fc60fdf1242a4aa59c0ab976b5849da846fa17d36f89e9a1a7bcb4ef55986f7d6251f52
SSDEEP: 24576:gvPHgPdvk6fvDNL0mN3OnC/e4jGyIiDWXrPcTwCKvtB2zPJo0:g3Qvzfbd0ZC/eg1NWX6wCKVB2L
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures
-
Executes dropped EXE 43 IoCs
Loads dropped DLL 16 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 17 IoCs
Suspicious use of SetThreadContext 1 IoCs
description: PID 1304 set thread context of 540; pid: 1304; Process: Technical Spec.exe; procid_target: 28
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 28 IoCs
Modifies data under HKEY_USERS 17 IoCs
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid 540: Technical Spec.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid 540: Technical Spec.exe
pid 2516: SearchProtocolHost.exe
pid 2516: SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:540
-
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1504
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID:1608
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1556
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1756
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:996
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1636
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1304
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1040
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1368
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 23c -Pipe 1e0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1356
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1384
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1576
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1936
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:832
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 27c -NGENProcess 23c -Pipe 278 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2244
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2456
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2596
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:928
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2784
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 270 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2860
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:1772
-
C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:980
-
C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:864
-
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1536
-
C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:1004
-
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1120
-
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1556
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1356
-
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2284
-
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
PID:2356
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2500
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2620
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2760
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2848
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2088
-
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:696
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2961826002-3968192592-354541192-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2961826002-3968192592-354541192-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  - Suspicious use of SetWindowsHookEx
  PID:2516
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  PID:2684
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.3MB
MD55df581ca218242ea43437501ffa65390
SHA1381d748a186de7f7bc3a2a5e2062c3750436d8b1
SHA2561fbfa18eb0fc5f43317973934e19600682b0b090bcbe65ae95a8f8f1b067730b
SHA51227e77bb345d3e49fcbc13c8b56959fcbb9489832c046afc51a7f8224ea405198973da9582fad3f03154ffa30f58c1094841c3f323a7b68a5bf5feb94dfdaccf9
-
Filesize
1.3MB
MD55df581ca218242ea43437501ffa65390
SHA1381d748a186de7f7bc3a2a5e2062c3750436d8b1
SHA2561fbfa18eb0fc5f43317973934e19600682b0b090bcbe65ae95a8f8f1b067730b
SHA51227e77bb345d3e49fcbc13c8b56959fcbb9489832c046afc51a7f8224ea405198973da9582fad3f03154ffa30f58c1094841c3f323a7b68a5bf5feb94dfdaccf9
-
Filesize
1.3MB
MD519afbae44ebba56ccc6e1e4051d3ddf6
SHA14b126f923a0c6f946b9b134ea3ec31532c8cc176
SHA2562eeab36e82a6dee243889b08a46b08faaff72af67251f70e5d9c0cbcc63201d3
SHA5128ee9624e1c25c8c70cd2299bc3e09e803dae00ac61eb557db3f1f3f6a51743e8d7eded0533c22c46b65d3ac195f5b4ae8ae2812d6cb1176190de82c55742e41e
-
Filesize
1.3MB
MD519afbae44ebba56ccc6e1e4051d3ddf6
SHA14b126f923a0c6f946b9b134ea3ec31532c8cc176
SHA2562eeab36e82a6dee243889b08a46b08faaff72af67251f70e5d9c0cbcc63201d3
SHA5128ee9624e1c25c8c70cd2299bc3e09e803dae00ac61eb557db3f1f3f6a51743e8d7eded0533c22c46b65d3ac195f5b4ae8ae2812d6cb1176190de82c55742e41e
-
Filesize
1003KB
MD533ad352714ede8229d60ba9aff0a7771
SHA1f9128f74e0cb2a8ac3fef258de6478852c5cc28d
SHA256fc588d4033f8b6e69867a660f33d37e491ff7f77d301ccaff8b47f5578bb7462
SHA5127a783043ff12d3dbf7ecdc5a4db7f0886616cb85c015499ca8b49a9ff9ae7c777c6a7a52652064095e1b1e3cb3bde6857f374358dfc46f07f388b43c3d259941
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.3MB
MD5f30604f41ad059f0f944d77d9f1e09cd
SHA1df0a97be8b7aa42c5cd9297b77e40857b8d30858
SHA256328c3e60fa80c9075bd91f0efc1f0893fc3444de7aed45d48db1220dca55879f
SHA512ea07855879162293d06237337518881624148ea89b260c096adf1fe69a71073b9ba1889c2eb3252724b904d1fec63ec129e95af8ade001280e422ad59a244d88
-
Filesize
1.2MB
MD5a6a606efb7536b9ec68f0933eed3ed31
SHA16c1ad2777c20878f473dba81a57639bb55ad5c5d
SHA256948965ed8c72bafe5177eaeb0ab3bc3a088942fa98667a800c062d70113e4a8e
SHA5122e5d024b1c18424c3b15385987f48cfda5369415bada09013fbe5b2118e2aad0cac7d182c7b4b064a7d10c571c7c531663d4f5357ca8688b9019b75fea2c54b1
-
Filesize
1.2MB
MD5f47689261ede2faec0fcfe4bccf9b5a1
SHA1efb7e8fe3aa89b82c62d2c049e3b28f6ecff8b23
SHA2565480beb014b60e0b0e9b596fc19d24fa3ec19222f9607c087b981364059012c7
SHA5123ff409d7163abf30ba9a3f10c87891aa4640db1f4ccae215b0e422ae11dd6a0ace13f16cdbf51daaa47c5b0595f1b426d164c3dba6b99a0d2fb5efc604116326
-
Filesize
1.1MB
MD51c6744b81e2a829165c8ad2acfe5981d
SHA159ac2b0c088cbdac275ea61aaf46ff0aa877fb11
SHA2566386c719f931c57b30324cbb7efe332fc4cb834b9fb5810b216eb4923decdadd
SHA512c5ce470ce7e768e29df76022e7e0a0f1f2655a80f182e935dd124d46096738ae974e572f951aa20148cdc37107b61d89f1b6ffe8eb2a367260b596e0d8897ebd
-
Filesize
2.1MB
MD51cccda0dbdca1386867b2a57ef0e0876
SHA13a48d192f2e3b0b046d115e103d88895dc4e6b28
SHA256b043b3fdd900dbc70fbd1ff31f4a25b1828f40de190419f73649ffda9978f515
SHA512a65cd4ee8a5dfcf7f34d27f52e107b38dcefe52519d319d4795b3d27aad1a98fd48c6f9af4b115490f41c9277ca5d551b437871125b019bee28f685b607bea33
-
Filesize
1.3MB
MD5e76864c09e8a167a5783c1684be004f1
SHA15d83499d0a8a52c288219678ce1541b07956e83f
SHA256ab4c9dd29b4b0e1dafb95dbc5323e6c2470fce7d198ba10bbfa10a7f0dacea17
SHA512f387a0fe4948bc9975b7b1fc5bc70f7da0405a97d090c9a994ca904619a97e46d8e7d972da4d6c44b0f13a1c59733dafd17e3f45c76226578cba8a586ca480d7
-
Filesize
1.2MB
MD5d1ffa60544689307ee0d4d3429e0cc01
SHA197adfd32a74502eaf8a38eacad57a05946085d34
SHA256c3eff96dadf0b759a3c5a08f2d4ac198bb007ec7453adf6e0f95353784e631c8
SHA512b80e32b00f2b5d59b99a2623d85bee10d2af80aad1b30e06d7e8b5800f1915162721e9e302069e608f1ef21f5db54d8ff73a510bf3a04e7a09b97d76c8d5500f
-
Filesize
1.3MB
MD566f53f51e67ed6b978a65d221bad0104
SHA108236a1990b3033f887edafbc68e1dedce084e56
SHA2562381c9010e158511d681ab12e43fa7d2f8eecb0286bcc39851befc8340d46dd6
SHA512636db87b422546b32d8c8ddb0ba24fa7465ae752e5ed3be8c94cb87602664fc998fe6c8cdfb9c4cedca6e0fb504ad653ba9b0ea56a39d846b4e1529623c4b0ee
-
Filesize
1.4MB
MD513d91cd9f721526fbf94f5ba824cc0e0
SHA1f5455f3c0d64127f90cf611e77bf141c6afb6e2d
SHA25683f7aaa92cf9cec31a58ed898dcb3d351218a2549073f50554c18487637981b5
SHA5125913073db2a02fee127b5e6ef9ef1115b4fdb0815ab6c263cf588f491ae590466331598a1a89298d0659689d4095305cb86e14bdb2b24ef13fdf68a911d89962
-
Filesize
1.3MB
MD582cb5e4596f155794b0803fd96345189
SHA1b23fb2a5c678d3da10e6960fba67e8fec49d69f0
SHA2568325e219b08fb8384046b01e0e127c6cadbd4438fe23760edb622f14c69aa26f
SHA5120b6ac74a4faac3fac12ba147e94ad908e81d579e10aa1cbfcced98b33cf2a722cbe43bc92fb6bf2998bc65c1b5c267e85ca559e82c9346a4eecd716a720ec998
-
Filesize
1.2MB
MD5d93cbd8dd6aa6fe35f5a19c21830da44
SHA105c31a4110bab95cbdd220d7553c8a7e34efe99d
SHA2563dd146ffda625df4df35c03e49331167ae4454f7c51e315719ba97fc85fe2645
SHA5121b0689744f23c45bd091a5a27df276de14e55a0537401597100eaba9ba37af0b07e8bb39b2c33f4a5d5bb1b9a59eae049284470eb2e20194c78eeb33912b27c9
-
Filesize
1.7MB
MD5d045646505068bab1ee251d4d27e1f6c
SHA1df6379dde1a9821ba0bb77137200b2dfb7da2c3e
SHA256671d2110ae8b3d1e87635165de76cbea40bf3d7051596e07225e3da53ea33ee9
SHA512577c9a30936cfb311d17e6fa81d7e2289bd3133eac45c77d4823e5bcdf22fbd2ca1a8c6809e93968dc11bc3e2f8164a804a5ca2fe58c790f7cec16d54fd0bbaf
-
Filesize
1.4MB
MD57e905478edd2e1507843ba37aaaca287
SHA18d2b5723ba57b3c6e9d3f7f39d1817264fd59b03
SHA256c42c906dc961502883e54e9b6b4808a62a52f0e542115ebc08bc3f7f43264148
SHA512c0ad36e8bae50ae388b6b559b58ed984457ae7665565e72619bb8de9bb0c52260f0fd7388036b25628d65db0bd78c3cfb0b76b5857618b0c495cd5cf3ccf70f3
-
Filesize
2.0MB
MD5c7ae2ba59672c1349d4a651e7ab3d1c9
SHA17b32edf3da492bcda2fa9fa7cb2bd3f65eaafeb1
SHA256ddeeb062e8f2b5be48ef6591960e53654a0a0f16d1566ea773ba288aaebe8754
SHA51215be3cffb9c05756009d90a0ab215a25972602acdc9b31a0aa30a5875f071dcbed7953e076b210b6e99fad0a0b2bed36b297e076997927df045d7a2c6ed29bd1
-
Filesize
1.2MB
MD5f957bfe4830ef573723c95f014328ae7
SHA16af1b9fae2c260a9c0d71c4f5e32e2a00508560a
SHA256854ed62541388aca06dd8b40cfeff6549488f26efc4ad9461d93d23c92cbd351
SHA51216dcfdf452a1cb1ea2276f801ac8eb09eb3ac27db42ef95483acc8210d4f689b68c10791f13116a44d842ffa0fae1acd6be5503cad6ba9612119fe0550d11a59
-
Filesize
1.3MB
MD5b1b92779a6ba3812bfbda2f47b0e8973
SHA12325b2bc28deded5a2551199f5d40a3b3f151e7d
SHA2565cb02748aac95c443a2445a4eb297269d1f565f9b703142e550a3588ecbaae81
SHA512bcb89666b78ecafbfc4fcf4b183aec9e6285414afd330e7301a78b8348404c32585e14a9acaab69132f65910fe2e632eb353162e211cb2a5b361688a5a6d7d75
-
Filesize
1.3MB
MD582cb5e4596f155794b0803fd96345189
SHA1b23fb2a5c678d3da10e6960fba67e8fec49d69f0
SHA2568325e219b08fb8384046b01e0e127c6cadbd4438fe23760edb622f14c69aa26f
SHA5120b6ac74a4faac3fac12ba147e94ad908e81d579e10aa1cbfcced98b33cf2a722cbe43bc92fb6bf2998bc65c1b5c267e85ca559e82c9346a4eecd716a720ec998
-
Filesize
2.0MB
MD59224e3177f319d1602090b3aaf93d8e6
SHA1ce9649b4b7484eb31df62c12ff064a2f74bb34a5
SHA2567ea30ffdc7726fb24981911d83761f852efb86adb2e0e6ff34bade4297cbb617
SHA5127f059aab635aeb6ba0a918cd7caff144eb0ee239a4f23930fab0fbe1fd318de79878249c5a78ddb9a7dd951622ad937c041ce71d12caea1f426e7c808c3cd12c
-
Filesize
2.0MB
MD59224e3177f319d1602090b3aaf93d8e6
SHA1ce9649b4b7484eb31df62c12ff064a2f74bb34a5
SHA2567ea30ffdc7726fb24981911d83761f852efb86adb2e0e6ff34bade4297cbb617
SHA5127f059aab635aeb6ba0a918cd7caff144eb0ee239a4f23930fab0fbe1fd318de79878249c5a78ddb9a7dd951622ad937c041ce71d12caea1f426e7c808c3cd12c
-
Filesize
1.3MB
MD56359b02b1de304137054bd64322c84d5
SHA1fcf0a3f7ca59d4de2ed3abd147bc4a0048058839
SHA256f301ea8e63ba1b635ce20af004c962de4a4cf49c8bbd58e250fbdeff27080358
SHA5123b0afa6035f907b46b9ea847ec2b0a72ea7f8cea47dd3d0a2a47401706be4e5277555577e0b8bf29003b42514e0a1469ca6b8a8f2c86c1d1f03888197091c128
-
Filesize
1.3MB
MD5dbaa2599cb675b385f83c7c02a25bf54
SHA1a27ef0bd5b3f30f9900507b4a3d17cff566a2bbd
SHA256f4cad8c992432c40a501047f5d90bd1e35c38c5435765f851c316218eacc69c9
SHA512e189a312af9cffd19c757cd49418422cd6bd78ffcc024aa0eae3189e4d60dd4b1891d43822468f421cfa5f95c432d8db0dff73914344eb3ed0c9cedb9746b8e2
-
Filesize
1.2MB
MD5f47689261ede2faec0fcfe4bccf9b5a1
SHA1efb7e8fe3aa89b82c62d2c049e3b28f6ecff8b23
SHA2565480beb014b60e0b0e9b596fc19d24fa3ec19222f9607c087b981364059012c7
SHA5123ff409d7163abf30ba9a3f10c87891aa4640db1f4ccae215b0e422ae11dd6a0ace13f16cdbf51daaa47c5b0595f1b426d164c3dba6b99a0d2fb5efc604116326
-
Filesize
1.3MB
MD5e76864c09e8a167a5783c1684be004f1
SHA15d83499d0a8a52c288219678ce1541b07956e83f
SHA256ab4c9dd29b4b0e1dafb95dbc5323e6c2470fce7d198ba10bbfa10a7f0dacea17
SHA512f387a0fe4948bc9975b7b1fc5bc70f7da0405a97d090c9a994ca904619a97e46d8e7d972da4d6c44b0f13a1c59733dafd17e3f45c76226578cba8a586ca480d7
-
Filesize
1.2MB
MD5d1ffa60544689307ee0d4d3429e0cc01
SHA197adfd32a74502eaf8a38eacad57a05946085d34
SHA256c3eff96dadf0b759a3c5a08f2d4ac198bb007ec7453adf6e0f95353784e631c8
SHA512b80e32b00f2b5d59b99a2623d85bee10d2af80aad1b30e06d7e8b5800f1915162721e9e302069e608f1ef21f5db54d8ff73a510bf3a04e7a09b97d76c8d5500f
-
Filesize
1.3MB
MD566f53f51e67ed6b978a65d221bad0104
SHA108236a1990b3033f887edafbc68e1dedce084e56
SHA2562381c9010e158511d681ab12e43fa7d2f8eecb0286bcc39851befc8340d46dd6
SHA512636db87b422546b32d8c8ddb0ba24fa7465ae752e5ed3be8c94cb87602664fc998fe6c8cdfb9c4cedca6e0fb504ad653ba9b0ea56a39d846b4e1529623c4b0ee
-
Filesize
1.4MB
MD513d91cd9f721526fbf94f5ba824cc0e0
SHA1f5455f3c0d64127f90cf611e77bf141c6afb6e2d
SHA25683f7aaa92cf9cec31a58ed898dcb3d351218a2549073f50554c18487637981b5
SHA5125913073db2a02fee127b5e6ef9ef1115b4fdb0815ab6c263cf588f491ae590466331598a1a89298d0659689d4095305cb86e14bdb2b24ef13fdf68a911d89962
-
Filesize
1.3MB
MD582cb5e4596f155794b0803fd96345189
SHA1b23fb2a5c678d3da10e6960fba67e8fec49d69f0
SHA2568325e219b08fb8384046b01e0e127c6cadbd4438fe23760edb622f14c69aa26f
SHA5120b6ac74a4faac3fac12ba147e94ad908e81d579e10aa1cbfcced98b33cf2a722cbe43bc92fb6bf2998bc65c1b5c267e85ca559e82c9346a4eecd716a720ec998
-
Filesize
1.3MB
MD582cb5e4596f155794b0803fd96345189
SHA1b23fb2a5c678d3da10e6960fba67e8fec49d69f0
SHA2568325e219b08fb8384046b01e0e127c6cadbd4438fe23760edb622f14c69aa26f
SHA5120b6ac74a4faac3fac12ba147e94ad908e81d579e10aa1cbfcced98b33cf2a722cbe43bc92fb6bf2998bc65c1b5c267e85ca559e82c9346a4eecd716a720ec998
-
Filesize
1.2MB
MD5d93cbd8dd6aa6fe35f5a19c21830da44
SHA105c31a4110bab95cbdd220d7553c8a7e34efe99d
SHA2563dd146ffda625df4df35c03e49331167ae4454f7c51e315719ba97fc85fe2645
SHA5121b0689744f23c45bd091a5a27df276de14e55a0537401597100eaba9ba37af0b07e8bb39b2c33f4a5d5bb1b9a59eae049284470eb2e20194c78eeb33912b27c9
-
Filesize
1.7MB
MD5d045646505068bab1ee251d4d27e1f6c
SHA1df6379dde1a9821ba0bb77137200b2dfb7da2c3e
SHA256671d2110ae8b3d1e87635165de76cbea40bf3d7051596e07225e3da53ea33ee9
SHA512577c9a30936cfb311d17e6fa81d7e2289bd3133eac45c77d4823e5bcdf22fbd2ca1a8c6809e93968dc11bc3e2f8164a804a5ca2fe58c790f7cec16d54fd0bbaf
-
Filesize
1.4MB
MD57e905478edd2e1507843ba37aaaca287
SHA18d2b5723ba57b3c6e9d3f7f39d1817264fd59b03
SHA256c42c906dc961502883e54e9b6b4808a62a52f0e542115ebc08bc3f7f43264148
SHA512c0ad36e8bae50ae388b6b559b58ed984457ae7665565e72619bb8de9bb0c52260f0fd7388036b25628d65db0bd78c3cfb0b76b5857618b0c495cd5cf3ccf70f3
-
Filesize
2.0MB
MD5c7ae2ba59672c1349d4a651e7ab3d1c9
SHA17b32edf3da492bcda2fa9fa7cb2bd3f65eaafeb1
SHA256ddeeb062e8f2b5be48ef6591960e53654a0a0f16d1566ea773ba288aaebe8754
SHA51215be3cffb9c05756009d90a0ab215a25972602acdc9b31a0aa30a5875f071dcbed7953e076b210b6e99fad0a0b2bed36b297e076997927df045d7a2c6ed29bd1
-
Filesize
1.2MB
MD5f957bfe4830ef573723c95f014328ae7
SHA16af1b9fae2c260a9c0d71c4f5e32e2a00508560a
SHA256854ed62541388aca06dd8b40cfeff6549488f26efc4ad9461d93d23c92cbd351
SHA51216dcfdf452a1cb1ea2276f801ac8eb09eb3ac27db42ef95483acc8210d4f689b68c10791f13116a44d842ffa0fae1acd6be5503cad6ba9612119fe0550d11a59
-
Filesize
1.3MB
MD5b1b92779a6ba3812bfbda2f47b0e8973
SHA12325b2bc28deded5a2551199f5d40a3b3f151e7d
SHA2565cb02748aac95c443a2445a4eb297269d1f565f9b703142e550a3588ecbaae81
SHA512bcb89666b78ecafbfc4fcf4b183aec9e6285414afd330e7301a78b8348404c32585e14a9acaab69132f65910fe2e632eb353162e211cb2a5b361688a5a6d7d75