Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 04/05/2023, 18:41
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Resource: win7-20230220-en
General
- Target: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
- Size: 1.6MB
- MD5: 3d1072986b88dc6184e40ba0df6acfc2
- SHA1: 3dced4443af3c9591c948c827ac5b02bd0d31029
- SHA256: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
- SHA512: 6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
- SSDEEP: 24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures
Executes dropped EXE 53 IoCs
pid | Process
464 | Process not Found
1072 | alg.exe
1932 | aspnet_state.exe
1880 | mscorsvw.exe
1820 | mscorsvw.exe
2008 | mscorsvw.exe
1608 | mscorsvw.exe
1420 | dllhost.exe
1768 | ehRecvr.exe
1980 | ehsched.exe
1404 | elevation_service.exe
1500 | IEEtwCollector.exe
1120 | mscorsvw.exe
992 | mscorsvw.exe
2152 | mscorsvw.exe
2172 | GROOVE.EXE
2324 | maintenanceservice.exe
2428 | msdtc.exe
2444 | mscorsvw.exe
2624 | mscorsvw.exe
2724 | msiexec.exe
2912 | OSE.EXE
2960 | mscorsvw.exe
3020 | OSPPSVC.EXE
2080 | perfhost.exe
2164 | locator.exe
2256 | snmptrap.exe
2396 | vds.exe
2228 | vssvc.exe
2544 | wbengine.exe
2744 | WmiApSrv.exe
112 | wmpnetwk.exe
300 | SearchIndexer.exe
2920 | mscorsvw.exe
484 | mscorsvw.exe
2856 | mscorsvw.exe
2180 | mscorsvw.exe
2424 | mscorsvw.exe
2660 | mscorsvw.exe
1616 | mscorsvw.exe
2152 | mscorsvw.exe
2624 | mscorsvw.exe
2344 | mscorsvw.exe
2536 | mscorsvw.exe
1764 | mscorsvw.exe
2580 | mscorsvw.exe
948 | mscorsvw.exe
3000 | mscorsvw.exe
2116 | mscorsvw.exe
2132 | mscorsvw.exe
2524 | mscorsvw.exe
1224 | mscorsvw.exe
1260 | mscorsvw.exe
Loads dropped DLL 16 IoCs
pid | Process
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
2724 | msiexec.exe
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
748 | Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\vssvc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\System32\alg.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\System32\msdtc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\locator.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\System32\vds.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\wbengine.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\dllhost.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\msiexec.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1b178fe2a5fe7035.bin | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1716 set thread context of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{C04B3A16-0AA6-4535-B606-13B42F7DBF8B}\chrome_installer.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Drops file in Windows directory 29 IoCs
description | ioc | Process
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8FCBB3C2-5924-453A-8A2E-61CFD685B2ED}.crmlog | dllhost.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8FCBB3C2-5924-453A-8A2E-61CFD685B2ED}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Modifies data under HKEY_USERS 52 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{043838B9-9EA8-4E89-81B0-10DE839B0C0D} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{043838B9-9EA8-4E89-81B0-10DE839B0C0D} | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
484 | ehRec.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeShutdownPrivilege | 2008 | mscorsvw.exe
Token: SeShutdownPrivilege | 1608 | mscorsvw.exe
Token: SeShutdownPrivilege | 2008 | mscorsvw.exe
Token: SeShutdownPrivilege | 1608 | mscorsvw.exe
Token: 33 | 1616 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1616 | EhTray.exe
Token: SeDebugPrivilege | 484 | ehRec.exe
Token: SeShutdownPrivilege | 2008 | mscorsvw.exe
Token: SeShutdownPrivilege | 2008 | mscorsvw.exe
Token: SeShutdownPrivilege | 1608 | mscorsvw.exe
Token: SeShutdownPrivilege | 1608 | mscorsvw.exe
Token: 33 | 1616 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1616 | EhTray.exe
Token: SeRestorePrivilege | 2724 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2724 | msiexec.exe
Token: SeSecurityPrivilege | 2724 | msiexec.exe
Token: SeBackupPrivilege | 2228 | vssvc.exe
Token: SeRestorePrivilege | 2228 | vssvc.exe
Token: SeAuditPrivilege | 2228 | vssvc.exe
Token: SeBackupPrivilege | 2544 | wbengine.exe
Token: SeRestorePrivilege | 2544 | wbengine.exe
Token: SeSecurityPrivilege | 2544 | wbengine.exe
Token: 33 | 112 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 112 | wmpnetwk.exe
Token: SeManageVolumePrivilege | 300 | SearchIndexer.exe
Token: 33 | 300 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 300 | SearchIndexer.exe
Token: SeDebugPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeDebugPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeDebugPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeDebugPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeDebugPrivilege | 580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeShutdownPrivilege | 2008 | mscorsvw.exe
Token: SeShutdownPrivilege | 1608 | mscorsvw.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1616 | EhTray.exe
1616 | EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1616 | EhTray.exe
1616 | EhTray.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
580 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
1548 | SearchProtocolHost.exe
1548 | SearchProtocolHost.exe
1548 | SearchProtocolHost.exe
1548 | SearchProtocolHost.exe
1548 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
1544 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 1716 wrote to memory of 580 | 1716 | SecuriteInfo.com.Win32.TrojanX-gen.29310.exe | 27
PID 2008 wrote to memory of 1120 | 2008 | mscorsvw.exe | 41
PID 2008 wrote to memory of 1120 | 2008 | mscorsvw.exe | 41
PID 2008 wrote to memory of 1120 | 2008 | mscorsvw.exe | 41
PID 2008 wrote to memory of 1120 | 2008 | mscorsvw.exe | 41
PID 2008 wrote to memory of 992 | 2008 | mscorsvw.exe | 42
PID 2008 wrote to memory of 992 | 2008 | mscorsvw.exe | 42
PID 2008 wrote to memory of 992 | 2008 | mscorsvw.exe | 42
PID 2008 wrote to memory of 992 | 2008 | mscorsvw.exe | 42
PID 2008 wrote to memory of 2152 | 2008 | mscorsvw.exe | 44
PID 2008 wrote to memory of 2152 | 2008 | mscorsvw.exe | 44
PID 2008 wrote to memory of 2152 | 2008 | mscorsvw.exe | 44
PID 2008 wrote to memory of 2152 | 2008 | mscorsvw.exe | 44
PID 2008 wrote to memory of 2444 | 2008 | mscorsvw.exe | 47
PID 2008 wrote to memory of 2444 | 2008 | mscorsvw.exe | 47
PID 2008 wrote to memory of 2444 | 2008 | mscorsvw.exe | 47
PID 2008 wrote to memory of 2444 | 2008 | mscorsvw.exe | 47
PID 2008 wrote to memory of 2624 | 2008 | mscorsvw.exe | 48
PID 2008 wrote to memory of 2624 | 2008 | mscorsvw.exe | 48
PID 2008 wrote to memory of 2624 | 2008 | mscorsvw.exe | 48
PID 2008 wrote to memory of 2624 | 2008 | mscorsvw.exe | 48
PID 2008 wrote to memory of 2960 | 2008 | mscorsvw.exe | 51
PID 2008 wrote to memory of 2960 | 2008 | mscorsvw.exe | 51
PID 2008 wrote to memory of 2960 | 2008 | mscorsvw.exe | 51
PID 2008 wrote to memory of 2960 | 2008 | mscorsvw.exe | 51
PID 300 wrote to memory of 1548 | 300 | SearchIndexer.exe | 62
PID 300 wrote to memory of 1548 | 300 | SearchIndexer.exe | 62
PID 300 wrote to memory of 1548 | 300 | SearchIndexer.exe | 62
PID 300 wrote to memory of 3032 | 300 | SearchIndexer.exe | 63
PID 300 wrote to memory of 3032 | 300 | SearchIndexer.exe | 63
PID 300 wrote to memory of 3032 | 300 | SearchIndexer.exe | 63
PID 2008 wrote to memory of 2920 | 2008 | mscorsvw.exe | 64
PID 2008 wrote to memory of 2920 | 2008 | mscorsvw.exe | 64
PID 2008 wrote to memory of 2920 | 2008 | mscorsvw.exe | 64
PID 2008 wrote to memory of 2920 | 2008 | mscorsvw.exe | 64
PID 2008 wrote to memory of 484 | 2008 | mscorsvw.exe | 65
PID 2008 wrote to memory of 484 | 2008 | mscorsvw.exe | 65
PID 2008 wrote to memory of 484 | 2008 | mscorsvw.exe | 65
PID 2008 wrote to memory of 484 | 2008 | mscorsvw.exe | 65
PID 2008 wrote to memory of 2856 | 2008 | mscorsvw.exe | 66
PID 2008 wrote to memory of 2856 | 2008 | mscorsvw.exe | 66
PID 2008 wrote to memory of 2856 | 2008 | mscorsvw.exe | 66
PID 2008 wrote to memory of 2856 | 2008 | mscorsvw.exe | 66
PID 2008 wrote to memory of 2180 | 2008 | mscorsvw.exe | 67
PID 2008 wrote to memory of 2180 | 2008 | mscorsvw.exe | 67
PID 2008 wrote to memory of 2180 | 2008 | mscorsvw.exe | 67
PID 2008 wrote to memory of 2180 | 2008 | mscorsvw.exe | 67
PID 2008 wrote to memory of 2424 | 2008 | mscorsvw.exe | 68
PID 2008 wrote to memory of 2424 | 2008 | mscorsvw.exe | 68
PID 2008 wrote to memory of 2424 | 2008 | mscorsvw.exe | 68
PID 2008 wrote to memory of 2424 | 2008 | mscorsvw.exe | 68
PID 2008 wrote to memory of 2660 | 2008 | mscorsvw.exe | 69
PID 2008 wrote to memory of 2660 | 2008 | mscorsvw.exe | 69
PID 2008 wrote to memory of 2660 | 2008 | mscorsvw.exe | 69
PID 2008 wrote to memory of 2660 | 2008 | mscorsvw.exe | 69
PID 2008 wrote to memory of 1616 | 2008 | mscorsvw.exe | 70
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1716
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 580
C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1072
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  PID: 1932
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1880
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1820
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2008
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 234 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 230 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 244 -NGENProcess 230 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 180 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 1d0 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 230 -Pipe 164 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 180 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1a8 -Pipe 234 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 27c -NGENProcess 278 -Pipe 180 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 270 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 274 -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1a8 -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 28c -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d4 -NGENProcess 274 -Pipe 1a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 290 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2524
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1224
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 154 -NGENProcess 15c -Pipe 16c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1260
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1420
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1768
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1980
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1616
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1404
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1500
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2172
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2324
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2428
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2912
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3020
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2080
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2164
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2256
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2396
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2744
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:112
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 6042⤵PID:3032
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1544
-
Network
MITRE ATT&CK Enterprise v6
Downloads