Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2023 18:59
Static task: static1
Behavioral task: behavioral1
  Sample: Request for Quotation.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Request for Quotation.exe
  Resource: win10v2004-20230220-en
General
Target: Request for Quotation.exe
Size: 1.5MB
MD5: 67683d83541b578498d12ddc5828260e
SHA1: 679904b6c6101f399811885b42e98c4c8c564e6e
SHA256: 9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680
SHA512: fb3080919598e0bedaa3b429e86f498bbbfcfb257a9c92dc9f6c197e2da9bd17328cc762bd97e7cbb770f0d6f1e8c8c05107a59f6204ce8ebc5ad4996e8e709b
SSDEEP: 24576:sLOOmjfJ7uGyhgAzbOQ31ubRVTkK09CDg2bCaUwFDyfCTdNuuVIF/gwqb+:sG17uGmPOQ3oNVTkhC/bCaUwpy2wuV32
Malware Config
Extracted: blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 52 IoCs
Loads dropped DLL 16 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Drops file in System32 directory 17 IoCs
Suspicious use of SetThreadContext 2 IoCs
- PID 2040 set thread context of 1852; pid 2040, Request for Quotation.exe, procid_target 28
- PID 1852 set thread context of 1924; pid 1852, Request for Quotation.exe, procid_target 32
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 29 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS 57 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
Suspicious use of AdjustPrivilegeToken 36 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
- pid 764 EhTray.exe
- pid 764 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
- pid 764 EhTray.exe
- pid 764 EhTray.exe
Suspicious use of SetWindowsHookEx 13 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
outlook_win_path 1 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1924
-
-
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID: 908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1736

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1896

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2824

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3000

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2228

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 238 -Pipe 234 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 828

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2600

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2848

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3032

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2132

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 238 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2828

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2452

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1976

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2604

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2264

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 238 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2900

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 268 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2436

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e8 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2860

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 238 -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1232

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1d4 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3044

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 1e8 -Pipe 270 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2216

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1640

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3008

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1e8 -Pipe 290 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2056

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 238 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1920

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2184

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2468
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 1680

C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 316

C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 896

C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 1144

C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1368

C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 900

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2012

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2148

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2372

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2728

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2816

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2908

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3048

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2500

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2608

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2700

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2516

C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3012

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2960

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2961826002-3968192592-354541192-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2961826002-3968192592-354541192-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID: 1228

    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    PID: 2900

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 2080
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1.4MB
MD5: 2e3e8fcdf22b434e0bb9d22ec877971d
SHA1: d34a726b3c3e702f3f49bb32f0e104b009ac642a
SHA256: 78d02d2d8c4852e15f5acff6d589cebea952fe9bb1fdbe561d5eb991002ee8a1
SHA512: 679939ef1a3372964f179dbdf27560c85fdffe9188b4a4676d96c9bc675a1cb0294c6f834f9af0cefad0458a1e5eb8b4daaa9b4c037595ea6df59f9c2d7f870d
-
Filesize: 30.1MB
MD5: f5d90e1f29b93cbcf725764a84a15f18
SHA1: d919e52eb06f3944cbf274360654dce4e0de59b3
SHA256: c866263f55a962eac85d0f36b7d05e64988bd3b6f5294c7ce1a12addb129b85c
SHA512: fc0e1a81dc291179d87350ec6ca196743a25a6f255361f8f1ca81b14af6f8dacd1e11195f83a55acdebed45bfa03b8154e07ef94e127115015bfd740c6179798
-
Filesize: 1.4MB
MD5: 3d06b02c2c86635b38c08f0c0de3bda7
SHA1: 784f98ade25853de7360c90851ed72aa937c2651
SHA256: 7b0734c727281e0721595a4917b28dd13ed12af932565bf70112b21a6afcd0cb
SHA512: b88b44c9824c6d365032d6a773b78f97e1f66d12ef5ca0f7a89afccc41bc4e770efbb542eb1da008cb2f1a47fbd77406c59925a356baea2c0566b4fa18233400
-
Filesize: 5.2MB
MD5: 137e58b2628d8499e6459346073bbd86
SHA1: 94588ea9371ccf2e9708d9217fdf6de8cb463c03
SHA256: b1032fdf0e75b636751ff241e938b7fe7154c0ea5d479aaf7484ec3ab0ae4e03
SHA512: 6beaf9d2a79d27ab6c631582b41b8fe1a7d1184fc870efd85ef5636ef54a1ab83f1cea37427a5f7f97c6a230294580eb4168e2471fcbf8d8d27c933d03202823
-
Filesize: 2.1MB
MD5: 75304c2a975aff665aeb1ed4fee78713
SHA1: c120c0d833b4d5050da3dbb35a1c9356b2b84d44
SHA256: 6a3ed43549ea6e1241c28e318e7e879b0cf13572a89439b346ea6d26fa1c18a4
SHA512: 87bcb8af19e5a761b655d4dcee71840ae4216b578cb26d4a6a1edadb23a247a38486a447040803298277c35d541e5e7f4528bfd77d149de263ceb9ea32efe605
-
Filesize: 2.0MB
MD5: 67d71fed2c71b8bed19a8dc511413bde
SHA1: 36ef68cf995b26368a32a40980c23b258f072f52
SHA256: f56a57dc7ac5c2133de5accd304afc13c6ec149fbf46fdcf372e346bcca5d8eb
SHA512: c0fe33bac858412a4bb6a546d7d0a9e0b50a35b663d382807688dff93c02dc579cf5ba1aecc38bd0cc27575fd8e93428f9a96dd21d91c046c488c1a5825547cf
-
Filesize: 1024KB
MD5: 6a9f0a3c37057ac66f14d4864a9e1eca
SHA1: 5505ac51b9f5137daf17bc80a01b6e830386f6c4
SHA256: 643fafe9b62afaf2838ea400c0ed91dcd70f1b5a90c7bbfa4bc83c9ae1652042
SHA512: 98839fdfbdc3323cc1fc0b886f012418f043b771857f63831bdcda97efd5c4b2cceb70553ab934a1d6e31c1f281ded31e8997ad826ff8fb99115ba7da69c6c8e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
MD5: b9bd716de6739e51c620f2086f9c31e4
SHA1: 9733d94607a3cba277e567af584510edd9febf62
SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize: 1.3MB
MD5: f22d7f48cea843f0d58a945bf976b1c5
SHA1: 0dd9463f41b6c3800f2b7bed7cfa5953b99a61f7
SHA256: 72841ab84753baf4fb1f61bd9ffed50fda97e95c4c1bf4845be729aa068849de
SHA512: b32812a29266dc4aef9517a196af668ed1f3ee684acb8f840498df020bb2423f38da5fec32081c84aaaa7512a2da0c4d94c4f46bdecfd96c62ea94ac69a0e7fb
-
Filesize: 872KB
MD5: dc1cfcc43a80238a3047918b3734ebf8
SHA1: d9c481aee17293057cfc7e4885e4ab0ed4fc6750
SHA256: 4b24c1564a41e13c7e89726970d38660a406e09f3a2a1c109d942b1b2edf85bb
SHA512: 62ca744476fb92523822efb3637d400cdcfbd447cf32a1a91d4186b4484b38adbce69c2a4a2ce3964c139f3e9f5e89901d856e1e84c0fbef2564e51a9d8628ab
-
Filesize: 1.3MB
MD5: bee0afd3aa2e5a6b92036af01ed1b41b
SHA1: 1fd0d7b2e49481dd50c49a58153ede6bb9699260
SHA256: f10daaab20814c09a6f69aa8796b2d0033dcc27a115786f4ac5c97dee0d8f85d
SHA512: 3df2bdeda93f28a0d27b6ba60b62a77fbdb45292a9be50b14dda4a841f2fb6c0e091d7d09cfada59d97ea4927b8fc31801a44608ab88148cceac20546bea941f
-
Filesize: 1.3MB
MD5: f114a18179a8d1e14259550328d8b89d
SHA1: 3ed5a2cbaf128ed1a128a2973f30bde246c95b16
SHA256: 412c9bc86a7c3bae92c482bef8ff454d45f46b32a7b7d6a707c3d47ebdb930f7
SHA512: db4428339cba5ffd6588e52de01ffb92e1a92e70298ade57a41fe7b452adf640877e1b1184a94d46c13287ea21e7f6d0ca168aad02ff040eb6d735c0b406d3d1
-
Filesize: 1.3MB
MD5: 1e13fe81bfc9cc39c76251f66e028569
SHA1: 827bfbaa5b84b329085194f2d2d40c28311ec73b
SHA256: a515c4ad80adaf0990281263c960c12db2c5f8d8de5b7ed2404ede68c32f81f4
SHA512: da867716d5fe3272803672369a2289d7abf4913eca35fde6fbd29e468e244bad4b50fdbf2e3dfeba8d8b63f5725691a26959844cdcdedd4e9fc2ee280b8eae7c
-
Filesize: 1003KB
MD5: 035a0cd1085e6bac3950b4598d5a87ed
SHA1: f6d4bd975c350a99ef87697927928de5be73d7e9
SHA256: 25771dd911dc957a08149c78d747555475abf8b0633baa81a1d5234df1c0412f
SHA512: 8cfcdf8811fe68c5d22e80f298bfdb1d3ee4053e682f4e699c3751c19ccba70b8bdb1084dd804e98f1eebb43941c7e377e9ffeb9613e3a8cfc52cc1de0e79c04
-
Filesize: 1.3MB
MD5: 59de762c00b411a3da795c1d6b21e1b0
SHA1: c5925c647ad0d3c5bd4997b1a0e8fc077793348a
SHA256: 21269f69fb25a741e11750a70898edf231de86372c46837f7fb3527684a07a3f
SHA512: 713a3bb7ea4fea8a297e1463a7f664cb05708de0671c7fe466437e1f5ca456fa5053a2d172c390243e4464fc3a05c9f8bcb4f12308d7883161b2845134bb7f70
-
Filesize: 1.2MB
MD5: aa84435d9c437df55069d800605de759
SHA1: 1d3b9cfd57a6631e6c54eb5f3a1ce190aa233933
SHA256: 2763631f1c3427860ab57aa081a94a946ba941701a37b870adbc39be7babd761
SHA512: 77810257e61a00110593f65c2ce0af0e8d72828c585ee0be9adf2620f23e7e0f6a0ad63e7b73c26c8bd378e3435ae9927f3811bde06db23c9c6b0b109333f9b4
-
Filesize: 1.2MB
MD5: c5ebef18891e5d981b19f4c76d1d7e36
SHA1: 9e7e2276fbbf20ccbae098ac24584277fa086bc7
SHA256: dd6aa81904034bf38018c810c2f5008f26086ea4bece8673206a325d75f43849
SHA512: cea553b038ff3b11f735ea6031f252eaa693f8268ae8290fc95a4c365cab74f9d2422df55a0bb813d60c5706b95481649eca60eada42123ffa267339c2520f99
-
Filesize: 1.1MB
MD5: a9f1cdc24f397111aa56939d8b0ec0e4
SHA1: 6f1de1a044ba96cdce4255bad015f72844663e9c
SHA256: 1a7975b1f5980c0ffcc83d560ac4faaa14a1a4fa46e99f842f3098662ef49470
SHA512: 71ce059b68f61187204bc1066a26a337d5b0e8696321f9b6389ec3411db07f48b9edd8f577a221dc7f533671a0b05e44de3a2beac201249a93cb3e8dc1cebf13
-
Filesize: 2.1MB
MD5: 7224cfc62c76678508b6f0cb81fa3727
SHA1: 4ece8e6393b437047b2ab9e2bde9f725679f9532
SHA256: e0c93770f5a918289ad22cc04e9ac954efb0686b1f68492bde4923802b10c283
SHA512: 47cba4c374ba6884ceb5bcd21c212c1e4fe29f7a394de79bec57cb9391188bd3cba21171a774b25a1a16d58b183d693d6d0027596c64b726216043035f718bf1
-
Filesize: 1.3MB
MD5: f081de1f94d4a3821640ed8a0b55e86b
SHA1: 32b329b02b39de84177e4e6da308e00c1c9f598c
SHA256: 705542ddbefac5283aab1b2c698d58c35ae0c27dbefb08fb75f87fcf331be719
SHA512: 6a4cd576ecd3b8dc499a12d4647225b0989d46909a40c060b551732ea5fa9c195115d8cc9e638937997468ca92c461365a955e3d6124b9aa9c3725c3462344f7
-
Filesize: 1.2MB
MD5: 79d2dc248e31d6b1f93cd9b838762ce0
SHA1: c290fbad249fb67289fd905cc287f94195ed52ed
SHA256: 6e5aa1e2299b287cf9686b130eac159c76254e1a3bd501763678386ed8a75d1b
SHA512: 1e3885126c892ba76cec4bd8e3c1bd404b22da55aa346e3d05ecaf4fa85a52654f59b23d6b5b1f0c2e83dc01d77bfd55efc20185aa6561c8fffe1e66b67b7371
-
Filesize: 1.3MB
MD5: 540c7a6eac79367ca01fbeec1cb3327f
SHA1: 6b968deebb6b748fa7fbf44af9e157483aaa337a
SHA256: acc0acc80ff1f17d21043b9123727b93e20631dff92ba21fe2c6da9fe277555e
SHA512: 1461cb96b18e0f5ca72c3134646c71fa6825f1a8168fdd2d845048318dae237cfbb00c1c557ff7e9b4da4b834a4e9f5d6a024be0129db67eaa358b51c948be0f
-
Filesize: 1.4MB
MD5: e06d9fbff4425980c20aeb3e5908cea8
SHA1: dd556cc64dbe09eef6755937c792d06ef3f5bf64
SHA256: 7d8f853aeb071b15fad03dc5d4d9ce6d5422b7ac0a86ea0f5e361825337fd274
SHA512: 7a7a0cd808fa45cd355ec0410940954a4854318f9fdb4a3b6d3bada001ff15afabd35ab1937381cb1ab233a3158a00069eebc990f6c77798115f39826b7a030b
-
Filesize: 1.3MB
MD5: 8af76cd47ebb13e3e762c8fac461cd8e
SHA1: 21caeff42a8c8b1a6c14a18690abeec622e661de
SHA256: f5cb50f78d67848b24243beb82743d4df7e2e7484c167e1596fd09747b24cc74
SHA512: 7c8c4bfccba9d2171fa5bc85774f2170f031ce8cc5db4ef3e81aa88816e3e08a52af3e67e7626509221b48629cdf0e32b3347d3b6e1afa5c18536a5890144b4d
-
Filesize: 1.2MB
MD5: 51829fbe9f24bbd9b74d2b122e9533e1
SHA1: 0c26162d98ca1465819c51dce97288b410b8d555
SHA256: d837ca8996c4563a637a6d1270014670aaaf820954514cb8e867bc3f1f18d193
SHA512: 6e7ca4241d635dcbc75189ef9350655719fab5cab60ebc0c1ee7a2471e0ba72c4149e4d0bf9f8eb34da3ec4d25fc02501236e071ff4a19f9e1d88beb8247589e
-
Filesize: 1.7MB
MD5: 3ad42ce307719975b96230c61dc857eb
SHA1: 5ebcd9e9d16bcd75e851bbb75bbff335d7d78d35
SHA256: 68f2f20d97113a6e52dd70c9551b393da3f98386d315e6348c34b7d5e9090e74
SHA512: 4b583899746403dd1f6fc91b33b7e0dd6e40145061ffedde2ec5466f138c401ce9d565e15ebb02c38ee93aeeebdcc3b931085434224b8646b11882e888b474d9
-
Filesize: 1.4MB
MD5: 21f35e58b1eb45224915a0c4952d1ded
SHA1: 860c38e285bdc9f206244a6b0fa37fa6c874ced8
SHA256: d1deb1103c6d1725e8e1913e357440c803d16fa18733fa8d0f1c906f29b11e77
SHA512: 59e0d92bbc035671e395edc157b648db6b622e920c7570c879ee26a0015d9e504265a4c6ee98785a32c4cb485f22d7197e59712c3f3f595e3b14248218127040
-
Filesize: 2.0MB
MD5: bc856a8fc03839604fce65da2d3f6b55
SHA1: 835e934e90c48d32dc63e91cec0ccbbae6f2434b
SHA256: 53dd268c744f3da10aa49eb83ec307ef1154b8e81fa2d6909dd42f55e4dcf66b
SHA512: a2aa04ad2f8c0e33e4988ebce3a3f18e89a8cf17cff38cb65e0871ba0a2888da1b8898c696b72d2dc2502c2bd8153fb7fba5227b49ff46c95256aad56782996f
-
Filesize: 1.2MB
MD5: 723f832b594cfdaa7758e50a9a9f3986
SHA1: fb74d5038c5dd8c9c34d06c215715571877652c9
SHA256: 22c0ff6d0f4fed21a9809b691718e256c62417b5d056c4b542cd32c83d062e86
SHA512: f37455aebe1181d72e75cf7fa89810994cfa7aedd4349a4f9885bf1907466abe588b82f0818e336691e8d7924d0b5396252674a2148c2f4a9415ec19cc7eaf2e
-
Filesize: 1.3MB
MD5: 73dd673d6dbc969b692e0e6871c42c71
SHA1: 98d0a8de410ed44089e3f87165ac7abeac68054e
SHA256: 8d41e370810cd655f36b2e103735bea5458d8ce68721c99f6db1c9b88a528dd5
SHA512: 2d56557c192cd786f564729a04079fe6821c8435b24a4811f6b5ba81a04aa16bf292460bf110d8ebbfb9620f6e945306eee7445fa6697f21d9ce998f04720a68