Analysis
max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags
arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted
24/11/2023, 22:58
Static task
static1
Behavioral task
behavioral1
Sample
bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
Resource
win10v2004-20231023-en
General
-
Target
bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
-
Size
1.8MB
-
MD5
9b49a7aa16b37e4a5dc0d7dadd2d62f4
-
SHA1
2cb7867e65c8c2772f40af2f7298717f8d581de1
-
SHA256
bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba
-
SHA512
135ac8b7e953a0a2be5f9ba7f9735cab3352995a44e05c0b432106f4aef2cda01b35a3f959dc4bb767f6cf47c2c6c5892a18efe137a2b549a27039cda829b6d4
-
SSDEEP
49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAEgDUYmvFur31yAipQCtXxc0H:qvbjVkjjCAzJCU7dG1yfpVBlH
Malware Config
Signatures
-
Executes dropped EXE 57 IoCs
pid Process
464 Process not Found
2628 alg.exe
552 aspnet_state.exe
1104 mscorsvw.exe
1980 mscorsvw.exe
2808 mscorsvw.exe
2320 mscorsvw.exe
2040 elevation_service.exe
2240 GROOVE.EXE
2272 maintenanceservice.exe
2176 OSE.EXE
2532 mscorsvw.exe
2716 OSPPSVC.EXE
2824 mscorsvw.exe
1644 mscorsvw.exe
1700 mscorsvw.exe
1836 mscorsvw.exe
2708 mscorsvw.exe
1456 mscorsvw.exe
1760 mscorsvw.exe
2356 mscorsvw.exe
620 mscorsvw.exe
612 mscorsvw.exe
2876 mscorsvw.exe
2124 mscorsvw.exe
1924 mscorsvw.exe
892 mscorsvw.exe
1664 mscorsvw.exe
2616 mscorsvw.exe
1580 mscorsvw.exe
472 mscorsvw.exe
2576 mscorsvw.exe
2792 mscorsvw.exe
2568 mscorsvw.exe
2264 mscorsvw.exe
1952 mscorsvw.exe
2044 mscorsvw.exe
2272 dllhost.exe
1152 ehRecvr.exe
2620 ehsched.exe
3024 IEEtwCollector.exe
2120 msdtc.exe
928 msiexec.exe
2952 perfhost.exe
2372 locator.exe
2824 snmptrap.exe
1672 vds.exe
860 vssvc.exe
968 wbengine.exe
1068 WmiApSrv.exe
1460 wmpnetwk.exe
2916 SearchIndexer.exe
1328 mscorsvw.exe
1088 mscorsvw.exe
1296 mscorsvw.exe
1588 mscorsvw.exe
972 mscorsvw.exe
Loads dropped DLL 15 IoCs
pid Process
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
928 msiexec.exe
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
464 Process not Found
748 Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 17 IoCs
description ioc Process
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b424bbec2abf0469.bin alg.exe
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe
File opened for modification C:\Windows\System32\alg.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe
File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe
File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe
File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe
File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe
File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE
File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe
File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe
File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE alg.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe alg.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_mr.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe aspnet_state.exe
File opened for modification C:\Program Files\7-Zip\7z.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe aspnet_state.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_bn.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_ar.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe alg.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe aspnet_state.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\GoogleUpdateComRegisterShell64.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe alg.exe
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe alg.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_hu.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe aspnet_state.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_id.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe aspnet_state.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe alg.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe alg.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\psuser.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe aspnet_state.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE aspnet_state.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe alg.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe alg.exe
File opened for modification C:\Program Files\Java\jre7\bin\java.exe alg.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe alg.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_zh-TW.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created C:\Program Files (x86)\Google\Temp\GUMBDD3.tmp\goopdateres_uk.dll bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe alg.exe
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe aspnet_state.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe aspnet_state.exe
Drops file in Windows directory 35 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe aspnet_state.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe aspnet_state.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe
File opened for modification C:\Windows\ehome\ehRecvr.exe aspnet_state.exe
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe aspnet_state.exe
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe
File opened for modification C:\Windows\ehome\ehsched.exe aspnet_state.exe
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{135F6FB5-CD26-4959-9B42-F07E1256CF0C}.crmlog dllhost.exe
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{135F6FB5-CD26-4959-9B42-F07E1256CF0C}.crmlog dllhost.exe
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe
Modifies data under HKEY_USERS 55 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie ehRecvr.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform OSPPSVC.EXE
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap SearchIndexer.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wmpnetwk.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer wmpnetwk.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SearchIndexer.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" ehRecvr.exe
Key created \REGISTRY\USER\.DEFAULT\Software wmpnetwk.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health wmpnetwk.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = … OSPPSVC.EXE
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software ehRecvr.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" SearchProtocolHost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" ehRec.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchProtocolHost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{AD40E661-DC3A-4AFC-912E-734E326FC566} wmpnetwk.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft ehRecvr.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ wmpnetwk.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" ehRec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" ehRec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
552 aspnet_state.exe
552 aspnet_state.exe
552 aspnet_state.exe
552 aspnet_state.exe
552 aspnet_state.exe
1964 ehRec.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2028 bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeDebugPrivilege 2628 alg.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeTakeOwnershipPrivilege 552 aspnet_state.exe
Token: 33 2548 EhTray.exe
Token: SeIncBasePriorityPrivilege 2548 EhTray.exe
Token: SeRestorePrivilege 928 msiexec.exe
Token: SeTakeOwnershipPrivilege 928 msiexec.exe
Token: SeSecurityPrivilege 928 msiexec.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeBackupPrivilege 860 vssvc.exe
Token: SeRestorePrivilege 860 vssvc.exe
Token: SeAuditPrivilege 860 vssvc.exe
Token: SeBackupPrivilege 968 wbengine.exe
Token: SeRestorePrivilege 968 wbengine.exe
Token: SeSecurityPrivilege 968 wbengine.exe
Token: SeDebugPrivilege 552 aspnet_state.exe
Token: 33 1460 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 1460 wmpnetwk.exe
Token: SeManageVolumePrivilege 2916 SearchIndexer.exe
Token: 33 2916 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2916 SearchIndexer.exe
Token: SeDebugPrivilege 1964 ehRec.exe
Token: 33 2548 EhTray.exe
Token: SeIncBasePriorityPrivilege 2548 EhTray.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Token: SeShutdownPrivilege 2808 mscorsvw.exe
Token: SeShutdownPrivilege 2320 mscorsvw.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
2376 SearchProtocolHost.exe
2376 SearchProtocolHost.exe
2376 SearchProtocolHost.exe
2376 SearchProtocolHost.exe
2376 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
2528 SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2808 wrote to memory of 2532 2808 mscorsvw.exe 40
PID 2808 wrote to memory of 2532 2808 mscorsvw.exe 40
PID 2808 wrote to memory of 2532 2808 mscorsvw.exe 40
PID 2808 wrote to memory of 2532 2808 mscorsvw.exe 40
PID 2808 wrote to memory of 2824 2808 mscorsvw.exe 42
PID 2808 wrote to memory of 2824 2808 mscorsvw.exe 42
PID 2808 wrote to memory of 2824 2808 mscorsvw.exe 42
PID 2808 wrote to memory of 2824 2808 mscorsvw.exe 42
PID 2808 wrote to memory of 1644 2808 mscorsvw.exe 43
PID 2808 wrote to memory of 1644 2808 mscorsvw.exe 43
PID 2808 wrote to memory of 1644 2808 mscorsvw.exe 43
PID 2808 wrote to memory of 1644 2808 mscorsvw.exe 43
PID 2808 wrote to memory of 1700 2808 mscorsvw.exe 44
PID 2808 wrote to memory of 1700 2808 mscorsvw.exe 44
PID 2808 wrote to memory of 1700 2808 mscorsvw.exe 44
PID 2808 wrote to memory of 1700 2808 mscorsvw.exe 44
PID 2808 wrote to memory of 1836 2808 mscorsvw.exe 45
PID 2808 wrote to memory of 1836 2808 mscorsvw.exe 45
PID 2808 wrote to memory of 1836 2808 mscorsvw.exe 45
PID 2808 wrote to memory of 1836 2808 mscorsvw.exe 45
PID 2808 wrote to memory of 2708 2808 mscorsvw.exe 46
PID 2808 wrote to memory of 2708 2808 mscorsvw.exe 46
PID 2808 wrote to memory of 2708 2808 mscorsvw.exe 46
PID 2808 wrote to memory of 2708 2808 mscorsvw.exe 46
PID 2808 wrote to memory of 1456 2808 mscorsvw.exe 47
PID 2808 wrote to memory of 1456 2808 mscorsvw.exe 47
PID 2808 wrote to memory of 1456 2808 mscorsvw.exe 47
PID 2808 wrote to memory of 1456 2808 mscorsvw.exe 47
PID 2808 wrote to memory of 1760 2808 mscorsvw.exe 48
PID 2808 wrote to memory of 1760 2808 mscorsvw.exe 48
PID 2808 wrote to memory of 1760 2808 mscorsvw.exe 48
PID 2808 wrote to memory of 1760 2808 mscorsvw.exe 48
PID 2808 wrote to memory of 2356 2808 mscorsvw.exe 49
PID 2808 wrote to memory of 2356 2808 mscorsvw.exe 49
PID 2808 wrote to memory of 2356 2808 mscorsvw.exe 49
PID 2808 wrote to memory of 2356 2808 mscorsvw.exe 49
PID 2808 wrote to memory of 620 2808 mscorsvw.exe 50
PID 2808 wrote to memory of 620 2808 mscorsvw.exe 50
PID 2808 wrote to memory of 620 2808 mscorsvw.exe 50
PID 2808 wrote to memory of 620 2808 mscorsvw.exe 50
PID 2808 wrote to memory of 612 2808 mscorsvw.exe 51
PID 2808 wrote to memory of 612 2808 mscorsvw.exe 51
PID 2808 wrote to memory of 612 2808 mscorsvw.exe 51
PID 2808 wrote to memory of 612 2808 mscorsvw.exe 51
PID 2808 wrote to memory of 2876 2808 mscorsvw.exe 52
PID 2808 wrote to memory of 2876 2808 mscorsvw.exe 52
PID 2808 wrote to memory of 2876 2808 mscorsvw.exe 52
PID 2808 wrote to memory of 2876 2808 mscorsvw.exe 52
PID 2808 wrote to memory of 2124 2808 mscorsvw.exe 53
PID 2808 wrote to memory of 2124 2808 mscorsvw.exe 53
PID 2808 wrote to memory of 2124 2808 mscorsvw.exe 53
PID 2808 wrote to memory of 2124 2808 mscorsvw.exe 53
PID 2808 wrote to memory of 1924 2808 mscorsvw.exe 54
PID 2808 wrote to memory of 1924 2808 mscorsvw.exe 54
PID 2808 wrote to memory of 1924 2808 mscorsvw.exe 54
PID 2808 wrote to memory of 1924 2808 mscorsvw.exe 54
PID 2808 wrote to memory of 892 2808 mscorsvw.exe 55
PID 2808 wrote to memory of 892 2808 mscorsvw.exe 55
PID 2808 wrote to memory of 892 2808 mscorsvw.exe 55
PID 2808 wrote to memory of 892 2808 mscorsvw.exe 55
PID 2808 wrote to memory of 1664 2808 mscorsvw.exe 56
PID 2808 wrote to memory of 1664 2808 mscorsvw.exe 56
PID 2808 wrote to memory of 1664 2808 mscorsvw.exe 56
PID 2808 wrote to memory of 1664 2808 mscorsvw.exe 56
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe"
Process tree level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:1104
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:1980
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Process tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:2532
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:2824
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:1644
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:1700
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:1836
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 268 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:2708
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:1456
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
Process tree level: 2
- Executes dropped EXE
PID:1760
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2356
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 298 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 230 -NGENProcess 22c -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 25c -NGENProcess 2a4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 230 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 22c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2044
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (tree level 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2040

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (tree level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:2272

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2176

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (tree level 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2716

C:\Windows\system32\dllhost.exe (tree level 1)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2272

C:\Windows\ehome\ehRecvr.exe (tree level 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1152

C:\Windows\ehome\ehsched.exe (tree level 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:2620

C:\Windows\system32\IEEtwCollector.exe (tree level 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:3024

C:\Windows\System32\msdtc.exe (tree level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2120

C:\Windows\eHome\EhTray.exe (tree level 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\msiexec.exe (tree level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\ehome\ehRec.exe (tree level 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWow64\perfhost.exe (tree level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2952

C:\Windows\system32\locator.exe (tree level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2372

C:\Windows\System32\snmptrap.exe (tree level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2824

C:\Windows\System32\vds.exe (tree level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1672

C:\Windows\system32\vssvc.exe (tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbengine.exe (tree level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\wbem\WmiApSrv.exe (tree level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1068

C:\Program Files\Windows Media Player\wmpnetwk.exe (tree level 1)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\SearchIndexer.exe (tree level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\SearchProtocolHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3618187007-3650799920-3290345941-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\system32\SearchFilterHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
PID:1936

C:\Windows\system32\SearchProtocolHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2528
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 1.6MB
MD5 49b4e663add885f2f365be597eedd835
SHA1 53749901e71a5fb91f84099e8487f74b2c90a33d
SHA256 f8a1c5bdc23bd87a95037684f7eec7749b1bfc9858d293a0231b22ada64f5e39
SHA512 91449e53696e58b8b4fa047027b28344aacd24c18e9fd67aff965cde413064babd933ad230e2254c499fb28f2b4ce191eb3aadad410874f396a663a42a3e468c

Filesize 30.1MB
MD5 370cff2d0b94646b0ee2d6813bef3905
SHA1 761c0ef5e680e7748331272fbca851f44457d3d7
SHA256 5d0099961ff8f52916a169f920ac774570936d865f095f482fb687838fc9a2e2
SHA512 07ca883caae3ee1cfc9067557387314d51b33899f7d2a0effa9e0ca257473c96c28254d057557a7ce63e19840a0e1d31e41596a2278ae2bf392e4fcd8a77b363

Filesize 1.6MB
MD5 efc2903543d4e84526c7f7f13c0da5e4
SHA1 d15ded44535ce1f710cc16b4d0f0b2aa6093541c
SHA256 67b13ad84ff212b4fa6a0a8bccd3ec987ef97960d13bb61e984a4342e7e30e0f
SHA512 d818b4cc21a7c2a6fa9e76a91822efa331404d15b510c975761492bb1c65d34219b0227f21c15e18747a4ca5f784962c3668aa0c837e353a7789ecbaba6be504
Filesize 5.2MB
MD5 91c9a3f447c0376b67742f4f5edafcb4
SHA1 9114783008b1571b1d331e706b3ca4b67efba212
SHA256 fc10b80e270fc940a41ae75c4fdefb8aa50e3f61ae9ce12ffe3759406ddad524
SHA512 7604931326c2b63d79b53132affe9a9d9b32747930f407ebbcc3fb3bb402e954c17cd4e74d324fe0f305a2679389101c98b21e10c69d8862e464fdf9c3abde78

Filesize 2.1MB
MD5 9862b83f9eb0a9ec36d20c9e9607eeb9
SHA1 bbc9d56db8727febeade7cfedf22758f74db1056
SHA256 9ecd27a3c6b2c4b67a88872e22e2167c962ac883a2449c91b9f1e553bfa62b6b
SHA512 06174efea2ef83437d61b66f1cf17e4f080c07eb240ce1442c7af4a202fdbc898b931166480aff393382739d4a633b991fcf4cb97d85e96312c210413684732d

Filesize 1024KB
MD5 1db916940271f23ec35b3b5cf3a35f2e
SHA1 ff6a4e490e59707716de26fbb8db44f82e279405
SHA256 b7aadeda32d1798a567c4372caadca92a947c07c611d5a1ff419103c259525fb
SHA512 d9dc838b7afd88c8a91c7b5cf021e6ae80b2868345141e7f0fdd31f636925525b5076d2c0f7b2cb733a9344a7913396c509348b72333d60f2aabad60e730d6a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Filesize 1.5MB
MD5 ce4bc33fccb4a19a7a05bbcd2d933be7
SHA1 29295a8fd8625df8512b674cdf263198f611f930
SHA256 8cf5bdcfd00c1829269a292b0510493013418ab3c6b52a5a00af4ddf039c6a25
SHA512 346a82966969631153ed37575f502b8aaae41bddb6bff985ed3f5767784cc76f83f16e07d519dca9015e48d4a6f57fe357e6a9d27b5c36f5660d65453939d9bf
Filesize 872KB
MD5 a04b36c471984ddd45827935c9143247
SHA1 64774b47f49a9fd17198a0ace25c1e867b493125
SHA256 34619ab884615203c00a8cfff0df31d3330a51fcdac95318326f23a6b33dc1b9
SHA512 94d13e3dfe1522275b41039b4129706216f15b5ece8248b0da67d7133b3af81233509aa525ad6b5749c5a32ab8d9fe734f2086304522f7dae9ee60c6a0743dbe

Filesize 1.5MB
MD5 4a84464f66498c87089972481afba2c4
SHA1 7e1c13d575d5c4c87d191b8f75f5d7c1373d4709
SHA256 fdc23ed065c2d9a3e0573dfe5aefcda62e599056f8075ab9fb7e44feec12e643
SHA512 468ea08661cf0b4e2eb5fb7a6686b0a040b0047005d01dad674a8265ab7928ca51042822ce7aa4468238793846f4806448dd3edb6015b91d3c3a6d97e5046760

Filesize 1.5MB
MD5 4b71470cc246a68443af2490a0875d03
SHA1 2145dfc6cf357708193ddf2f3f0b6cd005e54b30
SHA256 a7a2295dbd17c97eb762afe7739a02a013938fd9fa79bff27e85061ae3272cd8
SHA512 a26bda4300b85c096be9140865c57d779b51434890797624e47d9051d3329f9f13190779e383bae2379d0362958b95baf37e2d741b1080d950eff7f21127f84e
Filesize 1.5MB
MD5 c31de44bc0d326752bc7fd6981812b3d
SHA1 2a67424c94d682c537f30f72dd2329fca71d0443
SHA256 c482fce17222f464189b48eed2819f5e465b12efc7c4b81d4c6b48af5906ba41
SHA512 cf11e0133eec5d96d4006cf8c1b64eeff281808ce84b3b6a02615fbf14f1a3eea2a44a6c577829b5511eca98d5811cdc959a06de9f3ed4a4e61c71647fcf349e
Filesize 1003KB
MD5 84742ea550b10d8001dbd2e16a63815b
SHA1 d2a447c4783b8f49c2b2fd6b8a097784faf95ae2
SHA256 1658a0f009bb1fbd044b5972aaca57ee3858f75c675e5253cc8c04b6fd5796c5
SHA512 3a4980476a00ffb193acf127a3c5b83a2e921369ea5be936dcc65ea0c6c742a2d1942b3cf7c4ca45e0d54fc328f757e967e0ab4d7477b20dd6abb18c9bc26f28

Filesize 1.5MB
MD5 e67f4ec6a68aac377dd5408a5804e402
SHA1 b0bd80e33569eb07977592086c2c29a4a0dafff0
SHA256 ce30a8bfda210ed9aac7107be22e44e1828456ef1bbd810623dddb97ee413576
SHA512 4c68103ca6a3d4641207c5ea4123e19c34de973715b7725cfc7b39057abcb234a6685f350ac53a9f0ccfe15ad9ae7f5982855a511d5dfd72eacf4a3818e67487
Filesize 1.4MB
MD5 fc9e4e860440f701c587576716d4f17b
SHA1 4b2a82ab99d97abe15f704e64d54bba0dcebb449
SHA256 8b6eff9fd3c1c94ba053b030fcd2767712e5e14a0366a241a2c53eeb80cf84c7
SHA512 b493fdb94a6bed00c27bdf9e2f6783a13ec3d3efe4474284da6889a553e39fbc736c56d2feec3ac1cd63489c868a5cb9c665f50bf186f29ab3b45f5d5eaceb26

Filesize 1.4MB
MD5 409c3c73e6fea496b7db8df4ba156f42
SHA1 e6c900978b9ef2f8e4bb028ea11cb504b78d0312
SHA256 bd865ac4aeb249a483c1e46791ff23ccede15a57071c1b7addf94c57f37568ea
SHA512 c86b4c29c64ee5458ff4f2a794d4f31a83a362d72967831bee445cb089742ceaedfa8541e62294f7a84d93e4a7e3ce5fcf67ce55786b26765873380605b50fcd

Filesize 1.5MB
MD5 b4bebc487d01400aa64d2c1a6e9f7b8f
SHA1 d0196683648dbe3951067ecb51624a88db476a71
SHA256 a3bd1903e3d0c5f9d97649993ae58d62aca13ab39ef7594f53bca4e1f17b040c
SHA512 273d279fc6edf4b02ae38b2fcc92f0f96cc246b60a21a719cb699312faac549457f9b916e24f37d269efb7a5b805bbcedaf44d6fa53d93932f79018a523f2eb4

Filesize 1.4MB
MD5 8aec763ac134ecf0a9647d479070b0d6
SHA1 06fa7cb6a2604303a684024c2b0226f5e026d7f2
SHA256 d78d063e2b6d1823847c6721e40d905e87300b3da22ef176fbb96a790e7728dd
SHA512 fa574a6889a3c91f2e716fee656c105f8ad70f469f08dfd1ce3f3cbc3acc91c35066aac83b090a36ddb588311a379d2b26c32ec4cea7efa80b3003c9d5a67138

Filesize 1.5MB
MD5 156ff6515290a68c0306ac4d76e81ef9
SHA1 453d41fbfdd89f982a359fc7080bb2260b321398
SHA256 ecadd7091eaa2180986f2c3e28b5407920c18a7a6bcf0055c35258457bb56c83
SHA512 db171f36569702dc8d8ff3548cc1e77da87b98366e563d10d29deca3e0c1788a1795a52a37ffe371763e5b1788dac86fc5461358e34a2b8fd031484668b07699

Filesize 1.6MB
MD5 b2217b93c6e9af5871f2a187c99b0bb8
SHA1 f30862505b681f2de4fb628bf71f9b19fc45344b
SHA256 97005107b34e9d33154671d9822e7ed89315942b6f489828cc46ba5cd8999153
SHA512 42b89ac54d9b7a1e4f2f367fe1031ea8d0ea38eb1214d3335fed634b66282a75da92a9c7042066bde49369d2ecb94a68085e6d99dc5d1ba5ffb002f0ff1b472c

Filesize 1.5MB
MD5 41ab4ce7a773dff467fb8f93d5fe74fe
SHA1 fa7469f695e8da89d63ad085249be954a1a392cb
SHA256 22626e1252d37d2600565b1aa82d7a208a6ba897171120e9013caccb3fdebfca
SHA512 cecd9fe59f8dfee4721355347205628c1ad168422a79a0a7073f9c59c10ef13231d04169417b41eeda8877efd2fa8f4011997a5c0dbd9a0bb5a3e95fb0da4e19

Filesize 1.4MB
MD5 bf96590479a5f6fd9b7425d12b577177
SHA1 5ac4f59ac6db1d160971e459e21ef78f57208253
SHA256 1d56843138f590fa56c73ff1a9674c2762e97e46acc32ab83e379034e1630a0c
SHA512 d8df14436e74c1a6511e232d231297e18fdefae384c186363fb517a2b3a01f19c6fe83cf936391f406a7a0a9516a8715c01980a3de0cbcfbf6201e8ec9a5c767

Filesize 1.9MB
MD5 d095fd0df4f4f712b5ca568e4c979a35
SHA1 eff63e8229b36291d88fc9f0cc1c89b6657d73a1
SHA256 363a9ada0cadc3f2e1ae4cad8d32ddc31f7a76830c8fffdfa4a537aad769e548
SHA512 9d70edbbb9541703f2f18f8319b9152a29cc95290dd65450e5d70a0c14c5ae71507cb92e3eec4ef7b2c2a5c07a0cd6550920bb1aeadf63acca23c0901f9e8791

Filesize 1.2MB
MD5 cfb242bb138bba3da2937aaee8760685
SHA1 254d2fa02bd8bf7368ef7660b0598896aebc69a0
SHA256 2898d3feb451a7d2feef01ed73d2528db8ec7b20d56dc65a66588cd1a358c5e4
SHA512 1a9e47f721b28336511d009951e50f786462c44e34c707d04ca236c3e8a70640b3bd44485c99d0c84464f9066078f9d67e4818fa1486f1b214f67732e50070ef

Filesize 1.6MB
MD5 831cbde60e231462f54308dbd37c9bcb
SHA1 07055537b67da069d31596bfa94402971db3292a
SHA256 906450a04495c2e71579c3a1986fa8f560d8200d136284dfc68edcd9c0d9ebc9
SHA512 4635e5f5ae352338d987966509a00073b5e36f94523db03a8887d8830850f54de56ce40a3837b25657cf9fdc0020ed803989e0eb6a5ee1316ed1dd3c06eb8906