Analysis
-
max time kernel
139s
-
max time network
181s
-
platform
windows7_x64
-
resource
win7-20231023-en
-
resource tags
arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
-
submitted
24/11/2023, 17:08
Static task
static1
Behavioral task
behavioral1
Sample
78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
Resource
win7-20231023-en
General
-
Target
78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
-
Size
1.8MB
-
MD5
2e44a0605f61ead10fd05c924a344d3a
-
SHA1
62055dd8cbcc83e7bf36c0c44f5ef0bd09883769
-
SHA256
78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f
-
SHA512
2bd89a51b4b53a41752c3afd3982da4f89491c65fee55e95ab7317ca3a095e9845916fa9280ca99d9bd883d3b0d1cc59973b855d9db108cc87d85733b156b74a
-
SSDEEP
49152:Fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAmDmg27RnWGj:FvbjVkjjCAzJzD527BWG
Malware Config
Signatures
-
Executes dropped EXE 32 IoCs
pid | Process
468 | Process not Found
2684 | alg.exe
592 | aspnet_state.exe
1940 | mscorsvw.exe
1624 | mscorsvw.exe
856 | mscorsvw.exe
1476 | mscorsvw.exe
1464 | dllhost.exe
2132 | ehRecvr.exe
1712 | ehsched.exe
2124 | mscorsvw.exe
2652 | elevation_service.exe
2612 | IEEtwCollector.exe
1984 | GROOVE.EXE
2892 | mscorsvw.exe
1788 | maintenanceservice.exe
696 | msdtc.exe
1372 | msiexec.exe
1688 | OSE.EXE
2076 | OSPPSVC.EXE
1840 | perfhost.exe
2244 | locator.exe
564 | snmptrap.exe
1764 | vds.exe
2620 | vssvc.exe
2664 | wbengine.exe
2880 | WmiApSrv.exe
1756 | wmpnetwk.exe
956 | SearchIndexer.exe
2592 | mscorsvw.exe
3068 | mscorsvw.exe
2552 | mscorsvw.exe
-
Loads dropped DLL 15 IoCs
pid | Process
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
1372 | msiexec.exe
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
468 | Process not Found
748 | Process not Found
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bf32b3019c8e5786.bin | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateBroker.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateSetup.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\psuser_64.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_da.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_nl.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_it.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdate.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_th.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateComRegisterShell64.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_am.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_cs.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_uk.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_es-419.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_gu.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ms.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ja.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_sk.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ta.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\GoogleUpdateCore.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_en-GB.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_et.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Program Files (x86)\Google\Temp\GUMBAB7.tmp\goopdateres_ru.dll | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
-
Drops file in Windows directory 29 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B9C5C34F-DB72-4262-8527-13C19CD61CF1}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | aspnet_state.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B9C5C34F-DB72-4262-8527-13C19CD61CF1}.crmlog | dllhost.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
-
Modifies data under HKEY_USERS 40 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1B18720E-439D-4613-8136-339AA31A3584} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1B18720E-439D-4613-8136-339AA31A3584} | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value removed) | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2532 | ehRec.exe
592 | aspnet_state.exe
592 | aspnet_state.exe
592 | aspnet_state.exe
592 | aspnet_state.exe
592 | aspnet_state.exe
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2776 | 78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
Token: SeTakeOwnershipPrivilege | 592 | aspnet_state.exe
Token: SeShutdownPrivilege | 856 | mscorsvw.exe
Token: SeShutdownPrivilege | 1476 | mscorsvw.exe
Token: SeShutdownPrivilege | 856 | mscorsvw.exe
Token: SeShutdownPrivilege | 856 | mscorsvw.exe
Token: SeShutdownPrivilege | 856 | mscorsvw.exe
Token: SeShutdownPrivilege | 1476 | mscorsvw.exe
Token: SeShutdownPrivilege | 1476 | mscorsvw.exe
Token: SeShutdownPrivilege | 1476 | mscorsvw.exe
Token: 33 | 2928 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2928 | EhTray.exe
Token: SeDebugPrivilege | 2532 | ehRec.exe
Token: SeRestorePrivilege | 1372 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1372 | msiexec.exe
Token: SeSecurityPrivilege | 1372 | msiexec.exe
Token: 33 | 2928 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2928 | EhTray.exe
Token: SeBackupPrivilege | 2620 | vssvc.exe
Token: SeRestorePrivilege | 2620 | vssvc.exe
Token: SeAuditPrivilege | 2620 | vssvc.exe
Token: SeBackupPrivilege | 2664 | wbengine.exe
Token: SeRestorePrivilege | 2664 | wbengine.exe
Token: SeSecurityPrivilege | 2664 | wbengine.exe
Token: 33 | 1756 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1756 | wmpnetwk.exe
Token: SeManageVolumePrivilege | 956 | SearchIndexer.exe
Token: 33 | 956 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 956 | SearchIndexer.exe
Token: SeShutdownPrivilege | 1476 | mscorsvw.exe
Token: SeDebugPrivilege | 592 | aspnet_state.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2928 | EhTray.exe
2928 | EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2928 | EhTray.exe
2928 | EhTray.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
1832 | SearchProtocolHost.exe
1832 | SearchProtocolHost.exe
1832 | SearchProtocolHost.exe
1832 | SearchProtocolHost.exe
1832 | SearchProtocolHost.exe
1332 | SearchProtocolHost.exe
1332 | SearchProtocolHost.exe
1332 | SearchProtocolHost.exe
1832 | SearchProtocolHost.exe
1332 | SearchProtocolHost.exe
1332 | SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 1476 wrote to memory of 2124 | 1476 | mscorsvw.exe | 38
PID 1476 wrote to memory of 2124 | 1476 | mscorsvw.exe | 38
PID 1476 wrote to memory of 2124 | 1476 | mscorsvw.exe | 38
PID 1476 wrote to memory of 2892 | 1476 | mscorsvw.exe | 44
PID 1476 wrote to memory of 2892 | 1476 | mscorsvw.exe | 44
PID 1476 wrote to memory of 2892 | 1476 | mscorsvw.exe | 44
PID 956 wrote to memory of 1832 | 956 | SearchIndexer.exe | 59
PID 956 wrote to memory of 1832 | 956 | SearchIndexer.exe | 59
PID 956 wrote to memory of 1832 | 956 | SearchIndexer.exe | 59
PID 956 wrote to memory of 1936 | 956 | SearchIndexer.exe | 60
PID 956 wrote to memory of 1936 | 956 | SearchIndexer.exe | 60
PID 956 wrote to memory of 1936 | 956 | SearchIndexer.exe | 60
PID 1476 wrote to memory of 2592 | 1476 | mscorsvw.exe | 61
PID 1476 wrote to memory of 2592 | 1476 | mscorsvw.exe | 61
PID 1476 wrote to memory of 2592 | 1476 | mscorsvw.exe | 61
PID 856 wrote to memory of 3068 | 856 | mscorsvw.exe | 62
PID 856 wrote to memory of 3068 | 856 | mscorsvw.exe | 62
PID 856 wrote to memory of 3068 | 856 | mscorsvw.exe | 62
PID 856 wrote to memory of 3068 | 856 | mscorsvw.exe | 62
PID 956 wrote to memory of 1332 | 956 | SearchIndexer.exe | 63
PID 956 wrote to memory of 1332 | 956 | SearchIndexer.exe | 63
PID 956 wrote to memory of 1332 | 956 | SearchIndexer.exe | 63
PID 856 wrote to memory of 2552 | 856 | mscorsvw.exe | 64
PID 856 wrote to memory of 2552 | 856 | mscorsvw.exe | 64
PID 856 wrote to memory of 2552 | 856 | mscorsvw.exe | 64
PID 856 wrote to memory of 2552 | 856 | mscorsvw.exe | 64
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe
"C:\Users\Admin\AppData\Local\Temp\78375734256ec0496d502d83f423be349d98bdc68f8022eb2dc537c607785e8f.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2684
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1940
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1624
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:3068
-
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2552
-
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"
PID:2856
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
-
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2124
-
-
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2892
-
-
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2592
-
-
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:1464
-
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2132
-
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1712
-
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2928
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2652
-
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:2612
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1984
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1788
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:696
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1688
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2076
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1840
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2244
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:564
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1764
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2880
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
PID:1936
-
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Suspicious use of SetWindowsHookEx
PID:1332
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD5 c5e8dfe8a2519cb4db038ec61b65d7b5
SHA1 3d9b6ab33fc6aeb0a473a789817aba4accf2955c
SHA256 fb1716976d69e537e5057eb01d0bedc411ef86bd56e367571e04ce15686a73a2
SHA512 7b15fe209db2843763a10be1846c36dcce06be022840dc722b50d5ba88b99c5c71136106f5e6691d79ab878a70eb96a9ba94bfbf6311310eba080b8c2fa691aa
-
Filesize
30.1MB
MD5 d283a2d8a50c63d64f82f3829110d309
SHA1 653e45b6786fb5b7d9a4681b03d1aca40310739f
SHA256 f92da5e7a1dd8f2a1eef81ede1581a0653a44731f043158ab7e77896e8d2f694
SHA512 0eab123ade4db16ec8d748aa17a67295127ffd5e5cef02f9c78762c19cb043059de91a05fcf4c9695765033f2a4a4c038781358bec7772adfc9fbd98d9a54432
-
Filesize
1.4MB
MD5 c3bd7eef7fbb01f41831b5f835f61fac
SHA1 e8f3b804eb2830ca83c946e1e879669890a76399
SHA256 2d637ae4654e1c5cfaaadbbdc22c55f07b3f390d663417f6d1255fab492f238a
SHA512 837ec18012a0504b56d04e449457982a0b750093607d94f2829bc5013b4ce6308e8c6be738fab7a4d8bd9855e283d6bd2e112641f05665f737a9be68c632fa6a
-
Filesize
5.2MB
MD5 6e49332f3b02b9a8bf456c4fe109d82b
SHA1 3f25c03aea050fcc0f8f36c5ef2e8238a3eba0fb
SHA256 277d2b2e6bb75975667c52bd708303d4e798795a047ef26c8a6c1a1389e6a052
SHA512 04d9eb4798595d4f5b931cc77b724a313f20377f82b1060232c46d148e4a5c4761ba5ea070f81250287e90f9a4a9a5d17606333801846ce3b5e55ae425e5f7c3
-
Filesize
2.1MB
MD5 0fbccfbc326b589bf0c962e5dbee5484
SHA1 f31838e8acabbcf5b56b2be983a87b334455a3ac
SHA256 84213d52107e7a981149a11197de7a171efafddf6c3620f707574b847c89bd76
SHA512 c6ea8838c91e99699ba6de5edc2335ad09e5f028afac06b0291d9cdc1ed0227312a3f58f331225b4229bbf8ded57fb660b55e331390c83b62616411689a35c30
-
Filesize
2.0MB
MD5 d7ff3d0a227cb8086b1b10ed9531bdf7
SHA1 f641d66739448d2f4d72d1abb9749db6460afff7
SHA256 3ee28acc979ce5ddf7f8c5a9ade43d3502cc9cc5dfdb4fe589808be5dcad46d4
SHA512 7b22f844f69e8d14db3b97ac190bf4a41e5f7a6f1a87a031ee44ad1c360d6bd435fca5165fc7be2521c334ea6fe237bbce742dc31d19e1d8d16d814c5667fe15
-
Filesize
1024KB
MD5e287c6a78097236228e7c7bf1c126917
SHA14646ea95b4383c61e4f53833976f30be8502dbfa
SHA25612b50e27230031e40ba27cb602d67f1e8b5023a2679654b5937a1d95e5416973
SHA512f5de435bcb5f814ed0f9a994d49a10a3028da147b654e307bad81aeaba7efadb1518015bfe18a5985427847bc2fc1e384264e97b221655d012e1d2448133adb4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B