Analysis
max time kernel: 174s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2023 23:23
Static task: static1
Behavioral task: behavioral1
Sample: Quote 1345 rev.7.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: Quote 1345 rev.7.exe
Resource: win10v2004-20230220-en
General
Target: Quote 1345 rev.7.exe
Size: 1.5MB
MD5: e67a119b25c041892a38c6147fd54c60
SHA1: 8c3c63629929b9754c62fbad1e731f33758d2d2d
SHA256: 2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9
SHA512: 414e8de5219f34c4abcf885444dfab93e794abf69808d9c2e9e70f8de806da9e2159ba3d58dec41991be675955d7bb99b596e6b358a4cf7b3a32881cbbad1776
SSDEEP: 24576:OwwBIEAbPY00PXKtW93ZwJGRNI7MhXOd+DsyFqcpVsZB4yYH:0BIENBvDIwmeqcpVSed
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
pid | Process
4412 | alg.exe
5092 | DiagnosticsHub.StandardCollector.Service.exe
5000 | fxssvc.exe
3940 | elevation_service.exe
1608 | elevation_service.exe
2108 | maintenanceservice.exe
4536 | msdtc.exe
4716 | OSE.EXE
4544 | PerceptionSimulationService.exe
5108 | perfhost.exe
928 | locator.exe
4528 | SensorDataService.exe
4604 | snmptrap.exe
3876 | spectrum.exe
5084 | ssh-agent.exe
3800 | TieringEngineService.exe
4324 | AgentService.exe
5036 | vds.exe
4444 | vssvc.exe
4088 | wbengine.exe
392 | WmiApSrv.exe
4784 | SearchIndexer.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\vds.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\locator.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\AgentService.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\System32\alg.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b2aa1d1150d0d086.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\spectrum.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Quote 1345 rev.7.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1556 set thread context of 4796 | 1556 | Quote 1345 rev.7.exe | 83
PID 4796 set thread context of 2668 | 4796 | Quote 1345 rev.7.exe | 92
Drops file in Program Files directory 28 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Quote 1345 rev.7.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | Quote 1345 rev.7.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Quote 1345 rev.7.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4796 | Quote 1345 rev.7.exe
Token: SeAuditPrivilege | 5000 | fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege | 4324 | AgentService.exe
Token: SeBackupPrivilege | 4444 | vssvc.exe
Token: SeRestorePrivilege | 4444 | vssvc.exe
Token: SeAuditPrivilege | 4444 | vssvc.exe
Token: SeBackupPrivilege | 4088 | wbengine.exe
Token: SeRestorePrivilege | 4088 | wbengine.exe
Token: SeSecurityPrivilege | 4088 | wbengine.exe
Token: 33 | 4784 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 4784 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 4784 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4796 | Quote 1345 rev.7.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 1556 wrote to memory of 4796 | 1556 | Quote 1345 rev.7.exe | 83
PID 4796 wrote to memory of 2668 | 4796 | Quote 1345 rev.7.exe | 92
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556

  C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe" 2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
PID:5092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵
PID:4620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:1608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:5108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵
PID:4420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784
Network
MITRE ATT&CK Enterprise v6
Downloads