Analysis
max time kernel: 135s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2023 07:02
Static task: static1
Behavioral task: behavioral1
  Sample: Technical Spec.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Technical Spec.exe
  Resource: win10v2004-20230220-en
General
Target: Technical Spec.exe
Size: 1.6MB
MD5: b07439ae25abcf2d281132533f2c4aa4
SHA1: 4137af7edd5400e7e87b1ef31ad3d69da6f77d82
SHA256: 2a84cd5f54e03590ad92e86ce6618dc5c31cb290e0845bb5de357f8c92af8749
SHA512: 9c82e054400eba3459fed20bce1e1fbfe41d4459914ef7d6655ec8b06cf9d4fedf11be0de967de4fa0b167a2d835d603d50d121a5463ac0b28aabe2f4d39316e
SSDEEP: 24576:CPKc2E+VeksjscdkmsRzUHr+3KcQh3GgVqIB5WtS4DW3mkh9YnpZq7ZPGAw1c:GpEE3qzULUhgGgVqIL4DWPhWnpAlnw1
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
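The extracted C2 is a Telegram Bot API call, so the useful pivots are the bot id (the numeric prefix of the token), the full token and the operator's chat_id, and the same shape recurs in proxy logs whenever a stealer built on this pattern exfiltrates. The script below, added here as an example and not part of the sandbox report or of BluStealer's own code, parses the URL from this config and then runs a detection over a few constructed proxy-log lines (the log format and the second bot token are invented for the demonstration; only C2_URL is taken from the report).

```python
"""Parse the Telegram Bot API exfil URL from this report's extracted config and
flag matching requests in proxy logs.  Added example: not the sandbox's output
and not BluStealer's code.  SAMPLE_LOG below is constructed for the demo."""
import re
from urllib.parse import urlsplit, parse_qs

# Taken verbatim from the "Malware Config" section of the report.
C2_URL = ("https://api.telegram.org/bot5797428905:"
          "AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325")

# Bot API paths look like /bot<bot_id>:<secret>/<method>.  The numeric prefix
# is the bot's own Telegram user id; chat_id in the query is the operator's
# destination chat.  Both survive even if the attacker rotates the secret.
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Bot API methods that carry data out (text, files, screenshots).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API URL into the parts an analyst pivots on.
    Returns an empty dict for anything that is not a Bot API call."""
    parts = urlsplit(url)
    m = _BOT_PATH.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return {}
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def find_telegram_exfil(log_lines, known_token=None):
    """Scan proxy-log lines and return (line_no, info) for every request that
    pushes data through the Bot API.  Hits on known_token are tagged so the
    analyst can tell "this exact sample" apart from "another Telegram stealer".
    Constructed line format: <timestamp> <client_ip> <method> <url> <user_agent>"""
    hits = []
    for no, line in enumerate(log_lines, 1):
        fields = line.split(" ", 4)
        if len(fields) < 4:
            continue
        info = parse_telegram_c2(fields[3])
        if not info or info["method"] not in EXFIL_METHODS:
            continue
        info["client"] = fields[1]
        info["same_bot_as_sample"] = known_token is not None and info["token"] == known_token
        hits.append((no, info))
    return hits


# Constructed sample log (not from the report): a benign Telegram Web request,
# a hit on this sample's bot, and a hit on an unrelated (invented) bot.
SAMPLE_LOG = [
    "2023-05-08T07:03:01Z 10.0.0.5 GET https://web.telegram.org/k/ Mozilla/5.0",
    "2023-05-08T07:03:15Z 10.0.0.5 POST " + C2_URL + " Mozilla/4.0",
    "2023-05-08T07:04:02Z 10.0.0.9 POST https://api.telegram.org/bot123456:AAexample/sendDocument?chat_id=42 -",
]

if __name__ == "__main__":
    token = parse_telegram_c2(C2_URL)["token"]
    for no, hit in find_telegram_exfil(SAMPLE_LOG, known_token=token):
        print(no, hit)
```

Blocking only the full URL is brittle; the bot_id and chat_id are the stable identifiers to alert on, and any sendDocument/sendPhoto to api.telegram.org from a non-browser process on a corporate host deserves a look regardless of token.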
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (44 IoCs)
pid | Process
464 | Process not Found
1536 | alg.exe
988 | aspnet_state.exe
1132 | mscorsvw.exe
108 | mscorsvw.exe
1456 | mscorsvw.exe
1220 | mscorsvw.exe
1312 | dllhost.exe
1016 | ehRecvr.exe
836 | ehsched.exe
1504 | elevation_service.exe
1540 | IEEtwCollector.exe
688 | mscorsvw.exe
1568 | GROOVE.EXE
2068 | WmiApSrv.exe
2148 | mscorsvw.exe
2204 | msdtc.exe
2372 | msiexec.exe
2528 | OSE.EXE
2576 | OSPPSVC.EXE
2708 | perfhost.exe
2744 | locator.exe
2836 | mscorsvw.exe
2848 | snmptrap.exe
2956 | vds.exe
3056 | vssvc.exe
2140 | wbengine.exe
2068 | WmiApSrv.exe
2388 | wmpnetwk.exe
2588 | SearchIndexer.exe
2084 | mscorsvw.exe
2368 | mscorsvw.exe
2316 | mscorsvw.exe
2608 | mscorsvw.exe
1968 | mscorsvw.exe
2148 | mscorsvw.exe
2480 | mscorsvw.exe
1472 | mscorsvw.exe
2144 | mscorsvw.exe
2420 | mscorsvw.exe
2608 | mscorsvw.exe
1736 | mscorsvw.exe
1776 | mscorsvw.exe
2408 | mscorsvw.exe

Loads dropped DLL (16 IoCs)
pid | Process
464 | Process not Found (8 entries)
2372 | msiexec.exe
464 | Process not Found (6 entries)
760 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Note that the reads come from AppLaunch.exe (PID 1576), the signed .NET host the sample injected into, not from Technical Spec.exe itself, so process-name-based alerting on the original file name misses this stage. The 9375CFF0413111d3B88A00104B2A6676 subkey is the MAPI profile section in which Outlook keeps per-account settings, which is why stealers open exactly this key.
Drops file in System32 directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | Technical Spec.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f421b4b37693df14.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\vds.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Technical Spec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\msiexec.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\alg.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | Technical Spec.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1412 set thread context of 472 | 1412 | Technical Spec.exe | 29
PID 472 set thread context of 1576 | 472 | Technical Spec.exe | 33
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by Technical Spec.exe:
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Java\jre7\bin\keytool.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jre7\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
C:\Program Files\Java\jre7\bin\rmid.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\7-Zip\7z.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Google\Update\Install\{DAC84675-37FF-4FBE-B599-BD322F822B5F}\chrome_installer.exe
C:\Program Files (x86)\Internet Explorer\ExtExport.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Drops file in Windows directory (29 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | Technical Spec.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{37177CA5-CBD6-4199-A3C9-CC9E5AE19559}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{37177CA5-CBD6-4199-A3C9-CC9E5AE19559}.crmlog | dllhost.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Technical Spec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | Technical Spec.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
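Read together, the three file-drop tables and "Executes dropped EXE" say the same thing: Technical Spec.exe (PID 472) opens dozens of legitimate service and application executables for modification, and several of them (alg.exe, vssvc.exe, dllhost.exe, mscorsvw.exe and others) then run and trigger the "dropped EXE" signature. The script below, added here as an example and not part of the sandbox output or of BluStealer's own code, cross-references a subset of those rows (transcribed from the tables above; the ordering is constructed, the report carries no timestamps) to produce the list a responder actually needs: which trusted binaries were tampered with, which of them already executed, and which are still dirty on disk but have not yet run.

```python
"""Correlate the file-modification IoCs with process launches to list the
legitimate executables the sample tampered with.  Added example: not the
sandbox's output and not BluStealer's code.  FILE_EVENTS and PROCESS_EVENTS
are a subset transcribed from this report's tables; their order is constructed."""
from collections import defaultdict
import ntpath

SAMPLE_IMAGE = "Technical Spec.exe"

# (action, path, acting process), from the "Drops file in ... directory" tables.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE_IMAGE),
    ("File opened for modification", r"C:\Windows\system32\vssvc.exe", SAMPLE_IMAGE),
    ("File opened for modification", r"C:\Windows\system32\dllhost.exe", SAMPLE_IMAGE),
    ("File opened for modification", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe", SAMPLE_IMAGE),
    ("File opened for modification", r"C:\Program Files\7-Zip\7z.exe", SAMPLE_IMAGE),
    ("File opened for modification", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    ("File created", r"C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat", "mscorsvw.exe"),
]

# (pid, image path), from "Executes dropped EXE" and the process tree.
PROCESS_EVENTS = [
    (1412, r"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"),
    (1536, r"C:\Windows\System32\alg.exe"),
    (3056, r"C:\Windows\system32\vssvc.exe"),
    (1312, r"C:\Windows\system32\dllhost.exe"),
    (1456, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"),
]


def norm(path: str) -> str:
    """Case-fold a Windows path so System32 and system32 compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def tampered_executables(file_events, sample_image=SAMPLE_IMAGE):
    """Set of .exe paths the sample itself opened for modification."""
    return {
        norm(path)
        for action, path, proc in file_events
        if proc == sample_image
        and action == "File opened for modification"
        and path.lower().endswith(".exe")
    }


def tampered_then_executed(file_events, process_events, sample_image=SAMPLE_IMAGE):
    """Map each tampered executable to the PIDs that later ran from it.
    Everything in this map is a trusted binary that now carries the sample's
    modification and has already executed, i.e. the persistence to rebuild."""
    tampered = tampered_executables(file_events, sample_image)
    ran = defaultdict(list)
    for pid, image in process_events:
        key = norm(image)
        if key in tampered:
            ran[key].append(pid)
    return dict(ran)


def not_yet_executed(file_events, process_events, sample_image=SAMPLE_IMAGE):
    """Tampered binaries with no execution seen in the run: still dirty on disk."""
    tampered = tampered_executables(file_events, sample_image)
    seen = set(tampered_then_executed(file_events, process_events, sample_image))
    return sorted(tampered - seen)


if __name__ == "__main__":
    for path, pids in sorted(tampered_then_executed(FILE_EVENTS, PROCESS_EVENTS).items()):
        print(f"{path}: ran as PID(s) {pids}")
    print("tampered but not seen running:", not_yet_executed(FILE_EVENTS, PROCESS_EVENTS))
```

The practical consequence is that restoring only the dropped .bin and killing the injected AppLaunch.exe is not enough; every path in the tampered set needs to be compared against a known-good hash or its Authenticode signature re-verified, and a binary that fails that check must be replaced from install media rather than trusted because it "is" alg.exe.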
Modifies data under HKEY_USERS (52 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{2FE5833F-CC61-42C2-8E44-9A8F7C012D47} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2FE5833F-CC61-42C2-8E44-9A8F7C012D47} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | Process
1412 | Technical Spec.exe
1776 | ehRec.exe
472 | Technical Spec.exe (25 entries)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1412 | Technical Spec.exe
Token: SeTakeOwnershipPrivilege | 472 | Technical Spec.exe
Token: SeShutdownPrivilege | 1220 | mscorsvw.exe
Token: SeShutdownPrivilege | 1456 | mscorsvw.exe
Token: SeShutdownPrivilege | 1220 | mscorsvw.exe
Token: SeShutdownPrivilege | 1456 | mscorsvw.exe
Token: 33 | 1680 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1680 | EhTray.exe
Token: SeShutdownPrivilege | 1220 | mscorsvw.exe
Token: SeShutdownPrivilege | 1220 | mscorsvw.exe
Token: SeShutdownPrivilege | 1456 | mscorsvw.exe
Token: SeShutdownPrivilege | 1456 | mscorsvw.exe
Token: SeDebugPrivilege | 1776 | ehRec.exe
Token: SeRestorePrivilege | 2372 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2372 | msiexec.exe
Token: SeSecurityPrivilege | 2372 | msiexec.exe
Token: SeShutdownPrivilege | 1220 | mscorsvw.exe
Token: 33 | 1680 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1680 | EhTray.exe
Token: SeBackupPrivilege | 3056 | vssvc.exe
Token: SeRestorePrivilege | 3056 | vssvc.exe
Token: SeAuditPrivilege | 3056 | vssvc.exe
Token: SeBackupPrivilege | 2140 | wbengine.exe
Token: SeRestorePrivilege | 2140 | wbengine.exe
Token: SeSecurityPrivilege | 2140 | wbengine.exe
Token: SeManageVolumePrivilege | 2588 | SearchIndexer.exe
Token: 33 | 2588 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2588 | SearchIndexer.exe
Token: 33 | 2388 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2388 | wmpnetwk.exe
Token: SeDebugPrivilege | 472 | Technical Spec.exe (5 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1680 | EhTray.exe (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1680 | EhTray.exe (2 entries)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
472 | Technical Spec.exe
2968 | SearchProtocolHost.exe (5 entries)
2904 | SearchProtocolHost.exe (6 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 1412 wrote to memory of 548 | 1412 | Technical Spec.exe | 28 | 4
PID 1412 wrote to memory of 472 | 1412 | Technical Spec.exe | 29 | 9
PID 472 wrote to memory of 1576 | 472 | Technical Spec.exe | 33 | 9
PID 1220 wrote to memory of 688 | 1220 | mscorsvw.exe | 44 | 3
PID 1220 wrote to memory of 2148 | 1220 | mscorsvw.exe | 47 | 3
PID 1456 wrote to memory of 2836 | 1456 | mscorsvw.exe | 54 | 4
PID 2588 wrote to memory of 2968 | 2588 | SearchIndexer.exe | 62 | 3
PID 2588 wrote to memory of 2680 | 2588 | SearchIndexer.exe | 63 | 3
PID 2588 wrote to memory of 2904 | 2588 | SearchIndexer.exe | 64 | 3
PID 1456 wrote to memory of 2084 | 1456 | mscorsvw.exe | 65 | 4
PID 1456 wrote to memory of 2368 | 1456 | mscorsvw.exe | 66 | 4
PID 1456 wrote to memory of 2316 | 1456 | mscorsvw.exe | 67 | 4
PID 1456 wrote to memory of 2608 | 1456 | mscorsvw.exe | 68 | 4
PID 1456 wrote to memory of 1968 | 1456 | mscorsvw.exe | 69 | 4
PID 1456 wrote to memory of 2148 | 1456 | mscorsvw.exe | 70 | 3
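The SetThreadContext and WriteProcessMemory tables are the injection story of this sample in raw form: 1412 writes into two children of the same image (548 and 472) but only replaces a thread context in 472, and 472 then writes into and resumes AppLaunch.exe (1576), which is the process that later reads the Outlook profile keys. The script below, added as an example and not part of the sandbox output or of BluStealer's own code, reconstructs that chain from the report's rows (EVENTS and IMAGES are transcribed from the tables and the process tree with duplicate rows collapsed; the mscorsvw.exe row is included as the benign contrast, since the NGEN service writes to its worker but never changes its thread context).

```python
"""Reconstruct the process-injection chain from this report's
WriteProcessMemory / SetThreadContext IoCs.  Added example: not the sandbox's
output and not BluStealer's code.  EVENTS and IMAGES are transcribed from the
report (duplicate rows collapsed); nothing beyond that is assumed."""
from collections import defaultdict

# pid -> image name, from the "Processes" tree.
IMAGES = {
    1412: "Technical Spec.exe",
    548: "Technical Spec.exe",
    472: "Technical Spec.exe",
    1576: "AppLaunch.exe",
    1220: "mscorsvw.exe",
    688: "mscorsvw.exe",
}

# (source pid, api, target pid), in report order, one row per distinct event.
EVENTS = [
    (1412, "WriteProcessMemory", 548),
    (1412, "WriteProcessMemory", 472),
    (1412, "SetThreadContext", 472),
    (472, "WriteProcessMemory", 1576),
    (472, "SetThreadContext", 1576),
    (1220, "WriteProcessMemory", 688),  # NGEN service -> worker, no context change
]

HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def injection_edges(events):
    """Group the events into {(src, dst): {apis}} for cross-process writes."""
    edges = defaultdict(set)
    for src, api, dst in events:
        if src != dst:
            edges[(src, dst)].add(api)
    return dict(edges)


def classify(edges, images):
    """Label every edge as (kind, masquerade).

    kind is 'hollowing' when the source both wrote the target's memory and
    replaced a thread context (the suspend/write/SetThreadContext/resume
    pattern), otherwise 'write-only' (an aborted attempt, or a parent doing
    ordinary child setup).  masquerade is True when the target's image name
    differs from the source's: the payload now runs under a trusted name."""
    return {
        edge: ("hollowing" if HOLLOWING_APIS <= apis else "write-only",
               images.get(edge[0]) != images.get(edge[1]))
        for edge, apis in edges.items()
    }


def injection_chains(edges, images, root_image):
    """Walk hollowing edges from each uninjected process named root_image and
    return every chain as a list of (pid, image)."""
    labels = classify(edges, images)
    nxt = defaultdict(list)
    injected = set()
    for (src, dst), (kind, _) in labels.items():
        if kind == "hollowing":
            nxt[src].append(dst)
            injected.add(dst)

    chains = []

    def walk(pid, path):
        path = path + [(pid, images.get(pid, "?"))]
        if pid not in nxt:
            chains.append(path)
            return
        for dst in nxt[pid]:
            walk(dst, path)

    for pid in sorted(nxt):
        if images.get(pid) == root_image and pid not in injected:
            walk(pid, [])
    return chains


if __name__ == "__main__":
    edges = injection_edges(EVENTS)
    for edge, label in classify(edges, IMAGES).items():
        print(edge, label)
    for chain in injection_chains(edges, IMAGES, "Technical Spec.exe"):
        print(" -> ".join(f"{pid}:{img}" for pid, img in chain))
```

For detection, the edge worth alerting on is the masquerading one: a process whose image is not a Microsoft .NET component writing memory into and resuming AppLaunch.exe. The first hop (a binary hollowing a second copy of itself) is what packers do as well, so on its own it has a poor signal-to-noise ratio; the write-only edge to 548 is the kind of row an analyst should read as "attempt that did not complete", not as a third injected process.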
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"2⤵PID:548
-
-
C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1576, depth 3)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path

- C:\Windows\System32\alg.exe (PID 1536, depth 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory

- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 988, depth 1)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE

- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 1132, depth 1)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 108, depth 1)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1456, depth 1)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2836)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2084)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2368)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2316)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 1f4 -Pipe 184 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2608)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f4 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1968)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 244 -NGENProcess 1ec -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2148)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 264 -Pipe 1f4 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2480)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1472)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2144)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 24c -Pipe 238 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2420)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2608)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 24c -Pipe 1d8 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1736)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1776)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2408)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1452)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 288 -Pipe 258 -Comment "NGen Worker Process"

- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1220, depth 1)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 688)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2148)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
    - Executes dropped EXE

- C:\Windows\system32\dllhost.exe (PID 1312, depth 1)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

- C:\Windows\ehome\ehRecvr.exe (PID 1016, depth 1)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

- C:\Windows\ehome\ehsched.exe (PID 836, depth 1)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

- C:\Windows\eHome\EhTray.exe (PID 1680, depth 1)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1504, depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

- C:\Windows\ehome\ehRec.exe (PID 1776, depth 1)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\IEEtwCollector.exe (PID 1540, depth 1)
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1568, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2068, depth 1)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

- C:\Windows\System32\msdtc.exe (PID 2204, depth 1)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

- C:\Windows\system32\msiexec.exe (PID 2372, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2528, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 2576, depth 1)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

- C:\Windows\SysWow64\perfhost.exe (PID 2708, depth 1)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

- C:\Windows\system32\locator.exe (PID 2744, depth 1)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE

- C:\Windows\System32\snmptrap.exe (PID 2848, depth 1)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

- C:\Windows\System32\vds.exe (PID 2956, depth 1)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE

- C:\Windows\system32\vssvc.exe (PID 3056, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbengine.exe (PID 2140, depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2068, depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

- C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 2388, depth 1)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\SearchIndexer.exe (PID 2588, depth 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\system32\SearchProtocolHost.exe (PID 2968)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\SearchFilterHost.exe (PID 2680)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
  - C:\Windows\system32\SearchProtocolHost.exe (PID 2904)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads