Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 19:32

Static task: static1

Behavioral task: behavioral1
  Sample: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  Resource: win10v2004-20231215-en

General

Target: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
Size: 1.3MB
MD5: 43d79758c4e559fb06bcd479224964d4
SHA1: b79894f6816e2cf20a34c69a2e58eddefce870ba
SHA256: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1
SHA512: e8462af270091a86f62cb28950c41dfe0c03dd79fa96c8c80eb345dcd8be1434becc2eace541011037542cdfefd53568f906d3db6b07792804d4cc0b9f3a3f3a
SSDEEP: 24576:8A9B9Cks7WE9F5pwg8zmdqQjC60jiHkU:8g9Cks7R9L58UqFJjskU
Malware Config
Signatures

Executes dropped EXE (36 IoCs)
The names below are those of legitimate Windows, .NET Framework, Office and third-party service binaries at their normal paths; the sandbox counts them as dropped because the sample, and alg.exe itself, opened those same files for modification (see the Drops file signatures further down).
Processes (pid, process):
  464   (no process name recorded in the report)
  1576  alg.exe
  2096  aspnet_state.exe
  2732  mscorsvw.exe
  2540  mscorsvw.exe
  2336  mscorsvw.exe
  2988  mscorsvw.exe
  2824  dllhost.exe
  444   ehRecvr.exe
  1208  ehsched.exe
  2200  elevation_service.exe
  1440  IEEtwCollector.exe
  2164  mscorsvw.exe
  1068  GROOVE.EXE
  2460  maintenanceservice.exe
  1596  msdtc.exe
  1108  mscorsvw.exe
  2580  msiexec.exe
  3012  OSE.EXE
  2436  OSPPSVC.EXE
  1960  perfhost.exe
  2100  locator.exe
  1572  snmptrap.exe
  2664  vds.exe
  2712  vssvc.exe
  2480  wbengine.exe
  1976  WmiApSrv.exe
  1776  wmpnetwk.exe
  2868  SearchIndexer.exe
  1968  mscorsvw.exe
  1364  mscorsvw.exe
  1548  mscorsvw.exe
  2352  mscorsvw.exe
  2556  mscorsvw.exe
  1944  mscorsvw.exe
  1436  mscorsvw.exe
Loads dropped DLL (15 IoCs)
Processes (pid, process; rows in report order):
  464   (8 rows, no process name recorded in the report)
  2580  msiexec.exe  (1 row)
  464   (5 rows, no process name recorded in the report)
  760   (1 row, no process name recorded in the report)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
The report attributes no process to this signature.
Drops file in System32 directory (19 IoCs)
Processes: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe, alg.exe, GROOVE.EXE, msdtc.exe
description / ioc / process:
  File opened for modification  C:\Windows\system32\locator.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\System32\alg.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\System32\msdtc.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\SysWow64\perfhost.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\IEEtwCollector.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\msiexec.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\wbengine.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\IEEtwCollector.exe  alg.exe
  File opened for modification  C:\Windows\system32\vssvc.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\SearchIndexer.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  GROOVE.EXE
  File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
  File opened for modification  C:\Windows\System32\snmptrap.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\System32\vds.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\c995897c0d5d3a4.bin  alg.exe
  File opened for modification  C:\Windows\system32\dllhost.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\system32\fxssvc.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
Drops file in Program Files directory (64 IoCs)
Processes: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe, alg.exe
description / ioc / process:
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe  alg.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\pingsender.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\orbd.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe  alg.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE  alg.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\klist.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe  alg.exe
  File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Internet Explorer\ieinstal.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\tnameserv.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\uninstall.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\jabswitch.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe  alg.exe
Drops file in Windows directory (34 IoCs)
Processes: mscorsvw.exe, msdtc.exe, alg.exe, mscorsvw.exe, a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe, mscorsvw.exe, dllhost.exe, mscorsvw.exe
description / ioc / process:
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log  mscorsvw.exe
  File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
  File opened for modification  C:\Windows\ehome\ehsched.exe  alg.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\ehome\ehRecvr.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D4BC4806-D804-4568-ABA8-83D6AC0805A4}.crmlog  dllhost.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
  File created  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  mscorsvw.exe
  File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D4BC4806-D804-4568-ABA8-83D6AC0805A4}.crmlog  dllhost.exe
  File opened for modification  C:\Windows\ehome\ehRecvr.exe  alg.exe
  File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  alg.exe
  File created  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat  mscorsvw.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\ehome\ehsched.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log  mscorsvw.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe  alg.exe
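The three Drops file signatures above are the part of this report an incident responder acts on: the sample opened existing Windows, .NET and third-party executables for modification, and alg.exe, one of the binaries it touched, then did the same to further executables. The script below is an added example, not part of the sandbox output or of this report. It parses rows in the report's three-column shape into records, separates executables opened for modification from the log and lock files written by mscorsvw.exe and msdtc.exe, lists the processes that overwrote executables after being overwritten themselves, and produces the deduplicated path list whose Authenticode signatures and hashes should be checked on a suspected host. REPORT_ROWS is a constructed subset of the rows above; the function names and the classification rules are mine.

```python
"""Turn the 'Drops file in ...' rows of a sandbox report into a host-verification
list.  Added example, not sandbox output: REPORT_ROWS is a constructed subset of
the report rows, and the classification logic is the author's own."""
import re
from collections import defaultdict

SAMPLE = "a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe"

# One report row is "<operation> <path> <process>".  Paths contain spaces
# ("Program Files (x86)"), so the path is anchored on the drive letter at the
# front and on the process image name (the last whitespace-free token) at the
# end; the non-greedy path can only stop at the final whitespace.
ROW_RE = re.compile(
    r"(?P<op>File opened for modification|File created)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<proc>\S+\.exe)$",
    re.IGNORECASE,
)

# Constructed input: rows copied from the System32, Program Files and Windows
# signatures above, enough to cover every row shape that occurs in them.
REPORT_ROWS = [
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\msiexec.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe {SAMPLE}",
    f"File opened for modification C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AdobeCollabSync.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    "File opened for modification C:\\Program Files\\7-Zip\\7zG.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\c995897c0d5d3a4.bin alg.exe",
    "File created C:\\Windows\\Microsoft.NET\\ngenservice_pri1_lock.dat mscorsvw.exe",
    "File opened for modification C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen_service.log mscorsvw.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
]


def parse_rows(rows):
    """Split report rows into {op, path, proc} records.  Rows that do not fit
    the three-column shape are returned separately rather than silently dropped."""
    events, unparsed = [], []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(row)
    return events, unparsed


def is_executable(path):
    return path.lower().endswith(".exe")


def executables_modified_by(events):
    """Writer image name -> sorted paths of existing executables it opened for
    modification.  Logs, lock files and data blobs are excluded, and so are
    "File created" rows: an overwritten binary already existed."""
    by_proc = defaultdict(set)
    for e in events:
        if e["op"].lower() == "file opened for modification" and is_executable(e["path"]):
            by_proc[e["proc"]].add(e["path"])
    return {proc: sorted(paths) for proc, paths in by_proc.items()}


def second_generation_writers(events, sample=SAMPLE):
    """Image names that the sample overwrote and that themselves overwrote
    further executables: the propagation chain visible in the report."""
    by_proc = executables_modified_by(events)
    overwritten = {p.rsplit("\\", 1)[-1].lower() for p in by_proc.get(sample, [])}
    return sorted(proc for proc in by_proc
                  if proc != sample and proc.lower() in overwritten)


def host_check_list(events):
    """Every executable any process opened for modification, deduplicated
    case-insensitively: the paths whose Authenticode signature and known-good
    hash should be verified on a host suspected of having run this sample."""
    seen = {}
    for paths in executables_modified_by(events).values():
        for path in paths:
            seen.setdefault(path.lower(), path)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    events, leftovers = parse_rows(REPORT_ROWS)
    print(f"{len(events)} rows parsed, {len(leftovers)} unparsed")
    for proc, paths in executables_modified_by(events).items():
        print(f"{proc} opened {len(paths)} executable(s) for modification")
    print("overwritten binaries that went on to overwrite others:",
          second_generation_writers(events))
    print("verify on host:")
    for path in host_check_list(events):
        print("  ", path)
```

With the rows above the host check list has six entries and alg.exe is the only process that both was overwritten by the sample and overwrote executables itself. On the full report the picture is the same: every executable row is attributed either to the sample or to alg.exe, while mscorsvw.exe, msdtc.exe, dllhost.exe and GROOVE.EXE only touch logs, lock files and data, which is what those services write in normal operation.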
Modifies data under HKEY_USERS (54 IoCs)
Processes: ehRecvr.exe, ehRec.exe, SearchIndexer.exe, wmpnetwk.exe, OSPPSVC.EXE, SearchProtocolHost.exe, GROOVE.EXE
description / ioc / process:
  Key created  \REGISTRY\USER\.DEFAULT\Software  ehRecvr.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit  ehRecvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"  ehRec.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  SearchIndexer.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  ehRecvr.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer  wmpnetwk.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  SearchIndexer.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000  OSPPSVC.EXE
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie  ehRecvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  ehRecvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"  ehRec.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"  SearchIndexer.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"  SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  GROOVE.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  wmpnetwk.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  ehRecvr.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"  ehRec.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"  SearchIndexer.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform  OSPPSVC.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\  wmpnetwk.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"  SearchIndexer.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"  ehRec.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"  SearchProtocolHost.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{E75A5AEB-17C5-4A65-8620-620517EF00B5}  wmpnetwk.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  SearchIndexer.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones  SearchIndexer.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL  ehRec.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"  ehRec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{E75A5AEB-17C5-4A65-8620-620517EF00B5}  wmpnetwk.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software  wmpnetwk.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health  wmpnetwk.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid, process; identical rows collapsed with a count):
  1632  ehRec.exe  (1 row)
  2012  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe  (25 rows)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe, mscorsvw.exe, mscorsvw.exe, EhTray.exe, ehRec.exe, msiexec.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, wmpnetwk.exe, alg.exe
description / pid / process (rows in report order; identical consecutive rows collapsed with a count):
  Token: SeTakeOwnershipPrivilege  2012  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
  Token: SeShutdownPrivilege  2336  mscorsvw.exe
  Token: SeShutdownPrivilege  2988  mscorsvw.exe
  Token: SeShutdownPrivilege  2336  mscorsvw.exe  (3 rows)
  Token: SeShutdownPrivilege  2988  mscorsvw.exe  (3 rows)
  Token: 33  1904  EhTray.exe
  Token: SeIncBasePriorityPrivilege  1904  EhTray.exe
  Token: SeDebugPrivilege  1632  ehRec.exe
  Token: SeRestorePrivilege  2580  msiexec.exe
  Token: SeTakeOwnershipPrivilege  2580  msiexec.exe
  Token: SeSecurityPrivilege  2580  msiexec.exe
  Token: 33  1904  EhTray.exe
  Token: SeIncBasePriorityPrivilege  1904  EhTray.exe
  Token: SeBackupPrivilege  2712  vssvc.exe
  Token: SeRestorePrivilege  2712  vssvc.exe
  Token: SeAuditPrivilege  2712  vssvc.exe
  Token: SeBackupPrivilege  2480  wbengine.exe
  Token: SeRestorePrivilege  2480  wbengine.exe
  Token: SeSecurityPrivilege  2480  wbengine.exe
  Token: SeManageVolumePrivilege  2868  SearchIndexer.exe
  Token: 33  2868  SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege  2868  SearchIndexer.exe
  Token: 33  1776  wmpnetwk.exe
  Token: SeIncBasePriorityPrivilege  1776  wmpnetwk.exe
  Token: SeShutdownPrivilege  2988  mscorsvw.exe
  Token: SeDebugPrivilege  2012  a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe  (5 rows)
  Token: SeShutdownPrivilege  2988  mscorsvw.exe
  Token: SeDebugPrivilege  1576  alg.exe
  Token: SeShutdownPrivilege  2988  mscorsvw.exe  (12 rows)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
  1904  EhTray.exe  (2 rows)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
  1904  EhTray.exe  (2 rows)

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid, process; rows in report order, identical consecutive rows collapsed with a count):
  1892  SearchProtocolHost.exe  (5 rows)
  2040  SearchProtocolHost.exe  (1 row)
  1892  SearchProtocolHost.exe  (1 row)
  2040  SearchProtocolHost.exe  (4 rows)
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: mscorsvw.exe, SearchIndexer.exe, mscorsvw.exe
description / pid / process / target process (rows in report order; identical consecutive rows collapsed with a count):
  PID 2988 wrote to memory of 2164  mscorsvw.exe -> mscorsvw.exe  (3 rows)
  PID 2988 wrote to memory of 1108  mscorsvw.exe -> mscorsvw.exe  (3 rows)
  PID 2868 wrote to memory of 1892  SearchIndexer.exe -> SearchProtocolHost.exe  (3 rows)
  PID 2868 wrote to memory of 2724  SearchIndexer.exe -> SearchFilterHost.exe  (3 rows)
  PID 2336 wrote to memory of 1968  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2336 wrote to memory of 1364  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2336 wrote to memory of 1548  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2868 wrote to memory of 2040  SearchIndexer.exe -> SearchProtocolHost.exe  (3 rows)
  PID 2336 wrote to memory of 2352  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2336 wrote to memory of 2556  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2336 wrote to memory of 1944  mscorsvw.exe -> mscorsvw.exe  (4 rows)
  PID 2336 wrote to memory of 1436  mscorsvw.exe -> mscorsvw.exe  (4 rows)
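The AdjustPrivilegeToken and WriteProcessMemory signatures above only become useful when read per process: which PIDs enabled which privileges, and which of those then wrote into other processes. The script below is an added example, not sandbox output and not part of this report. It parses both row shapes, collapses repeated rows, and runs three checks of my own choosing: SeDebugPrivilege holders that also wrote into another process, processes that enabled both SeTakeOwnershipPrivilege and SeDebugPrivilege, and writes into a process with a different image name. TOKEN_ROWS and WPM_ROWS are a constructed subset of the rows above. Mapping the bare number 33 to SeIncreaseWorkingSetPrivilege is my assumption that the sandbox printed an unresolved LUID (33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h); the report itself does not resolve it.

```python
"""Correlate AdjustPrivilegeToken and WriteProcessMemory rows per process.
Added example, not sandbox output: TOKEN_ROWS and WPM_ROWS are a constructed
subset of the report rows; LUID_NAMES and the checks in triage() are the
author's own."""
import re
from collections import Counter

SAMPLE = "a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe"

# "Token: <privilege> <pid> <image>"
TOKEN_RE = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)$")
# "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Assumption: a bare number in the privilege column is a raw LUID the sandbox
# did not resolve.  33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Constructed input: rows copied from the two signatures above.
TOKEN_ROWS = [
    f"Token: SeTakeOwnershipPrivilege 2012 {SAMPLE}",
    "Token: SeShutdownPrivilege 2336 mscorsvw.exe",
    "Token: SeShutdownPrivilege 2988 mscorsvw.exe",
    "Token: 33 1904 EhTray.exe",
    "Token: SeIncBasePriorityPrivilege 1904 EhTray.exe",
    "Token: SeDebugPrivilege 1632 ehRec.exe",
    "Token: SeRestorePrivilege 2580 msiexec.exe",
    "Token: SeTakeOwnershipPrivilege 2580 msiexec.exe",
    "Token: SeSecurityPrivilege 2580 msiexec.exe",
    f"Token: SeDebugPrivilege 2012 {SAMPLE}",
    f"Token: SeDebugPrivilege 2012 {SAMPLE}",
    "Token: SeDebugPrivilege 1576 alg.exe",
]
WPM_ROWS = [
    "PID 2988 wrote to memory of 2164 2988 mscorsvw.exe mscorsvw.exe",
    "PID 2988 wrote to memory of 2164 2988 mscorsvw.exe mscorsvw.exe",
    "PID 2988 wrote to memory of 2164 2988 mscorsvw.exe mscorsvw.exe",
    "PID 2868 wrote to memory of 1892 2868 SearchIndexer.exe SearchProtocolHost.exe",
    "PID 2868 wrote to memory of 1892 2868 SearchIndexer.exe SearchProtocolHost.exe",
    "PID 2868 wrote to memory of 2724 2868 SearchIndexer.exe SearchFilterHost.exe",
    "PID 2336 wrote to memory of 1968 2336 mscorsvw.exe mscorsvw.exe",
    "PID 2336 wrote to memory of 1968 2336 mscorsvw.exe mscorsvw.exe",
]


def parse_tokens(rows):
    """pid -> {"image": name, "privs": set of privilege names}.  A privilege
    the same pid enabled several times collapses to one entry."""
    procs = {}
    for row in rows:
        m = TOKEN_RE.match(row.strip())
        if not m:
            continue
        pid = int(m["pid"])
        entry = procs.setdefault(pid, {"image": m["image"], "privs": set()})
        entry["privs"].add(LUID_NAMES.get(m["priv"], m["priv"]))
    return procs


def parse_wpm(rows):
    """Counter of (src_pid, dst_pid, src_image, dst_image) edges.  The sandbox
    logs one row per WriteProcessMemory call, so one child spawn appears as
    several identical rows; the count keeps that information."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])] += 1
    return edges


def triage(procs, edges):
    """Three checks over the correlated rows.  An empty list means the rows do
    not show the pattern, not that it cannot have happened."""
    writers = {src for src, _, _, _ in edges}
    debug_holders = {pid for pid, p in procs.items() if "SeDebugPrivilege" in p["privs"]}
    return {
        # Enabling SeDebugPrivilege and then writing into another process is
        # the classic injection shape.
        "debug_and_write": sorted(debug_holders & writers),
        # SeTakeOwnershipPrivilege lets a process take over files its DACL would
        # not let it write (System32 binaries are owned by TrustedInstaller);
        # paired with SeDebugPrivilege outside an installer it stands out.
        "ownership_and_debug": sorted(
            pid for pid in debug_holders
            if "SeTakeOwnershipPrivilege" in procs[pid]["privs"]),
        # Writes into a process with a different image name.  A parent writing
        # into a child it just created is routine; check these against the
        # process tree before treating them as injection.
        "cross_image_writes": sorted(e for e in edges if e[2].lower() != e[3].lower()),
    }


if __name__ == "__main__":
    procs = parse_tokens(TOKEN_ROWS)
    for pid, p in sorted(procs.items()):
        print(pid, p["image"], sorted(p["privs"]))
    edges = parse_wpm(WPM_ROWS)
    for (src, dst, src_image, dst_image), n in edges.items():
        print(f"{src_image} ({src}) -> {dst_image} ({dst}): {n} write(s)")
    for name, hits in triage(procs, edges).items():
        print(name, hits)
```

On these rows the first check comes back empty: the sample (PID 2012) holds SeDebugPrivilege, but no WriteProcessMemory row names it as a writer, and the writers that do appear are mscorsvw.exe and SearchIndexer.exe spawning their own workers. The second check returns PID 2012 and not msiexec.exe (PID 2580), which holds SeTakeOwnershipPrivilege together with the backup and security privileges an installer normally enables. The cross-image hits are SearchIndexer.exe writing into SearchProtocolHost.exe and SearchFilterHost.exe, which is how a parent sets up a child it just created; the check surfaces them so the tree can be consulted, not as a verdict.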
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a56f79bee5a8f027d60ebe261c3724f1b6bcf400b0524e342a78a96bd6952df1.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID:2096
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2732
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2540
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d8 -NGENProcess 1e0 -Pipe 1ac -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1968
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 234 -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1364
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1548
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2352
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2556
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1944
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 120 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1436
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
    -
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2164
    -
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1108
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2824
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:444
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1208
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2200
-
C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904
-
C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:1440
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1068
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2460
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1596
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3012
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2436
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1960
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2100
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1572
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2664
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1976
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
    -
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID:1892
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    PID:2724
    -
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2040
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 704KB
MD5 6b7eff47662a2cc85f7febb077c7c5a9
SHA1 8674d9776dfdfe90c1c179f21e36a221ee014cbb
SHA256 53cac811f7278b1c455ca1ccbab7e353b365348d3adf134c8f1b943b100c2ff8
SHA512 a4051d4d1fe1b35e4a5456d7de690a8e6d1a8377055c24cf5bf63808b3c82c4b523128c17defc96abb76c5cfaa9e81f7eff29e1f1a60ed64061b40c5093202e2
-
Filesize 1.1MB
MD5 c07599d147bd2a07e731407b86029b6d
SHA1 f54ad8762f3b8fdc2c5327a9171787c37be56601
SHA256 c9ff6ede5bc8dc49dc8134ec82a0ae0bed8d45669aaaf079d070c80e560c7a6f
SHA512 47776c627db8ffff66e121f2c3408ecc6821d63b46d36a8b3947cade5e2d36eab262b78e2f3295f675536ad5f2e6c68d325fe348e4fc53354e78b7869b0c86d6
-
Filesize 1.1MB
MD5 ebcb8d252a2686506f3d7927af4c0eb3
SHA1 80b817733a2229f7ea6686fe73f47b98f3137a05
SHA256 ca3bea714cee850ca6079dd2256b1d4f05bcae06156aa0f54bb93b95ac992e1e
SHA512 9e5ff74affae1543d9dff1e6fcf3b0b7d8fa05c64cc0a45c10546dd01997017ee82c9e15ca64c86ecd8bf013ffaad80d8158875618fdd1564db6ff3f6f258f06
-
Filesize 320KB
MD5 c5d91257326408fb288dd5c0bc18ea00
SHA1 e824e3f906cef96068c5ebf18d859577fd27af24
SHA256 6d1de6d0993e07e38e6e75ae4633c9e47039a4ffc9462d2551d4d1a5b60228a6
SHA512 299c80d6f1cf2986c94afca743ec81cf11093747762736b32ba5f8c153c53fccbecd1bc88710a145f7c1bf50c08c4365f91259fc71ccae8a3a18bfab2e288590
-
Filesize 1.3MB
MD5 281fc3cfce3ca6581efe54eb892aee97
SHA1 4f59df7920bf4494d0c377922ed32381680041ad
SHA256 44b6c4cfa1ec10865fb35253a1894547c3675ce1b91a7ef8a5fea38530c27027
SHA512 ba9f7b8d62cb3925b20324b9dc3a4411fa8a976cc4134d63d5767b0daa5b8b31ef6c7c5750b4d49a6b00c920b6b8a6b1b3617a7101542d573440fdc5930129e9
-
Filesize 1.9MB
MD5 152ec162f265ff8830fc1ff556517f48
SHA1 b75ee017a90a1e4401b1ddb441e76a3b2eb62e57
SHA256 90497e14d6311f0e1be53ec0b2df746fab04664d12b98c07b39664015a95db39
SHA512 9115f2447430adce2784fea4a3ae6d3d7a6d32412ce4014e90721d318315c9e0dbec067268be72862fc5d99c873c8b48c15cf837abffd080e9b6734f5bbfb8ac
-
Filesize 1.4MB
MD5 87d17650dde086803e964f409d7aeed5
SHA1 60093de15f7cb08bd5744746475b3c66d88af696
SHA256 cc88381bf121c965ad0255fecd2b5d1d46d2b5cf6206f3c9694afc1ea2a725c4
SHA512 d6ff93d487738f4fadacc7384998ff5bb812f809ab361c9fa26132e54bb61d1c101a13a8734928af4128583935f5cfb1961ac7dedc1f6683f54222aec397f432
-
Filesize 64KB
MD5 5f8f110ac75bad28a7884af2ba010e07
SHA1 08030cd226c16e345ce5c5663cbc5bc3448c58b6
SHA256 e8c5476b50ec00cdc801cfe9357093af5a9198e7a3948b2ceadcabac5387ac39
SHA512 7cf57ebce3fb20a912aa0b9608653e43c54d2ca476e70c2957473a0b23131be5ee9a5ba632e11de70aa51b33e8c218db840fd64f7ffd0d46f13b2b9b4de40221
-
Filesize 2.1MB
MD5 37e31420f5e9c36fe6200fb5c817b134
SHA1 52ae6bc09f91f11212de39c1fe0f1cf9a4d004ac
SHA256 d35e9eeab5b8ae5dd53b5c5afac57b3600aca733b798f284489f03897d53164b
SHA512 0c0857f754436c8c8c68bf372031abce1f20d07728d3fbc378efeb725b33c8935470feab56831f567b0262fdd9f0dfad8ba8a84268741d81a54a777bd1391036
-
Filesize 2.0MB
MD5 fadb93bdf75406013b9eccafe3a634ef
SHA1 31ee7eb629b78c020308c26ad9394acceba29448
SHA256 36bd465f850cbaa13f2ad79822e378ea4e53ea7f8f174a69e70fcb430a4ba494
SHA512 ee6b29d112e86a26ef892785d2229744714e3cc3de833f08b10bbe58e6bf3f2f3cd8b302b610a51f5e38fab9f1481c3f3fa45777072b0742a84375bd73538fa8
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize 1.3MB
MD5 05c9abb0940b5046976b4badfd196eb9
SHA1 1465794ac1efad103d9745064be6022dac0423aa
SHA256 445f4982a9f5bfe232372fb10c11f6dbc70b209f25642c971adf42009884928a
SHA512 61e9a331d7a3506d7016b3481993bdacada5210da0013db4f8d861b1e4e9f229225c1d76e08e301205567666a2faa7fd04a3fc63c2881be5fd8c86450d7345c1
-
Filesize 872KB
MD5 9ceb65236a036f610dc1bd46567a56cb
SHA1 3f830ed386d9369a8fcbae1382da3351879c9b66
SHA256 55652441bab21d6000ef3831f1a0c8b4330223566da36608eb2fa9d054282637
SHA512 01dddb0da06bbbab158e3e48f329254ea4fb6617e46ca03991df71707a175cb79520f1e4b22e747cec8236d6a32dee5c806fb22c5f60413850a3aad18cb17147
-
Filesize 1.2MB
MD5 37cb476b24d22f51cc860771a1e4d78b
SHA1 2c529f566441226f3a15aec07f00e26ebdb84ac7
SHA256 494d63c0190ffae4d3afbbabe6bd0a217a15496817b03f340e700b7f866da641
SHA512 085c02a02d0e2734f8856350d4b967838d42cf0a8247fbfce7752ab1779be682ef91c1b7d0e91fae826db88c2feef7df002f088918abda64021e98505068da47
-
Filesize 1.3MB
MD5 03a338514dcd7c82973206832244d9e3
SHA1 adab5c65c76c2d8cf9335c2d71325e8afc795f23
SHA256 f6ccc20d1044262384cd12b69e2857e878e7178b937e063943e7a3de9275d330
SHA512 83e7e46ba8df9efd5873e6d2f7f039771334bf7a2a9be5ee31a422092cbaef5a4b5b22194e11a912d82d6ce7893b03d602788d7ef54b60851cc704b83c96a527
-
Filesize 1.2MB
MD5 1d06cd66bf86b6b4e6a059cd5c733cd9
SHA1 ed28143794f399a6fafdccc0112d448dab333b0b
SHA256 420b80082b8273841dfce79fa887032fdf5ea3cc873cb12d66d73070962829f4
SHA512 9a105ec83fbd8bfafa93ff2cebf6d2f318f11182960429f959506b7dd3263c653d6e7bdc4341dca4e19d56cda361b65328ff5a2b482afc5ccc4e0be42ec1ce3d
-
Filesize 1003KB
MD5 49bd8a6e3efe49a43f9ad9ffb0aa00a6
SHA1 773e8786936cd1ec5fa09bcbe4e250f2af71458c
SHA256 4f6c22479cb9592d070f0d458b979edc6a446752a9a92df709bd5c3634b10992
SHA512 40aeec500e98f49f4eb6d1a5ec456eed09e896fcc17ab140cc8fa864c03c9ba96c993e70666460f5fed8253e6029b3045ba4d4be43af1f30c2a72d9aed9ac4d8
-
Filesize 640KB
MD5 c347c71c3ae3d1e7d6ee6bc2eb7c5433
SHA1 ad2b7b073565f3375c3d6cb3117b8f5866df9242
SHA256 cf58af22cf89debcce68c7d348de294a6995484131b436fb1881eb915e1d0a43
SHA512 febebbc9a314142aed76f4d1a9ef32d55825a8d8e3c7b6771649585f60810fd3f2acec719b7c1726544e2356ff1ca9dd6173b104e484f6904a848d74fc8f697f
-
Filesize 384KB
MD5 ea461c988140ed0b7d575028be778be5
SHA1 8aee44cdc4352cba5f25b24cbb812654778af012
SHA256 323188d143b65622bf3577e5fdb0c51f8a6639ffd9efdc175d8aa8a2e3c0c266
SHA512 11801db58e912765aa469a388e039c735ca018017fabb185a9610fa91cd881f5800061671842a69f226285626d4d9a625a5acddcc45880bf1fcc92cf915f64fc
-
Filesize 1.3MB
MD5 ed2a2223b57f4d0e241936d991fc5342
SHA1 ccc575f4137496bbca505c255b486da911b9a7c7
SHA256 77f63c0bc1aabadc84ee410678baa8393894e4517a57821428838f5465075348
SHA512 ac64757753d81146153908d10f86a52047ab896d36e67b461940de89ba4309fae6d5e857d2495395c0c0b43d40bcb9b4c0a30b4676471d4d257dd75047efffd1
-
Filesize 1.2MB
MD5 844e7120dd1958360df21a5e53f418c8
SHA1 c7b6a9abcc340e61a31fe317dc5586ecf386ab78
SHA256 bfe031b9b3e44b853fc4936cb16a8730ed2bc0f9ca2e16b7b9a1889f2317ca97
SHA512 d216971a3a1b801bfe61564f9ad2c1b903ca0170a013cdf3bde955b7f58fcca49784a6290243473b2945bf0337b06ddab0d91dbc81490ab020b75309b8c99585
-
Filesize 1.1MB
MD5 e855d2d8c2545a3aa2154b0d229925d2
SHA1 b03e20ad5a8dda88a871bae1b45c0a47b2c7cf28
SHA256 76aec3f9ea10b5dba7f1285fe9aa6cc3025fbd255688808204f5a1e7fc1387bb
SHA512 a7139e66f044ad20e51700940abb80275a7dd2f35be8ebfaed11a20cbbb767508bf8ab87df85e5cd95c571dd1e74c92b4764128a466bdc48acb2326b4e3ba1e5
-
Filesize 768KB
MD5 948e58c31220a178e2ab7da280f82eed
SHA1 901d137bc716604873198df061a282e4d001b864
SHA256 beb368a46629f945b7d49455875185d14b1f7b81e7cc570153654170faf8231c
SHA512 2d2d9220eade21b0c20f3f3bcdff5cb2bad61225eb4dc638fa6294ba6db7dd4b860be6deafea07030e449bc29eee64f696c7949f277c7a94ca214334bb0d2ed9
-
Filesize 1.3MB
MD5 009aae0394923d58038ff2ffa4bf644d
SHA1 95e9bce21bf45d8d3169412917053c15f5f55098
SHA256 ae7f5d34bce22f87cf694ac6810714b64772184c30b6d38e87d56f1eb3e7aafb
SHA512 724c7be926d8e3831ddf9cd3abd849d2b5cfdbd69134ba5a5d465a7406cd49897386cf03ada439934ab66ab5dfb8a3c4db7772677215d7d4df9d0f7f8e597723
-
Filesize 1.2MB
MD5 d051076ea41f46c49ad4883ba364498d
SHA1 3656cc3a47c29de8d6850816065723bfee9dca0a
SHA256 a6cfec427fcc284a2e51261f2892f8331cd3ecda00272e6f6446ae7fd5c0a56a
SHA512 1af6fff595e25c2d30e94f7df5c084e29b18a9f295bc3687ce496e30e338b05abc73d4d0730623ca0780946f7095e0f50af20f66d08d611f4de22d40ba4f6589
-
Filesize 1.3MB
MD5 6e2467c85ae9cb0f569ed218f26c9061
SHA1 40fa698164f925622e805927edb342504e42ae37
SHA256 ec66b0158eee21043dde19b0e4d28beb6c2bd6e03283a6b878c037e09556c421
SHA512 d65a8d5fe17c6120966b5be5d8d905e4d79383ac79044734d72ae9c9e634ee75de9519b75c1081b81a082a176f063dd9e403001e3fa0c9ddb8ae904ae4e2a534
-
Filesize 384KB
MD5 48558b8da98548dc34683519610ea58b
SHA1 2ac010ebfc4e525f40867ed8c48d82e418082dd5
SHA256 47c40a4b807d0bd53393b14055388aa35bb10e387de41e73e55c6be509848422
SHA512 9705f754c4e39de70692843625f8c8dc3d9c225b6f1edf2e492771c8261ba003c753d1b69f37151ea1fb947fb835779428153303da2bb658cc911bd65fd0f8a8
-
Filesize 384KB
MD5 66e824ca2ba09b1c2fe4d9223ca1b47e
SHA1 d132948d15229cb2120da2caf54a7f5326856178
SHA256 bae61e9129894c1ad5154edd3943ad6f857f33b0bc1643330d271d45fc9a13ac
SHA512 c4855e29240e54c81659da1af51a5d9c63f8dbd7d526b474f55f50c63c2a61d36220fb1e1f4b5345d713376bdff47f019142bb4c05b7f945c097785e8da67173
-
Filesize 1.2MB
MD5 e06f27f36fe2393a1ea449d4f3148c25
SHA1 cd707a8e1630dd39820130e1477dda7d1213a5e8
SHA256 4c54ff027de52c0f1cd08c0a1b228ed3da3fea64a842df57c4788c90db88a2ab
SHA512 0be5922000257fa6a8f778e64fb0c44ecfe305414837b445d65253bf475845f94f632ae8e25c41aa6648da3705586d042028c9b4122909b086ff5c9675949232
-
Filesize 1.7MB
MD5 306e0a3ff06fb62108b0ee7c6a874911
SHA1 dbd56bc60154ce715c31b0e61b09eb9307053981
SHA256 92eca376604f52a8ddf4f41b008256ac8e8a623df6ce55f760101950f6707bd0
SHA512 0039817fa94f0ad19220f8115f57afb035a75767b89bc39544db6e25d027b12700f58e4e12456478472c26527617b27893b4f77d40928a85256816abde226e68
-
Filesize 1.4MB
MD5 15bb5baeb81a89cad7b8ed33f01c07ea
SHA1 052d9431cd8db609e7271ee14e78d2a99a37d5e1
SHA256 5e23dc6421c0a7d453afb38939925cf1b664861daf7a92fb3225a89850749ae7
SHA512 972e3ec6a8c30509ce70f6224e71b1a4cae9c2ccede86438379a0735f219266bf0ba4477d3fb73c267a89c12c3c340ff6c5098df36e201fa9e1328c4be7d0506
-
Filesize 1.2MB
MD5 8381c2bc5e4213e9ee9379cfc346ebe1
SHA1 16f9af0043e1f90979c244012b9d1e016460deca
SHA256 7cb2ab7b6fa6d4b567c9bc640349b58681df97d63b2cfb27298ae546c1276ce1
SHA512 745a27055a9987e1e4ab644963d9ae7d7d7c5bdc209d3eccdb427bb9616e66de51b47fcc9471aca72cf9b1cb3422be841665312cadd5a9039952742d78fb4665
-
Filesize 320KB
MD5 cdeda19b5b23b8536aa60500067a953f
SHA1 277b65a07ae7d2cb6b73eaf7a628aa78f92f1005
SHA256 2502ecadc42ce24d253eb179e48c9fd2d46bf5872d900913fcbba35492f88cf3
SHA512 67dcf42b3d3d8211059b4368368796bbea97079b150ea2d282a275e4c4b2834e82af6332eb2d05c65a11b3d9d16f5587e55ddb5b1a35b762b222ddbe20c1a515
-
Filesize 1.2MB
MD5 e34324d72b708a13576bfec498ee693d
SHA1 969cdbe23bdf54626f8fe5fbf999ef701e7a2684
SHA256 d174f67eafdbe8fc767d26ced567ae722913e8f4c28ae77c2845170ccffe7dc0
SHA512 d91fc80da250c4cb010cce3daf6eb7828a1ed627db4c594e5bc581161f920d3e22f6a581d29bdc7a51fb69d4b4a689e3462507bd886592d890b44df2dd5883db
-
Filesize 1.1MB
MD5 ec31cb2a6bd43698fb021d5ced1b167c
SHA1 9a2cd82e31d1e9fb4d19065ed9d68806800b3010
SHA256 19847b45f98fc9200dc44495dcdf8a8d143171d892809d67d21d3571e61dff02
SHA512 d5ff17ba23a61accaeaaf3e75bb15311a99ccf89082d4e4d9a310ebada2a0855be93c6caaaeb28ab1763896e40984bd525c45b3f795a5f50b3761f8194569f68
-
Filesize 896KB
MD5 7aad30ed354858849d50cf83956d3c6f
SHA1 1aa7d7561ef6b6add7d95320ccc85d366073f501
SHA256 f851f73afa40100f80dfe546bc5c34b1c5373e1f688bed373a192ca96a6f16f0
SHA512 09853eb0885f3d303143d90cab1e544e469028752da20eb0951c9eac8c9ee763db4ae5c431d8275b0bded188ea453fe3fdb31469d5982ee7dde4ccfa798b734a
-
Filesize 1.2MB
MD5 942be66cea7113e3063a707e16bb1c9b
SHA1 81702f41b2298f635fc2f1e26ce220064365d218
SHA256 a6cf8bbd61d1d0d05b113e092db68cd6514859324448ae1b80af890fc477d21d
SHA512 43c699d5f9cf992c0ba0a771546885034e7c3a710951eb084751baf9f7e99797b6ab17b444327bb29b0e56ca109b00329e729c25e0d469dd9b4ac1ee3e8fdd32
-
Filesize 448KB
MD5 81bb9280f21402ccc5ac872948c07e17
SHA1 ca5bcad9351fa9c873bd07e3fa529273eb138126
SHA256 df85c33551b83579c9d784e5f66766950238c1adee801e9a43f10438461cdec7
SHA512 668596792ad976b5800a528e8c5a1d6012c356270b94b61cebd31149e11e94fee78b7179a17d3144ebf7acedc9aff998220d520f93eb9bde4a10805a466d7ee0
-
Filesize 512KB
MD5 eccbbfc64a61ccced376098e0026cb42
SHA1 36155cd5cbcbc94f3aefc70a3d0683788ee46943
SHA256 6b2734a5363bc45b0db36c71ece79283f0d2bac47531807bb8d84eac972d2ae6
SHA512 8412031de6835a05826a79d25c36a9d6170541d02a2cc03c7050d35ccfd8478a7fde814356a374895009cb6cb0e4f71246e0891228c06baf1750e43ad0116c6b
-
Filesize 320KB
MD5 a425c3906f17fc1e6af81c6c98b5ee37
SHA1 738cd19646e1cc3950915ab0888805917cc0ef94
SHA256 3b9c96f196f9bd95f93466bb763ec54ae2a871c4db5d68a73fd0b4d4dfedbd5c
SHA512 eeb20136d054c23a610bdb5d5d1f963ff747b6014fd4aa6e8399a766056629232eb130de58e5582c9ea49b650dcf356436e20997942b52911bfb98a6c1310924
-
Filesize 832KB
MD5 06b4bedf84e495ff536580619a953070
SHA1 faf1e0c997b9c601bc920985985d610626be642e
SHA256 f18c68adaac1896b3e6eeee76b5d8dae5f1d425ce691c844ddb8644dd2c8e75f
SHA512 b97e17d96b9947f295727844320aff3abd9d728021527620bef25b850f5c6c722c50bc64cae736b600a68fca0e35dd878b598835d42b03a370d86e7de227732f
-
Filesize 1.3MB
MD5 bac799a357b60c91c694e20b0da64822
SHA1 5fc1a8a068462c8f4d6f93c1e02ae03f4f1fcc0d
SHA256 b8497dc817748e3fc2b0dacab048319e81ca1e13645568fe14d683783d290c7f
SHA512 fcd8e4fdb0cd1ab37e601cdb4717d78c852537b4eb8a9511d95b1df42a83d686a8ba2a96bf7ebb75496835fa946e38f6c1fcf4f8547c9cadc9f662433deba2ae
-
Filesize 2.0MB
MD5 8209cfabaa7cd7425bba165114a3718a
SHA1 11a285926b0888984b4c6a05856a7dc2895bc84f
SHA256 c362b50eee2a5241065880f8ca3e33c175cd18bbd24e8fdd8fb884afbe991873
SHA512 dd830401efa9f829e112d4349387502ae336dcd7125b9150dac69b2ea1830a9a2bfc5a6b1ac079008e8431290c5fe88aacab05bc5b5636030210c62e7fd779c8
-
Filesize 1.2MB
MD5 e93481f8dbf3dbbb4328cefabe8bd466
SHA1 f14c710862b4b590329cd1ce775e00beff28a751
SHA256 15fbc29a87c5ed3e4e3ad7b8ffe3e610f5349a05bc37e3abeb9597befa778103
SHA512 258c7765feb98eadd642ef5e015a86611df1d37b76abdec4caff90c597a0135e059a706647a2e3d05d15d85d5a95c8374c109e89ed1d5533c34e2040b6ab5bbb
-
Filesize 384KB
MD5 e80e7ac8136359138ccf6d2aed9ad867
SHA1 04d107ecce28843f27c153532b01e8a86a9a1d02
SHA256 0e45b5a73f2b4cc8f14a70a03fc8e4e877559e166802ed2d8715703e49c89122
SHA512 526f5d0bdbd3a9bf339008a4846dbc863f32cdb2eb50c40784c7e3de752470bc5d04cb0a85018176a17b5da2d74e8bcf48d0584e30b1a420aefb432a419e535e