Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 15:36

Static task: static1
Behavioral task: behavioral1
Sample: fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Resource: win7-20231215-en

General

Target: fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Size: 1.8MB
MD5: 55dd7caa96c700a762ad3741e6202656
SHA1: 5b4b07e2f08dc0549ac1974b52e349f0ab162995
SHA256: fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8
SHA512: 454d982e1d9e430b8ebe2d64be0f2bd3c89804ea5a787096d54f713d8575a53e245f1fac18b3e3deb80695b278a0191debb50cde8b630b5f1ce6fe7153c731f1
SSDEEP: 49152:Ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyaB0zj0yjoB2:EvbjVkjjCAzJcB2Yyjl
Malware Config
Signatures
Executes dropped EXE (53 IoCs)

pid | Process
472 | Process not Found
2792 | alg.exe
2992 | aspnet_state.exe
308 | mscorsvw.exe
2020 | mscorsvw.exe
756 | mscorsvw.exe
2476 | mscorsvw.exe
2360 | dllhost.exe
2644 | ehRecvr.exe
684 | ehsched.exe
2932 | elevation_service.exe
2664 | IEEtwCollector.exe
2676 | GROOVE.EXE
592 | maintenanceservice.exe
2816 | msdtc.exe
308 | mscorsvw.exe
292 | msiexec.exe
2484 | OSE.EXE
2940 | OSPPSVC.EXE
2104 | perfhost.exe
1328 | locator.exe
1528 | snmptrap.exe
2912 | vds.exe
2108 | vssvc.exe
588 | wbengine.exe
2648 | WmiApSrv.exe
2168 | wmpnetwk.exe
2988 | SearchIndexer.exe
1808 | mscorsvw.exe
2768 | mscorsvw.exe
3032 | mscorsvw.exe
2800 | mscorsvw.exe
912 | mscorsvw.exe
1132 | mscorsvw.exe
2400 | mscorsvw.exe
812 | mscorsvw.exe
2552 | mscorsvw.exe
2740 | mscorsvw.exe
808 | mscorsvw.exe
1604 | mscorsvw.exe
2884 | mscorsvw.exe
2632 | mscorsvw.exe
1688 | mscorsvw.exe
2424 | mscorsvw.exe
440 | mscorsvw.exe
1012 | mscorsvw.exe
2408 | mscorsvw.exe
2628 | mscorsvw.exe
1672 | mscorsvw.exe
2384 | mscorsvw.exe
2216 | mscorsvw.exe
2596 | mscorsvw.exe
2472 | mscorsvw.exe
Loads dropped DLL (15 IoCs)

pid | Process
472 | Process not Found (x8)
292 | msiexec.exe
472 | Process not Found (x5)
760 | Process not Found
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (20 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ed44f9e6223c682a.bin | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | mscorsvw.exe
File opened for modification | C:\Windows\system32\dllhost.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | mscorsvw.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\System32\alg.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_fil.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_uk.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_hu.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_sr.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_zh-TW.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_ta.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\GoogleUpdateOnDemand.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_el.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\psuser.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\GoogleUpdateSetup.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_ro.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{F2D1DCEA-3974-4AE2-AC88-A893D86175E3}\chrome_installer.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_zh-CN.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | mscorsvw.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | mscorsvw.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_id.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM5976.tmp\goopdateres_th.dll | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | mscorsvw.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | mscorsvw.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | aspnet_state.exe
Drops file in Windows directory (36 IoCs)

description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E7068FA0-F933-4F82-9B50-E25B4AD1EB58}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E7068FA0-F933-4F82-9B50-E25B4AD1EB58}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{10146251-8D75-44F0-B92E-6DED3A5EBA3D} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a09465ebed55da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a034eec2ed55da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e00461f4ed55da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid | Process
2748 | ehRec.exe
2992 | aspnet_state.exe (x5)
Suspicious use of AdjustPrivilegeToken (33 IoCs)

description | pid | Process
Token: SeTakeOwnershipPrivilege | 1756 | fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe
Token: SeShutdownPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 2992 | aspnet_state.exe
Token: 33 | 2804 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2804 | EhTray.exe
Token: SeShutdownPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Token: SeDebugPrivilege | 2748 | ehRec.exe
Token: SeRestorePrivilege | 292 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 292 | msiexec.exe
Token: SeSecurityPrivilege | 292 | msiexec.exe
Token: SeBackupPrivilege | 2108 | vssvc.exe
Token: SeRestorePrivilege | 2108 | vssvc.exe
Token: SeAuditPrivilege | 2108 | vssvc.exe
Token: SeBackupPrivilege | 588 | wbengine.exe
Token: SeRestorePrivilege | 588 | wbengine.exe
Token: SeSecurityPrivilege | 588 | wbengine.exe
Token: 33 | 2804 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2804 | EhTray.exe
Token: 33 | 2168 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2168 | wmpnetwk.exe
Token: SeManageVolumePrivilege | 2988 | SearchIndexer.exe
Token: 33 | 2988 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2988 | SearchIndexer.exe
Token: SeDebugPrivilege | 2992 | aspnet_state.exe
Token: SeDebugPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 756 | mscorsvw.exe
Token: SeShutdownPrivilege | 2476 | mscorsvw.exe
Suspicious use of FindShellTrayWindow (2 IoCs)

pid | Process
2804 | EhTray.exe (x2)

Suspicious use of SendNotifyMessage (2 IoCs)

pid | Process
2804 | EhTray.exe (x2)

Suspicious use of SetWindowsHookEx (23 IoCs)

pid | Process
2348 | SearchProtocolHost.exe (x5)
1592 | SearchProtocolHost.exe (x18)
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 756 wrote to memory of 308 | 756 | mscorsvw.exe | 44 (x4)
PID 2988 wrote to memory of 2348 | 2988 | SearchIndexer.exe | 58 (x3)
PID 2988 wrote to memory of 932 | 2988 | SearchIndexer.exe | 59 (x3)
PID 2988 wrote to memory of 1592 | 2988 | SearchIndexer.exe | 60 (x3)
PID 756 wrote to memory of 1808 | 756 | mscorsvw.exe | 62 (x4)
PID 756 wrote to memory of 2768 | 756 | mscorsvw.exe | 63 (x4)
PID 756 wrote to memory of 3032 | 756 | mscorsvw.exe | 64 (x4)
PID 756 wrote to memory of 2800 | 756 | mscorsvw.exe | 65 (x4)
PID 756 wrote to memory of 912 | 756 | mscorsvw.exe | 66 (x4)
PID 756 wrote to memory of 1132 | 756 | mscorsvw.exe | 67 (x4)
PID 756 wrote to memory of 2400 | 756 | mscorsvw.exe | 68 (x4)
PID 756 wrote to memory of 812 | 756 | mscorsvw.exe | 69 (x4)
PID 756 wrote to memory of 2552 | 756 | mscorsvw.exe | 70 (x4)
PID 756 wrote to memory of 2740 | 756 | mscorsvw.exe | 71 (x4)
PID 756 wrote to memory of 808 | 756 | mscorsvw.exe | 72 (x4)
PID 756 wrote to memory of 1604 | 756 | mscorsvw.exe | 73 (x4)
PID 756 wrote to memory of 2884 | 756 | mscorsvw.exe | 74 (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe"C:\Users\Admin\AppData\Local\Temp\fe3b09d6694f5d4d103cb6395574cfca6c25a5d9926d43aec87f475f900925b8.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2792
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:308
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 23c -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 23c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1b4 -NGENProcess 188 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 290 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 30c -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 258 -Pipe 318 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2cc -Pipe 30c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2596
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2360
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2644
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:684
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2932
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2664
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:592
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2816
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:292
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2484
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2940
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2104
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1328
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1528
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2912
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2648
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:932
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1592
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
PID:2644
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
815KB
MD5 c2ec7fd2ba6247553bf0818a7406e26c
SHA1 9dae4c39b849bf63388363be86332a4837a28a59
SHA256 b4fdff4364b8f8174875e4c4bbf55f9b71c57d61ae6904ee3c947e606471c72a
SHA512 8f0519eacb33a0e7f639e6c45b953844bc4ac5c2866e482f6129585b4fd486c560d3ae119924749082a486f0a86df2c0dfe32baf2942245bc6159641cc68aa81
-
Filesize
4.6MB
MD5 8e9eb9feee5a4b5a8d84dd1b4b132df1
SHA1 eb5cf87402eaa3620ce0138ca23f9565aeab4745
SHA256 05bc59c33c783c439ce7b4666f0bd18b6ca6adaf2ad8520048824b24c1f1183d
SHA512 3b8d62219fb4f98ef00b61f5cc6b03da8ecc174d28ebac4b4567e8c9dd2fd77a6c5231370abd6b3289243ee5ba5c30cc43d3c23b41d43059e0b2b45abea427d1
-
Filesize
1.6MB
MD5 7b2908d13059513e03ab16610a7d22b6
SHA1 1ef1e9a9d14b8d90bc0f1775042d227ad47a9499
SHA256 228754f86a00de091fd4c44b507301c3d4cd5054fa3c1d32cdec6c50eccb8b26
SHA512 a8e5209a9dff6151dadf216a8588b9b8461f0fc2e6f7ca42911388a6754a2eebc3303e54cc7a2c3b18cdecc28b170733ce238f8bb5a5f772496cc195889c2e2f
-
Filesize
795KB
MD5 006aafddbd0d3148ad4032e92a7d8a11
SHA1 35bafe5120ae9c6bc54b96c6d0c14265e7154865
SHA256 682aef62a6796a72c635f11d99ade06a159459234e7ee0a5d89f154354b3bd08
SHA512 03d3406515f4e6c458020fa858bfe2b3755f6a44ef32f06f47400d965bc31eceaa562a79ce29843c891fdebc6c82641f14716e439ce4da49fd07607e48ce93a4
-
Filesize
1.8MB
MD5 e92332fec24be4816ef945cd68d6e3ca
SHA1 09383f6e379ef497293f1044840592879eebfaf3
SHA256 1e20f6744d67dd327b8e445bf9a263b6bd34a3c0f3e6bf0726640025a8862fbb
SHA512 27201f166ca5b2ea25ff05755e1e060ac18d0162e0c57f695c68cdc2b8b26b45b1132affddc12411e839dcb08bfa6d57c376fa6c80f129fe571776f79831df16
-
Filesize
294KB
MD5 6dbd3d96dc448fcd4180a2279e778521
SHA1 d34ee0033732958d339c2a35a51a0b121ad3a40d
SHA256 f2597e1e9337a9f7c5dc2789000ec192c5102472ce85924e57face0e971167e6
SHA512 36a537e25bec671ecf837a7c8bedffc266cdd871dc0e4e30a32aaeab2a69ba1076fc78236918e1fa8c11a24a6c49beacbcb1dd0c7b18ff920c069c2b55930cf9
-
Filesize
8KB
MD5 c1f5cb4ea815eaf1863c48339277f22c
SHA1 f61588a1a77e2c91fd89fbcd5a0a8e989345afb1
SHA256 860a105da0925606d57a79b161a34cc6c5334261acb4446e00c815b448a78c30
SHA512 704eb52140b633b2ccdc7d50002385f286c1080cbea2fc458e88cadd05a604bae55e8591ed584f032395338746f9ab77aa62ef94bb32e811b2fb7363f58009ea
-
Filesize
1024KB
MD5 6dd344290eaca3175552a8713f8ea4e7
SHA1 5027123405915bd3e1ec90b6846d0d333406045a
SHA256 92c24e5a452b3364186bce10e0b6e961ec6537aeec15279ed4ceddcb3d93b520
SHA512 3b7405576f2750e6c048fed28940d107ff560edce8c0a258d8eeb0dd3d04b7174a48cb82b91c383f2a9b92826ad807b4e6c45ccf508c33a96434712ddb4f82c0
-
Filesize
832KB
MD5 fd35034e9b7b1ae76cc38adf7a24662e
SHA1 e634e393db77e436f1008cd146fbd51bebe48fab
SHA256 9da3b57d7cf3246aee5ccdd57e49d1f14fc4beded7e8223089dd84b410fb16b3
SHA512 18079e8a9e3d7f7aea5428741627cb66fd225b84f17674d4d731ca6a0ae7fa992f52495b97bfdafab9f87a7a91abf85a163cd3cce843981ca57debf49bc1ac2a
-
Filesize
872KB
MD5 c5c270329cc4e013c48a6ba0fbba0598
SHA1 25dbb9ff529c7472aad13a0f4f6d63682680615a
SHA256 a8c500610240e33ed19082c2983702ffe24f058c07c2f74e6f20eaf4404c5fb3
SHA512 f67409514bce815d1877db5086cffd65350f8658bed08244dc185e0555f9a60758b0ad9d8a5f36c45967decae0be82862a02bc0bd166e8da06195bd351fc57eb
-
Filesize
1.5MB
MD5 eb2e94bcc93bd84514e7160d0391abf9
SHA1 f91e625071a85163ab3365f723cb4ee6a87c6b41
SHA256 d8aa22131985f1c45d4e3b7868676d31638b53a3f759193b02807b4e68cf01e4
SHA512 3977f1f9c17bb3c1e8068dce536390023c1e4f57840a2b370267af8110864623850c644aa4afd36949195271c94739a8ef439b5d7bf702363cf5d75a9cba24dd
-
Filesize
1.5MB
MD5 27961748d951b294eb0fb2b84d899f72
SHA1 52a1f699e7d52654804a02e6ae1ff5eda98bb399
SHA256 a0d2e0d0a2eaaa24ae5291c6727dddc1bbe3fd6249ce5ca6f5cd73d7732e6cd2
SHA512 0290dfee954f96dba139d7dffa8dd6088671ad100b43228e609d0760c5ab2617899c95be17ba55ee573c66ce41749169b8d42dffd3c768130e8d8d198fd7961e
-
Filesize
1003KB
MD5 7facb45148cc3c24e4da6aeb33537dfa
SHA1 9cddbdebd328759213c81d089bd2c9629181e734
SHA256 4dee0a1ff85c0cc5ee60b974e28013c15336655ab0c76c026ede8225142bcb41
SHA512 96552e42753d367e05c3382a37a9237fed3d0c0aa6a0e1719f957454a2c00d9753b493ede6078212ce10651d21fa20642f408632b3c05f072ea7616ec8e66135
-
Filesize
1.5MB
MD5 b9a4108b2dc48d6221af95971d6a42d8
SHA1 8ba7ec4e663f49e6e40df6fc73cd3a57c884077f
SHA256 02d6fb1e8da3d3008c012193e1e03e2ea232a607d0b97915d0edba7dab3df1ab
SHA512 88ffa63957cd977aebcdb1d0c7919320eb8bdabc5f60b0220d5612dc86a71420eab75ce206b4642b814d330c77e7d1e889fe5419e9cb00ef17bb9d19ddc81f06
-
Filesize
1024KB
MD5 aa62918f96e08a89f283b89ff0f1dc8d
SHA1 db0e20c71ef1fd90977d9b09f383429af5916d86
SHA256 12b0b5d5cfc5b0bb11766e16a72c6806fa6310629c1d1671a96109481aed6050
SHA512 e8561910787ba51ec875b557b1ec9e6e499c0bd50928a4b6a51a38e585061d9e6bd984bb28cbb92601eec707fcb023863ecb2a39a68cfadadb661e4759d40226
-
Filesize
512KB
MD5 ca357fa6ee2ccf82482b1c7505f7bb19
SHA1 ac66c9cf1220b858e7c41e82181521e609a79cd1
SHA256 0cf0b8d5989856a5680431647fe6e297d290d74f52bed2724eb6f67e8de03424
SHA512 dc770779a91543c1cb721b08a7c795881a90c82a6d4a9105eb838b1827d15f189acc455fefb6c68c8dd29d3c42ecca696e511b5e68c32514149651e65c879ac2
-
Filesize
186KB
MD5 5e6f3105bc703002c3f94966a9cec7bf
SHA1 414cf2e5810fc544a375ffdc9f9f4f783f8780aa
SHA256 782bcff0c06927398019b4247ed5f93965bf0d2b28d64aefe5505da1e054f83f
SHA512 1a9df4abcd2da5cf5e8e728c4bc9971b2e6d36bd4c27b819feaa5386215a2bbc64b14de701d566a2e9afd4b70896a13c0fbe9ce4d1bfa78bed11a469ef7d95c8
-
Filesize
423KB
MD5 77c9f30c469cb4507a8ffd49aae1d487
SHA1 547452d6caced9d6478ed496383c63316fab10c3
SHA256 80cc55c0c47572338fa948e413cd63d6e15a0bd6a4067221698317901addb48f
SHA512 c251f6646f1418e07e1ef297ed169fdcc93666e632d5454ddab9498b02ea872a8907e1d6d0a1682fc59e1962ff8ab875f9b4fcdea8d80574bae93dfea3965db1
-
Filesize
992KB
MD5 bc1ac7c58942d331ba5b2a63b10945ec
SHA1 a03ee2acff7b6e5d0b96f925a2aa42e55facb4ad
SHA256 0ade882fabfef05afbdb96ed4618cce0f4a58efb9a0de6f71da143702322aa83
SHA512 f449662778da1bba79705acc61ed65b0d49668209c0ca5f4de65a441b8e3c979a1d3a7c7133d4747c9523adfff530ba8ada515d3477c1a61caa2cb568179a0b9
-
Filesize
215KB
MD5 f0eb6b034f437717c5746b3585781b7b
SHA1 7e2cdae27481ed64916f63a3d7dd3024bef681c4
SHA256 9ea79e00acd6958c7c7b296ff5d3d5877e5cc4125ada41b0b80853185085aa70
SHA512 99e99b95f99a820e5c27ecfe72079e53fb9d86e66bd14481ae2185f23c2db5910ffa8df983e177ab3b72ff4cdd7de20e6cd8728c94fb27c836a5594e3b671464
-
Filesize
326KB
MD5 1ce071cbccd60b3a6abdd5bd013762c5
SHA1 d6a36c8e5e13fa2b55c2c0d9320aeb1ffc66b56d
SHA256 0494847de0629bcf6295bd167edef4290010d74f66bf32f4199a674fcda37b40
SHA512 154368cc87148dc47c6f6007d53e885c031c40c3a0cd0fad327c085fdeec936b89da6e6769411c84f159de1bb9905b15fa63654c451db8f4561f06a15d68ae88
-
Filesize
704KB
MD5 ba5b80e9820696d855ca4a113941bee6
SHA1 dd36025a8cd3128244e2a6cce6f2f9da7343d2f1
SHA256 83a3a552d652c390b899d8503716c11eb62caccdd0c89f34e4efbc9e8ed799dc
SHA512 535cac6449b00d142f7f05182fe098e18ba8b3a3d17b8293993edd9ede94f4fe0c6f834c126b42bfccb19365df0612d3b545d161161829cb4de7ad780f41d412
-
Filesize
502KB
MD5 b824594d837e7f2b898f96c2f43f7ad2
SHA1 c32aa81e6e079e498b84c68943f34534f7dc40d7
SHA256 dc103a1cd6aa2db386b40b900b62450d8112e7e39f2525e24eb11eb6be6a8d26
SHA512 df111cc90c0ef19f245c4f8390bc07ddc19d66b651baa411e9a4a2681ab62b8f4de4e4c1953aac1fc48ad86220ccb08086787f1332c136db6b79e07ee905fe50
-
Filesize
403KB
MD5 e268b323e318cfefc569d93a71f9ead1
SHA1 008ff098945f01c412f30e86f2142ba7578bb0a9
SHA256 addb07eb2cfeb9ffdde493e3e2c55885e0ba93863f02d922c178496508308789
SHA512 fe8f99c1457afc583d5184d76cbea1f0189ce1d861190a25152e93e14b36c92ecf433db7c7d3943ff9ce4ee1de74ab539cba9148d7412ff0761d1b02141c892f
-
Filesize
652KB
MD5 f3765a023756d7fe4cef2a8e45ba0cc0
SHA1 93e802fb99232184171927c6893a743656c93c3b
SHA256 edf7923f256d8510ee680a9ecef5a2f163c2097488b257f91be65f7a29247729
SHA512 6bf32b964f14ef78eee7d1163f9fbb4550049fb3b1e0a601988bfbd961a19a4978fd249b593f2fc8de5bc1cb8c236b5a7a306f838fee2e4cd83be03d3df64526
-
Filesize
608KB
MD5 28b75086e3c5d4dff2b15cd96bbe1c4b
SHA1 8fb58dbb227d2f65edff213814cc2d99eb330ebc
SHA256 18d6693c82d829a90cd83ba36447de4e5ab276047fb021f81312618409963d9c
SHA512 7e92004b50ce48a0c92821682494800c78b767fa11ea26649d6819898ad71031c6177ad4640679f81aa507249a9a81648d6cc24f25848a8a7c5e42d24bf49e1b
-
Filesize
1.6MB
MD5 cce8d8609b6bad6f104d9ffc79aee7ad
SHA1 7224cad7fb2aeabb1177884a38a7d72a55299332
SHA256 3f05d3eef25da66d4873651298ab2862ee5f43e28563140db35e20898c750d40
SHA512 651b39cf6f942d4189dad61f1c4ede6663985316e6301542058d57964d0936921f60c2c8c46ab8b9a5a2571284cc353be86485c138cea28ccf5cc5e603f15262
-
Filesize
340KB
MD5 271ee41db24bf6be461fa60f18c4dd88
SHA1 54a7b95dcb9b46e33541901b9b0666f1a92b0b06
SHA256 80bd28732d6ab9ac3bac694ff455ae2e6aa5197a998969f84fc15c0282f1e389
SHA512 6e4e09986fbca84e739b495e348090e29222d682d44c8da845c712fd7c1530792fe3699cae81c008beed5e1836c59a29d3379fbc48cb51d6a8b7757e02ace40a
-
Filesize
267KB
MD5 231e889ef39f6f616194373ce5fc07d3
SHA1 5fa02d414d90ab475bf448f66407c388ee4b7aaa
SHA256 f7028e5df0d882c89758735a25bc2f8f9c82fdb3de9f68698002059c49ed1d68
SHA512 17424482c6bd16989819dc7753fe7f053fcccadb5ed0acc6ec6ed34e5d9d15132a20aa96313deb00c9994be278b97ec5f1dd77e45c627abc28ebf251c37bccb2
-
Filesize
1.5MB
MD5 5cd898fb81d80157c4a748bc95d1cd5d
SHA1 0d5b530abfdba313174caffe000f64322312a36e
SHA256 45441019b15d2422708ec7d98248c2e62d054fcde668da6268a67eb4c3352cf2
SHA512 1b9f717639b4a751ae0cd236795a65c62c7934a083dd30a3c2a7aa29e8c68efc64feaff1d851660e3ee1caba07a3586f09c4a4b3fc9d43b00a39b6010994dd5c
-
Filesize
1.5MB
MD5 62f3a0346d756577e6d15c0c5589e5ec
SHA1 f98505d78b5533be8475c95c3d359c089c931398
SHA256 a083816601ee4a7eb1938ab94f6e5d7ff8f79374a8c59836b61de45a9a5b307e
SHA512 c600167b57d760555eb22efe289b0763281492be7f7b677a8ff25a0971d34bab915be945dfa851395f7e39c07b40e5adbc807f8f79e98275880b600c683eab14
-
Filesize
946KB
MD5 42d4e75de97d99d3732bed2cd536a4b1
SHA1 3ac03afb086faf5bb9f15bf4f355cc1120061b56
SHA256 fab4c551abf322ad68ddd282fa72109598678d791b7dd373fa7c827c1e431264
SHA512 b12efa7ee304eaf4653a86c62f259f70237ae4a1ddf0444beb39b8d5aa20eea27f07464b01a761a6649709d767d2782fecd6f789c9106c30f83146b18ba7af4d
-
Filesize
1.5MB
MD5 da2a01912330cca516d8efb9abdebee6
SHA1 9144cd1e99f53dc0d8f3740d4f6e9040bfa92984
SHA256 af6b53034b9a3eb85e35eb1d0473675a61b55a97aedebc925db88ae0f983ae5d
SHA512 509e5e22b6c1885b5876786a29336be3f3761fa66dc2745ae028fb23a9c5138b5eb51c6b39a8dbfaa63b6689505cf380c47e474010875571e7b82027872371ee
-
Filesize
1.4MB
MD5 a6ccc195ce1e90ca5463c6b6765e1a26
SHA1 51196a5255f4a6330f23d150a868bf2f0a491bbf
SHA256 673c6f2882f7dc7e096398e6282fe47143194b7ff41f155f6b62d797732d9a70
SHA512 97ef42f937a3f3d075e35948fb0dc886bc22fce2f4e52af3b07efa9bc5aaa7b973e39d00bd3fdb2c81ccb3042d2a56c0618ffddf1a8456b5934ed0c61a92e93f
-
Filesize
1.5MB
MD5 4632019270d242732a787bd62059820b
SHA1 2af3f988510001710fe45f4a8a79530a5b9c7b24
SHA256 2b3d6de06a2cf2c7aae8cccf549b8e01529914203b9aa805e20042c8901943a0
SHA512 1248cd0400b505e3ea72bfd73ddacfd0841279a596724e812a929661e10a22e4bbe17436190eec8d3167a66d7396ec19d33b5a814cc2d277ed710fd0a028e986
-
Filesize
1.2MB
MD5 ab639e2e5599620b01e0ea2cd08c5398
SHA1 07d17e3b6e62594b53bc76f938473d8546749dfc
SHA256 bafeea54c48fe4db293658aa27d768f9c7ca217c56631a2f5f27a656bcc10961
SHA512 fcfcd9367020ecc42d8a619e0fcc0382f5b730f77d074e9cf28ddb965199695abf23d93ee46b68c0948fc58a8e46ca10c446b11bba7b7aed63b5e528e823a021
-
Filesize
1.6MB
MD5 2f1fd85625244e970af1bfc6fa1d7895
SHA1 14021824cda4d1a2138034fe5d09edf04cb03f12
SHA256 50e95fea1e8be29acf2584c01e7466f23adc5453014bf8240c7c529a5c79e7f8
SHA512 ef8c86f238d6f8dd062875f2e7abe3e09289e1c99c9e7b8c8b781a49f759d8cafa803c37787e1567a3d9eecee8a083bd1f4750658c4e91f16c59facebbf857ba
-
Filesize
515KB
MD5 037a6ce6cde5903c65b15fe48918cd28
SHA1 fb5f1f5b466f4cfa000e804f8b729c1f6e77d9ca
SHA256 4415c93cf263340a73995caa364c030804411fc99ef44e94278b2e54bd049f81
SHA512 e80a66cea74c0fbc27746b337109fd5940ea08736914dc77779701bdf19646e771568242cd99094d60aa5af381fc693c6643bcbefbb60f94eb32d165a64c25eb
-
Filesize
773KB
MD5 e0553a75533fac07cfbb3f8ce8d285e7
SHA1 90016953afe51d3099950fb31be56299408d4ae8
SHA256 1e6db9eed849ce7a766f6df708cbd9df75c1b3596b4f531a995856b639df99d2
SHA512 d12ff4ab23606d4b568f31330b7c700ef1c737ab1402bdd81dd5a9a6e3e18015dd90cb06eef07e37256a8d03946135203d31493ca1ea10c2002380e59a7aa8e8
-
Filesize
879KB
MD5 1e50656b092a5b7c4b0bdcc80ad2447b
SHA1 0c429ecffa16f68110b0c6a58e7c87723efb9c2a
SHA256 dbf1b635e712b3c291110b47d78c8c1af820bdbafe9bb8055d0772c7d5aca81e
SHA512 5e28882fc55865d909a7651682a4f5a3a474310265e8ca13c1ce62bce1842387128269a3cf19ac50860d10b4465bcad60a4ddd86b0fcaa02f945759faa7653b6
-
Filesize
1.2MB
MD5 1d8e0e0a431a84bce74181be18579011
SHA1 fa490da24234bb4843c848b72f1faa4f68980ebf
SHA256 22be637794bdc690b67be7a06f7158e9ab39f54dd728f6dcd9d7bf01a3ef239b
SHA512 d4f7a060243de6d4edc9adb81dc371973bcf7d16fb88a6f6d9da65919d88e06882ae8c529513e5d6636d900b695baf1987f98ec08e716c0da7fcdbf6a5d0216e
-
Filesize
256KB
MD5 b7e4b8f955dcf8820a284ecc1e8d5ab9
SHA1 444bae7c618e5a2c357e962246e5f1bbd65442f7
SHA256 26f1124571cb56b73235c803aa501e459d8ec7a9f9b32a98ebe724a81fced743
SHA512 cda3d60d6584206502ca6a60897053288d081c4b78ea984b8d1b668436b0ea8f868f049955ddcf85167b4e8d1ae7728ea0b2b378de0b492686089d9b4f51588c