Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2023, 02:01
Static task: static1
Behavioral task: behavioral1
Sample: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Resource: win7-20230220-en
General

Target: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Size: 1.4MB
MD5: d6d89eff8ae95f17795daf44ddc35389
SHA1: a7cf42f11071fe319b4e73203ca8269fb38f008c
SHA256: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b
SHA512: 7228480e71aeca16edbfa221879c931090868eb95a59155520065785573994f201613460c6441861ac2ae575abe74717696fdfc2d14d484310ce723fea19fbc5
SSDEEP: 24576:4AETCN6fdDv7X8E7Rf/vj6ksjurjtBEmDUheyX7TFqktKOpnAxWB:Yw61XNxmkQismIhXNtZpAc
Malware Config

Extracted
Family: darkcloud
C2: https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures

Executes dropped EXE (44 IoCs)
pid | Process
464 | Process not Found
844 | alg.exe
316 | aspnet_state.exe
1252 | mscorsvw.exe
472 | mscorsvw.exe
1212 | mscorsvw.exe
1092 | mscorsvw.exe
1776 | dllhost.exe
1700 | ehRecvr.exe
1524 | mscorsvw.exe
1176 | mscorsvw.exe
1940 | mscorsvw.exe
884 | mscorsvw.exe
1892 | mscorsvw.exe
636 | mscorsvw.exe
1596 | mscorsvw.exe
980 | mscorsvw.exe
884 | mscorsvw.exe
1816 | mscorsvw.exe
1104 | mscorsvw.exe
944 | mscorsvw.exe
1396 | mscorsvw.exe
532 | ehsched.exe
1596 | elevation_service.exe
612 | IEEtwCollector.exe
2000 | GROOVE.EXE
1388 | maintenanceservice.exe
2072 | mscorsvw.exe
2184 | msdtc.exe
2300 | msiexec.exe
2432 | OSE.EXE
2480 | OSPPSVC.EXE
2604 | perfhost.exe
2664 | locator.exe
2748 | snmptrap.exe
2844 | vds.exe
2944 | vssvc.exe
3028 | wbengine.exe
2104 | WmiApSrv.exe
1060 | wmpnetwk.exe
2348 | SearchIndexer.exe
2548 | mscorsvw.exe
1736 | mscorsvw.exe
2648 | mscorsvw.exe

Loads dropped DLL (16 IoCs)
pid | Process
464 | Process not Found (8 entries)
2300 | msiexec.exe
464 | Process not Found (6 entries)
764 | Process not Found

Drops file in System32 directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\msdtc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\locator.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\vds.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\wbengine.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\msiexec.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\alg.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bbe60a4826a969e.bin | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\vssvc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1260 set thread context of 772 | 1260 | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe | 28
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
All 64 entries have description "File opened for modification" and Process fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe; the ioc paths are:
C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Java\jre7\bin\tnameserv.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
C:\Program Files\Java\jre7\bin\jabswitch.exe
C:\Program Files\Java\jre7\bin\keytool.exe
C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files\Java\jre7\bin\klist.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files\DVD Maker\DVDMaker.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Internet Explorer\iediagcmd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
C:\Program Files\Java\jre7\bin\servertool.exe
C:\Program Files\Internet Explorer\ielowutil.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
C:\Program Files\Java\jre7\bin\javaw.exe
Drops file in Windows directory (23 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{91834A6D-9812-4934-B72E-D04009A0D244}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{91834A6D-9812-4934-B72E-D04009A0D244}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
Modifies data under HKEY_USERS (34 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F4A44E56-033A-4463-B530-ACAD03B5BA56} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F4A44E56-033A-4463-B530-ACAD03B5BA56} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [value not preserved in this copy of the report] | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2572 | ehRec.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 772 | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Token: SeShutdownPrivilege | 1212 | mscorsvw.exe (4 entries)
Token: 33 | 880 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 880 | EhTray.exe
Token: SeRestorePrivilege | 2300 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2300 | msiexec.exe
Token: SeSecurityPrivilege | 2300 | msiexec.exe
Token: SeBackupPrivilege | 2944 | vssvc.exe
Token: SeRestorePrivilege | 2944 | vssvc.exe
Token: SeAuditPrivilege | 2944 | vssvc.exe
Token: SeBackupPrivilege | 3028 | wbengine.exe
Token: SeRestorePrivilege | 3028 | wbengine.exe
Token: SeSecurityPrivilege | 3028 | wbengine.exe
Token: SeManageVolumePrivilege | 2348 | SearchIndexer.exe
Token: 33 | 2348 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2348 | SearchIndexer.exe
Token: SeDebugPrivilege | 2572 | ehRec.exe
Token: 33 | 1060 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1060 | wmpnetwk.exe
Token: 33 | 880 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 880 | EhTray.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
880 | EhTray.exe (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
880 | EhTray.exe (2 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
772 | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
2800 | SearchProtocolHost.exe (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1260 wrote to memory of 772 | 1260 | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe | 28 (9 entries)
PID 1212 wrote to memory of 1940 | 1212 | mscorsvw.exe | 39 (4 entries)
PID 1212 wrote to memory of 884 | 1212 | mscorsvw.exe | 40 (4 entries)
PID 1212 wrote to memory of 1892 | 1212 | mscorsvw.exe | 41 (4 entries)
PID 1212 wrote to memory of 636 | 1212 | mscorsvw.exe | 42 (4 entries)
PID 1212 wrote to memory of 1596 | 1212 | mscorsvw.exe | 43 (4 entries)
PID 1212 wrote to memory of 980 | 1212 | mscorsvw.exe | 44 (4 entries)
PID 1212 wrote to memory of 884 | 1212 | mscorsvw.exe | 45 (4 entries)
PID 1212 wrote to memory of 1816 | 1212 | mscorsvw.exe | 46 (4 entries)
PID 1212 wrote to memory of 1104 | 1212 | mscorsvw.exe | 47 (4 entries)
PID 1212 wrote to memory of 944 | 1212 | mscorsvw.exe | 48 (4 entries)
PID 1212 wrote to memory of 1396 | 1212 | mscorsvw.exe | 49 (4 entries)
PID 1212 wrote to memory of 2072 | 1212 | mscorsvw.exe | 56 (4 entries)
PID 1212 wrote to memory of 2548 | 1212 | mscorsvw.exe | 71 (4 entries)
PID 2348 wrote to memory of 2800 | 2348 | SearchIndexer.exe | 72 (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indented entries are child processes of the entry above them.

C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
command line: "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
PID: 1260
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
    PID: 772
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\alg.exe
command line: C:\Windows\System32\alg.exe
PID: 844
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
PID: 316
- Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 1252
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
PID: 472
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID: 1212
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    PID: 1940
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
    PID: 884
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
    PID: 1892
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 240 -Pipe 1e8 -Comment "NGen Worker Process"
    PID: 636
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
    PID: 1596
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
    PID: 980
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
    PID: 884
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
    PID: 1816
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 274 -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
    PID: 1104
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"
    PID: 944
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
    PID: 1396
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
    PID: 2072
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
    PID: 2548
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 294 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
    PID: 1736
    - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
    PID: 2648
    - Executes dropped EXE
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 16c -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1524
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 16c -NGENProcess 170 -Pipe 180 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1176
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1776
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1700
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:532
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1596
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:612
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2000
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1388
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2184
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2432
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2480
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2604
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2664
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2748
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2844
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2104
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1283023626-844874658-3193756055-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1283023626-844874658-3193756055-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 6042⤵PID:3036
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1.4MB
MD5: 8c0ac33c474f7941c5505619221d9197
SHA1: 35db2ad58e3add44106e82b43c118b1014b201ed
SHA256: 30a8fa3b60b23555de2e2ae2e837484d4e48e05bd0ab304311c8ed5541abca7c
SHA512: 366b7e59912daa94dc7c49bfec4b3c118fc9ac1814a3901ccebba7d574de3f9a851d1053e7e0106ddaf6077e62b61140e49ea9a0f45690d6a9e889cc8baf221b
-
Filesize: 30.1MB
MD5: a8f10a7d67f1d52dbe309680d2e65f06
SHA1: 307f6d52e18d0f3b94cdff67ce67c0c36b6a03c8
SHA256: ebe2ea1cc6f5c551a363fa3e881e26a8e26d22f79f1150a49cdbe3a02c7d3a33
SHA512: 5c93a39c942a270a97582474a86441313f6dcdf41a7d9757e7638af8a9349956714d1057795b67bc546bf32e7d385defec4ea60339d58f1580416af83d4c553d
-
Filesize: 1.4MB
MD5: cf4a160b51a74e199b19a6bf2df3c255
SHA1: b4ad721dda60ec737ec2bf94b5e4143b938c3232
SHA256: b6bb673e1a1f5be86a858ed9782a4272bc3ebc566ff89984fa73f74fe194ecd3
SHA512: d3cd5517d35ba34c9e5c2f50697c2fc3a2e0195b918457600831d5d2be1a927837b54baac1bedf7449ba0b1d426e874f97526b0694028b5e9058fae2c9ffc6dd
-
Filesize: 5.2MB
MD5: 7ffa41525ac204db71284b6c86c20895
SHA1: d5f47d2ac25b109fcda5502528c5c4f1152e30f1
SHA256: 6f92c12174878c3dfec5dba9aa6384ee2de98bae744a6c1dba782483fa648da3
SHA512: ccf30e8678ae0580d5a55eaad27c16197833f9e3ed4c42abb62ad7a8c02f6cf335ac7145eec9a239512be52b025f3d1e225ae09ed3344ac13b4ba83a4625b531
-
Filesize: 2.1MB
MD5: 4892d8bf37ed59639aff75e6c5363b27
SHA1: 38c79e4481d1ba6af9dae3e241dbba1997850e87
SHA256: 285685b9d8126f3397c863455517cdc6ea3793bb3af649294dae2248de95de54
SHA512: fc61f4657a9d3b752dc6a6a2928f78cc16c501794d7c5715a2f9b5571e72204371b29d53967e0c42e0828529bd6f686391d97cc0c95039487ed3003950fe5b74
-
Filesize: 2.0MB
MD5: addfbcf3b74a3a0780839b517dfdef6c
SHA1: 0292e57270678a9eb787fa25f11e1059646e57a3
SHA256: f73ed83d6db8f95a1fec577791543c4b932c359461eda633992a7970f74804a2
SHA512: 260b9626e4b3bea4abb8df3e3fcd314b23cbc9101e8c8406e08c78c42a27521c18201a6e69090558d2d52499443d2378e45161ae77e7110f4b4584efe9553ede
-
Filesize: 1024KB
MD5: 799d113a8c86b6cbace6bcf31b44ae92
SHA1: 3b65338cc2472593acd647d19a010ce29d08f31d
SHA256: fceef6857cf96621c3bde221105dc8693f33282826248d0af03be72cf4fb7624
SHA512: 1aa44b19466184ee8ded91698da2bdf99d9b55b217a7b56f63e48af96e0aa932bdeaf90ec686151b312bc8def771015820d533e2bfd18a9b45d4dea4d8e6e3b9
-
Filesize: 1.3MB
MD5: 8dca48c21c74c673bc77409c238b421b
SHA1: 1ed5b5af57d5b262af362d52ccd01d8c855765f9
SHA256: 02b526812b3bca2f6fbaf7a1548dc55bb7be29ec34b1d42af25d8967bffc5ad6
SHA512: c703777ec690ba13fef6f9e9ea9aa4d417888cd03fcd6b87e7fe8b4b6dd46c9554055f0b029d0c50392119b3bc994a536b8edd9f9608cd138407000a2676d5db
-
Filesize: 1.3MB
MD5: 8dca48c21c74c673bc77409c238b421b
SHA1: 1ed5b5af57d5b262af362d52ccd01d8c855765f9
SHA256: 02b526812b3bca2f6fbaf7a1548dc55bb7be29ec34b1d42af25d8967bffc5ad6
SHA512: c703777ec690ba13fef6f9e9ea9aa4d417888cd03fcd6b87e7fe8b4b6dd46c9554055f0b029d0c50392119b3bc994a536b8edd9f9608cd138407000a2676d5db
-
Filesize: 872KB
MD5: 2a6e5bd09fbf858cace12c91112ad17a
SHA1: 94e2153e218af8c529abaa3ecfa0f920f8171b6d
SHA256: 993b4bb7f6cb3fc484ba17b01862369a747ac7f9880dadc493c773a253f9b7a0
SHA512: e8f798e269a6f133deeb83b8fb0d998fbc8e2739234293173889eb4c0d5361c4de5b3aed334db80379ee2043d95299a9b80e82dc453364019ada9a8ced8d397a
-
Filesize: 1.3MB
MD5: f38f19ddea367db1cad66d74e4cc8a87
SHA1: e68c473611fbd8c9407620ec88b95388aaaa791d
SHA256: 309be08192eb4147ffd39aff63727d72da39027b74e4bc2040a56a2e2e4ee2c8
SHA512: 2190f6d1e5996acfab1a7940782275f5c507e51462ce2bb6474aaa844437f5fd69a03ad5f3af6238e845b0e22301e38ede9f97e9acb3091546b69367d479377c
-
Filesize: 1.3MB
MD5: 8e40ac8dfcc594c1c0a012f49f1648ed
SHA1: 3a6ddd4b34879c7afd9d62f93ea76f93646d10f0
SHA256: bf907f63d345adbe5d129bf058f8ca1e8a457687e174629025c2098695ad3c5a
SHA512: 4a42ba8e784ff0bb4971f4be14e286c1a974199335a958ca2a96a6e8bb9773b195b3fbc70f3a95d4dc922ca38f66150158983998420d75ff1922d782efc5f6dc
-
Filesize: 1.3MB
MD5: 8e40ac8dfcc594c1c0a012f49f1648ed
SHA1: 3a6ddd4b34879c7afd9d62f93ea76f93646d10f0
SHA256: bf907f63d345adbe5d129bf058f8ca1e8a457687e174629025c2098695ad3c5a
SHA512: 4a42ba8e784ff0bb4971f4be14e286c1a974199335a958ca2a96a6e8bb9773b195b3fbc70f3a95d4dc922ca38f66150158983998420d75ff1922d782efc5f6dc
-
Filesize: 1.3MB
MD5: 8e40ac8dfcc594c1c0a012f49f1648ed
SHA1: 3a6ddd4b34879c7afd9d62f93ea76f93646d10f0
SHA256: bf907f63d345adbe5d129bf058f8ca1e8a457687e174629025c2098695ad3c5a
SHA512: 4a42ba8e784ff0bb4971f4be14e286c1a974199335a958ca2a96a6e8bb9773b195b3fbc70f3a95d4dc922ca38f66150158983998420d75ff1922d782efc5f6dc
-
Filesize: 1.3MB
MD5: fff031ce3401da76460fce598a508730
SHA1: d38539826e4603740f429556e21f23b902318cc7
SHA256: 1ce7c211b414f26e3711111061feb8b38ea64677c6a337c2eea32ffc5cdf2eb1
SHA512: 816b5cc10002a739b77df85d3d1d2457846fb573f55553c9ae4ce84e4db9b21171b299ea89bdab37ef6c2e325e5d100765f456e05d94022beda11ddc19f18cce
-
Filesize: 1.3MB
MD5: fff031ce3401da76460fce598a508730
SHA1: d38539826e4603740f429556e21f23b902318cc7
SHA256: 1ce7c211b414f26e3711111061feb8b38ea64677c6a337c2eea32ffc5cdf2eb1
SHA512: 816b5cc10002a739b77df85d3d1d2457846fb573f55553c9ae4ce84e4db9b21171b299ea89bdab37ef6c2e325e5d100765f456e05d94022beda11ddc19f18cce
-
Filesize: 1003KB
MD5: 5c5e0f5558d8940d025738f2443bf7dd
SHA1: 90c855b6d2af218dacd28334d46b00ee77eeba24
SHA256: 5cb380168c3da21037187a7dc16d5d2b04eed5fd0c4877bf4b44c3889d0c440c
SHA512: 3e0597b37dfc8170fccce775a948a5d3a4dbad1e747684d485b3321da6da04efb452bbc75df8c6a96ecd5a3c053c864b027a3596ae1ba0b3abe5c01805acdab7
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.3MB
MD5: 0982eab248aac62441f41758d740380a
SHA1: 66d5bfaa4ee7c62187bcbbf3710773644de803d8
SHA256: d64ac021eb0b053d725cdccf889012b1cbe22e329e9177c2a89b01c79374b49d
SHA512: e94c3108e91b35e834580618b18a0e911444918ff73a992d0fc936ec559f20bcf7351a11a2e5b1849b993de698159edb980dd31ea4b8e309729eeb59b23e4d5f
-
Filesize: 1.2MB
MD5: 61db0e0c6c0b7ce041358edf24a0bf63
SHA1: 82eb6ac5d6b817a74d092b8bb876749069be9c77
SHA256: f0b4a09a208f2ffda6ebaeb62d036c6586b451929366b9de972370a476d61612
SHA512: 08c239d8b1ed126b9746cf400c256e263dfc2b6cbbf1eccc1decb01f3278a9b01cb068a798706a40e7588d63fe2f592ab578429436c3f7cf50356225c951fdff
-
Filesize: 1.2MB
MD5: 864b33cba0e15a1a8fd77ec1f243b8dc
SHA1: 98096dd534f8796bc75dd8508685bfae9ed3af7b
SHA256: 672ca7fdb052a6f5cebdd3047f5f03568625686441353e6eb0dac934340fd16b
SHA512: 24d1669c8f2d946e8b542a6a2ffb033c0b9cd7a92f428a0db1411440d7c6b13b2828613ac43cc9403544ee1b10e419f96b9d9848aa9b69bfcf670597f88e2bc9
-
Filesize: 1.1MB
MD5: bff3240ee9944b98188a092d57107458
SHA1: 766fb30d60ba5b3c120b66736059289b8bfbd69b
SHA256: 337d93e37202614fcc19c38f8fb57aa5c0fc1a4f45d1e7beff700346d8ae33da
SHA512: 58f173c7396eed2d090d4539cad08a96bc1a77574ae0f5bd00ff5d9be2ed69e77fb90629159c0f8e3cffcd1f2fb117ececef1013c94bbb5f8429d4703d49be92
-
Filesize: 2.1MB
MD5: a733c58e0a71307c000f52293fb8fe6b
SHA1: a6059304496bb825cf185fa0c8f9d95b5f35c33d
SHA256: 7f359cda57df8f9c7ba40b0e4fc979f897f6d59a233dc47ce2674985ca3b419a
SHA512: 01b7b6df4bcfaa4b3e1639d284a7d1a61bc7ffa83f46d17c0adbd48ce2c6b2d26a94dd5a9aba926d7b7de287dd25bff1492384a50f189a599e9071ac95fc51be
-
Filesize: 1.3MB
MD5: 4f4156da2001bbcf6c32116587618c50
SHA1: a0f29ba0d071f1d887ec7cda34820d16bed599d4
SHA256: 5dbfcf0b97c8197a00bffc2383f22c9d7f0579aecca46d4ca48c3371c9912444
SHA512: d4f1783bb3da8264806e070d803f29d9f78a379d4d99e29fd81e4fae881935c830e0b9a1c4a601644c498d696e828a774ee8aeb43d8fb20f425c0ef8d743f86a
-
Filesize: 1.2MB
MD5: 5a486288084e2de8c976935a98759374
SHA1: 08ae217e000128b11e54fc553041a0e05d7cc5ae
SHA256: 1c705726bb9b8a8dea676b3172a88928c717652dcb6b5b78a0aa7d61afcf5b4d
SHA512: 4d8629b440838f91cf88908b73720a38bca87fe363f5c49e2b2c310ba0eb1c5b9b1031926665a7154ba6389a3284dd8c516b8977218d765c220a5b7660b8b240
-
Filesize: 1.3MB
MD5: 04caae227c79554954326ebcdb08ba59
SHA1: dc932cd112a6bf4af96590a6fc4f0af24c4de0e1
SHA256: 97296d73d97eadff61a06ff244412738f8bc50dbc2d5a60ec4ad5810e1e4a887
SHA512: 2030e0b9ec84fd2b73d8cb74afa4f5264bfdab3d47534da69dfd3ca88557bfb61dd3573b27e3cf8849c1efda3d679f1ac6f03c4ec49484d3a4da6374da55fae9
-
Filesize: 1.4MB
MD5: 8bafce7bed0713affc77fd1151b7d327
SHA1: cb2ece7dd248802022beb3cfab7191d6471dbb44
SHA256: 768040949f15ec681f7286d134c247f7690f72ffbd783e5a56ca2e3cab66b511
SHA512: 42462a57eb7c2f7f0e4f1c28b540bbd42501db40044a94824ccdea51e2b312d176acd6d94c517952966e690f1984f9dff468a81a0e5f1ff09136251934d3a2fd
-
Filesize: 1.3MB
MD5: 4584d66cb9c39947b1bc80b567c39124
SHA1: 01c3dea7f8e56a79de978d46bc1631ab776031cf
SHA256: faf670bfb310398d6bd5ac64f433f0c8ad7bfe44405168a36bca3d8b05edddce
SHA512: 94cc3e96562ca0b2231ee4287c66815f297f67ab692fe4e327f8a3074069b2100b0512dd1359f5ea22b598e3b70141de4b9fc0f7fed36326bd0619b5f7abdd0b
-
Filesize: 1.2MB
MD5: 02948b611320c81ef31c4149ec54bab2
SHA1: 89f32aa40e9145cca046cc98c28a4b0e80e9be9d
SHA256: ec51f061f4ebaa92327a4471ef81df731dc8b20adf97bb7959c2554e13b0ef85
SHA512: adbf864ee6fbf743606bd0ccfb08bb600699f7ecaffc61a17d8031eea85c6ffc397a83aa220bbf345c79a59df4c6a027a0ff2f9cec7015688bcb862881da7031
-
Filesize: 1.7MB
MD5: 822b855a0d4beb73d3b0862a28aa34d9
SHA1: af18018ff0c1f3644a05afe5cb66f2f11a18dcf1
SHA256: 303a2989f0ac12fd78bc9a288ee9e4d34130b2e1f83395ce6e2c11fbf4de5f40
SHA512: 000c959298b9f6f67c97b7ebf638c6bfeb8c5d42594583269b0abf65b14d38d928b05b06430f770bf77e08ed2e2a75a445a3fb733578f488bf730116141db128
-
Filesize: 1.4MB
MD5: 557e813249bab5b87b001c40b9cd0384
SHA1: 5f30dd693b00c152772f6ff08f715ea8b5ce37f2
SHA256: 644c5f3aac687a009d6414be4db137b1ab114a3d99455e8171ce765d3bd628fb
SHA512: 1786553aaa60e0f5f5bfa351c4f6e1a333e31a530ab811e5d1a48f2721af71587a5d8aaf33db609068a93a2f9c7e67db6ec05eb2ccc1c5495452e6d9d5d6c645
-
Filesize: 2.0MB
MD5: 75612b0d221ff1aa0ed6df9060031197
SHA1: ed016719f1c3922c55621904ea7739a8c12f3fd4
SHA256: fc3f171d323ea02b609fa0502f4f0cbc88d7438979b403e9ef062a92cbeface5
SHA512: b9701c09a8845a03a5725517c93ba8b4939a0d0159c37b970f449b97e667498d8cbf399b2ed9e5191c658a665ec7f2b84c553e16058cc2dd75188805777efde7
-
Filesize: 1.2MB
MD5: 9a9a1e5e35fd1e507dcb2ca5850c3958
SHA1: 9102538544a69c06a331b845fbc3f49a212be2d5
SHA256: ef83e79c8947697713640fea0c21e2fb1a9967d55d3005fc09fd054116a6d6cb
SHA512: 8418d943b71bdba1913ed451f145bda410fa9372bd993cf145ecf9a46f9f8a3664debaba1ee117b71c945e4493b50ca28d17d34e89d190a99b15f819abc39139
-
Filesize: 1.3MB
MD5: b39723407ade8ebdc516a98abd012ce7
SHA1: 51bd64136120383ae92041091d2653921412ec73
SHA256: e95dabe5aa94cefe665e56eb7b34b3712ededc42dfb4b713139ff9ed3b209042
SHA512: 48e6dfc658b6e3df01d49edd35a0963b1ab937d5f5ddb96c47050b3856457755ac4a9defb4736dc776687acbf242e4bcaba4fafadabf0f6fa797b64e6210c84e
-
Filesize: 1.3MB
MD5: 4584d66cb9c39947b1bc80b567c39124
SHA1: 01c3dea7f8e56a79de978d46bc1631ab776031cf
SHA256: faf670bfb310398d6bd5ac64f433f0c8ad7bfe44405168a36bca3d8b05edddce
SHA512: 94cc3e96562ca0b2231ee4287c66815f297f67ab692fe4e327f8a3074069b2100b0512dd1359f5ea22b598e3b70141de4b9fc0f7fed36326bd0619b5f7abdd0b
-
Filesize: 2.0MB
MD5: addfbcf3b74a3a0780839b517dfdef6c
SHA1: 0292e57270678a9eb787fa25f11e1059646e57a3
SHA256: f73ed83d6db8f95a1fec577791543c4b932c359461eda633992a7970f74804a2
SHA512: 260b9626e4b3bea4abb8df3e3fcd314b23cbc9101e8c8406e08c78c42a27521c18201a6e69090558d2d52499443d2378e45161ae77e7110f4b4584efe9553ede
-
Filesize: 2.0MB
MD5: addfbcf3b74a3a0780839b517dfdef6c
SHA1: 0292e57270678a9eb787fa25f11e1059646e57a3
SHA256: f73ed83d6db8f95a1fec577791543c4b932c359461eda633992a7970f74804a2
SHA512: 260b9626e4b3bea4abb8df3e3fcd314b23cbc9101e8c8406e08c78c42a27521c18201a6e69090558d2d52499443d2378e45161ae77e7110f4b4584efe9553ede
-
Filesize: 1.3MB
MD5: 8dca48c21c74c673bc77409c238b421b
SHA1: 1ed5b5af57d5b262af362d52ccd01d8c855765f9
SHA256: 02b526812b3bca2f6fbaf7a1548dc55bb7be29ec34b1d42af25d8967bffc5ad6
SHA512: c703777ec690ba13fef6f9e9ea9aa4d417888cd03fcd6b87e7fe8b4b6dd46c9554055f0b029d0c50392119b3bc994a536b8edd9f9608cd138407000a2676d5db
-
Filesize: 1.3MB
MD5: f38f19ddea367db1cad66d74e4cc8a87
SHA1: e68c473611fbd8c9407620ec88b95388aaaa791d
SHA256: 309be08192eb4147ffd39aff63727d72da39027b74e4bc2040a56a2e2e4ee2c8
SHA512: 2190f6d1e5996acfab1a7940782275f5c507e51462ce2bb6474aaa844437f5fd69a03ad5f3af6238e845b0e22301e38ede9f97e9acb3091546b69367d479377c
-
Filesize: 1.2MB
MD5: 864b33cba0e15a1a8fd77ec1f243b8dc
SHA1: 98096dd534f8796bc75dd8508685bfae9ed3af7b
SHA256: 672ca7fdb052a6f5cebdd3047f5f03568625686441353e6eb0dac934340fd16b
SHA512: 24d1669c8f2d946e8b542a6a2ffb033c0b9cd7a92f428a0db1411440d7c6b13b2828613ac43cc9403544ee1b10e419f96b9d9848aa9b69bfcf670597f88e2bc9
-
Filesize: 1.3MB
MD5: 4f4156da2001bbcf6c32116587618c50
SHA1: a0f29ba0d071f1d887ec7cda34820d16bed599d4
SHA256: 5dbfcf0b97c8197a00bffc2383f22c9d7f0579aecca46d4ca48c3371c9912444
SHA512: d4f1783bb3da8264806e070d803f29d9f78a379d4d99e29fd81e4fae881935c830e0b9a1c4a601644c498d696e828a774ee8aeb43d8fb20f425c0ef8d743f86a
-
Filesize: 1.2MB
MD5: 5a486288084e2de8c976935a98759374
SHA1: 08ae217e000128b11e54fc553041a0e05d7cc5ae
SHA256: 1c705726bb9b8a8dea676b3172a88928c717652dcb6b5b78a0aa7d61afcf5b4d
SHA512: 4d8629b440838f91cf88908b73720a38bca87fe363f5c49e2b2c310ba0eb1c5b9b1031926665a7154ba6389a3284dd8c516b8977218d765c220a5b7660b8b240
-
Filesize: 1.3MB
MD5: 04caae227c79554954326ebcdb08ba59
SHA1: dc932cd112a6bf4af96590a6fc4f0af24c4de0e1
SHA256: 97296d73d97eadff61a06ff244412738f8bc50dbc2d5a60ec4ad5810e1e4a887
SHA512: 2030e0b9ec84fd2b73d8cb74afa4f5264bfdab3d47534da69dfd3ca88557bfb61dd3573b27e3cf8849c1efda3d679f1ac6f03c4ec49484d3a4da6374da55fae9
-
Filesize: 1.4MB
MD5: 8bafce7bed0713affc77fd1151b7d327
SHA1: cb2ece7dd248802022beb3cfab7191d6471dbb44
SHA256: 768040949f15ec681f7286d134c247f7690f72ffbd783e5a56ca2e3cab66b511
SHA512: 42462a57eb7c2f7f0e4f1c28b540bbd42501db40044a94824ccdea51e2b312d176acd6d94c517952966e690f1984f9dff468a81a0e5f1ff09136251934d3a2fd
-
Filesize: 1.3MB
MD5: 4584d66cb9c39947b1bc80b567c39124
SHA1: 01c3dea7f8e56a79de978d46bc1631ab776031cf
SHA256: faf670bfb310398d6bd5ac64f433f0c8ad7bfe44405168a36bca3d8b05edddce
SHA512: 94cc3e96562ca0b2231ee4287c66815f297f67ab692fe4e327f8a3074069b2100b0512dd1359f5ea22b598e3b70141de4b9fc0f7fed36326bd0619b5f7abdd0b
-
Filesize: 1.3MB
MD5: 4584d66cb9c39947b1bc80b567c39124
SHA1: 01c3dea7f8e56a79de978d46bc1631ab776031cf
SHA256: faf670bfb310398d6bd5ac64f433f0c8ad7bfe44405168a36bca3d8b05edddce
SHA512: 94cc3e96562ca0b2231ee4287c66815f297f67ab692fe4e327f8a3074069b2100b0512dd1359f5ea22b598e3b70141de4b9fc0f7fed36326bd0619b5f7abdd0b
-
Filesize: 1.2MB
MD5: 02948b611320c81ef31c4149ec54bab2
SHA1: 89f32aa40e9145cca046cc98c28a4b0e80e9be9d
SHA256: ec51f061f4ebaa92327a4471ef81df731dc8b20adf97bb7959c2554e13b0ef85
SHA512: adbf864ee6fbf743606bd0ccfb08bb600699f7ecaffc61a17d8031eea85c6ffc397a83aa220bbf345c79a59df4c6a027a0ff2f9cec7015688bcb862881da7031
-
Filesize: 1.7MB
MD5: 822b855a0d4beb73d3b0862a28aa34d9
SHA1: af18018ff0c1f3644a05afe5cb66f2f11a18dcf1
SHA256: 303a2989f0ac12fd78bc9a288ee9e4d34130b2e1f83395ce6e2c11fbf4de5f40
SHA512: 000c959298b9f6f67c97b7ebf638c6bfeb8c5d42594583269b0abf65b14d38d928b05b06430f770bf77e08ed2e2a75a445a3fb733578f488bf730116141db128
-
Filesize: 1.4MB
MD5: 557e813249bab5b87b001c40b9cd0384
SHA1: 5f30dd693b00c152772f6ff08f715ea8b5ce37f2
SHA256: 644c5f3aac687a009d6414be4db137b1ab114a3d99455e8171ce765d3bd628fb
SHA512: 1786553aaa60e0f5f5bfa351c4f6e1a333e31a530ab811e5d1a48f2721af71587a5d8aaf33db609068a93a2f9c7e67db6ec05eb2ccc1c5495452e6d9d5d6c645
-
Filesize: 2.0MB
MD5: 75612b0d221ff1aa0ed6df9060031197
SHA1: ed016719f1c3922c55621904ea7739a8c12f3fd4
SHA256: fc3f171d323ea02b609fa0502f4f0cbc88d7438979b403e9ef062a92cbeface5
SHA512: b9701c09a8845a03a5725517c93ba8b4939a0d0159c37b970f449b97e667498d8cbf399b2ed9e5191c658a665ec7f2b84c553e16058cc2dd75188805777efde7
-
Filesize: 1.2MB
MD5: 9a9a1e5e35fd1e507dcb2ca5850c3958
SHA1: 9102538544a69c06a331b845fbc3f49a212be2d5
SHA256: ef83e79c8947697713640fea0c21e2fb1a9967d55d3005fc09fd054116a6d6cb
SHA512: 8418d943b71bdba1913ed451f145bda410fa9372bd993cf145ecf9a46f9f8a3664debaba1ee117b71c945e4493b50ca28d17d34e89d190a99b15f819abc39139
-
Filesize: 1.3MB
MD5: b39723407ade8ebdc516a98abd012ce7
SHA1: 51bd64136120383ae92041091d2653921412ec73
SHA256: e95dabe5aa94cefe665e56eb7b34b3712ededc42dfb4b713139ff9ed3b209042
SHA512: 48e6dfc658b6e3df01d49edd35a0963b1ab937d5f5ddb96c47050b3856457755ac4a9defb4736dc776687acbf242e4bcaba4fafadabf0f6fa797b64e6210c84e