Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 19:33

Static task: static1
Behavioral task: behavioral1
Sample: 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
Resource: win7-20231215-en

General

Target: 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
Size: 1.8MB
MD5: 98634542919726b66b1e305224ce58bc
SHA1: 0483a6ec826efffff036c1cbdc57cc9bafc49173
SHA256: 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc
SHA512: 7cb17ddbe7469e8ef17680fd4c76e7e10957286eed0c6b78a2ecbfdf1701b59eab2f5e1699970534d7223d50c1f5abd52019ba3c6a57bdd7b44b486ac636fc28
SSDEEP: 49152:oKJ0WR7AFPyyiSruXKpk3WFDL9zxnSZEjhMjSax84:oKlBAFPydSS6W6X9lnaQWdO
Malware Config
Signatures

Executes dropped EXE (57 IoCs)
Processes (pid | process):
472
2624 | alg.exe
900 | aspnet_state.exe
2908 | mscorsvw.exe
2016 | mscorsvw.exe
812 | mscorsvw.exe
2084 | mscorsvw.exe
2348 | ehRecvr.exe
1612 | ehsched.exe
1728 | elevation_service.exe
2768 | mscorsvw.exe
2772 | mscorsvw.exe
2000 | mscorsvw.exe
2496 | mscorsvw.exe
1552 | mscorsvw.exe
2164 | mscorsvw.exe
2720 | mscorsvw.exe
1496 | mscorsvw.exe
3000 | mscorsvw.exe
2804 | dllhost.exe
680 | GROOVE.EXE
2248 | mscorsvw.exe
2936 | maintenanceservice.exe
2564 | OSE.EXE
2532 | OSPPSVC.EXE
2824 | mscorsvw.exe
1044 | mscorsvw.exe
1680 | mscorsvw.exe
1656 | mscorsvw.exe
2560 | mscorsvw.exe
2860 | mscorsvw.exe
2828 | mscorsvw.exe
2956 | mscorsvw.exe
2600 | mscorsvw.exe
1884 | mscorsvw.exe
2256 | mscorsvw.exe
2500 | mscorsvw.exe
968 | mscorsvw.exe
2276 | mscorsvw.exe
1948 | mscorsvw.exe
2848 | IEEtwCollector.exe
2740 | msdtc.exe
2688 | msiexec.exe
1800 | perfhost.exe
1936 | locator.exe
2664 | snmptrap.exe
1048 | vds.exe
1720 | vssvc.exe
2796 | wbengine.exe
2168 | WmiApSrv.exe
2032 | wmpnetwk.exe
2780 | SearchIndexer.exe
1588 | mscorsvw.exe
892 | mscorsvw.exe
1884 | mscorsvw.exe
2016 | mscorsvw.exe
1480 | mscorsvw.exe

Loads dropped DLL (15 IoCs)
Processes (pid | process):
472
472
472
472
472
472
472
472
2688 | msiexec.exe
472
472
472
472
472
756

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (21 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6a2882403db14c9a.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe

Drops file in Program Files directory (64 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_ml.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\GoogleUpdateSetup.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_lv.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_sr.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | aspnet_state.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_en.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_nl.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\psmachine_64.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM7417.tmp\goopdateres_vi.dll | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | aspnet_state.exe

Drops file in Windows directory (39 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{70DEB368-3F72-409E-9919-B1638F7C5D95}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{70DEB368-3F72-409E-9919-B1638F7C5D95}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86} | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B} | SearchFilterHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
916 | ehRec.exe
900 | aspnet_state.exe
900 | aspnet_state.exe
900 | aspnet_state.exe
900 | aspnet_state.exe
900 | aspnet_state.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
Token: SeTakeOwnershipPrivilege | 2884 | 1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: 33 | 976 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 976 | EhTray.exe
Token: SeDebugPrivilege | 916 | ehRec.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: 33 | 976 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 976 | EhTray.exe
Token: SeDebugPrivilege | 2624 | alg.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 900 | aspnet_state.exe
Token: SeRestorePrivilege | 2688 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2688 | msiexec.exe
Token: SeSecurityPrivilege | 2688 | msiexec.exe
Token: SeBackupPrivilege | 1720 | vssvc.exe
Token: SeRestorePrivilege | 1720 | vssvc.exe
Token: SeAuditPrivilege | 1720 | vssvc.exe
Token: SeBackupPrivilege | 2796 | wbengine.exe
Token: SeRestorePrivilege | 2796 | wbengine.exe
Token: SeSecurityPrivilege | 2796 | wbengine.exe
Token: SeDebugPrivilege | 900 | aspnet_state.exe
Token: 33 | 2032 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2032 | wmpnetwk.exe
Token: SeManageVolumePrivilege | 2780 | SearchIndexer.exe
Token: 33 | 2780 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2780 | SearchIndexer.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe
Token: SeShutdownPrivilege | 812 | mscorsvw.exe
Token: SeShutdownPrivilege | 2084 | mscorsvw.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
976 | EhTray.exe
976 | EhTray.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process):
976 | EhTray.exe
976 | EhTray.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes (pid | process):
2292 | SearchProtocolHost.exe
2292 | SearchProtocolHost.exe
2292 | SearchProtocolHost.exe
2292 | SearchProtocolHost.exe
2292 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe
1984 | SearchProtocolHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
PID 812 wrote to memory of 2768 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2768 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2768 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2768 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2772 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2772 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2772 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2772 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1552 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1552 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1552 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1552 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2164 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2164 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2164 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2164 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2720 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2720 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2720 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2720 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1496 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 3000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 3000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 3000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 3000 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2248 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2248 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2248 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2248 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2824 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2824 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2824 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2824 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1044 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1044 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1044 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1044 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1680 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1680 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1680 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1680 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1656 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1656 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1656 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 1656 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2560 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2560 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2560 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2560 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2860 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2860 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2860 | 812 | mscorsvw.exe | mscorsvw.exe
PID 812 wrote to memory of 2860 | 812 | mscorsvw.exe | mscorsvw.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe"C:\Users\Admin\AppData\Local\Temp\1fd353b5a5a6cc0fec53e0c33b8b18cd2fad3ab141a1cabe819f6ab0f53b22cc.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 250 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 25c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 250 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 1dc -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 258 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:968 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1f0 -NGENProcess 2a4 -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:892 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 220 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1c8 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1480
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1948
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2348
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1612
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:976
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1728
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2804
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:680
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2936
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2564
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2532
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2848
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2740
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1800
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1936
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2664
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1048
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2168
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2292 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1124 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1984
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD52b293f2effbc76e809d88f19bb2a01e7
SHA1c3ef0621519f119eeff8d193324ec082ff91eb37
SHA256f8f88d5986ed97e8405e3db2f676e275a979830d88d879e14d2f9d79b89357d8
SHA5120f9e8fec99f3ccf0a25f77c481f2bdc47700fd112d19da659a17b3a42fa950a1711e179bb22e9930140255d847674d9d29946209b2f7f2714aa771d4a74341ab
-
Filesize
11.7MB
MD5eb458b4943d3388a94e591d3c033051d
SHA10930b6b80ecaf8ca7bfee765e3016a6f61da7bf8
SHA25675bde09882834339635692f3699821baeeb6184e1c5f66e2544ca4c57468f679
SHA512349b53f2b4fe6f823c0346d39214a051e4fdf12c0f8ea4769905d8198d8104b87b9c8d4374b40519174fb6083b843b118ea981db137c22b6749f1f43033da911
-
Filesize
1.4MB
MD59c9b06673dfd58f5063ead423f4b35e3
SHA140145cf217f89195e7acc4558efe6d0ffbd86b1d
SHA2563b0041e9b68185278466dc477a87987755ac5d25b8f6522cdf0c95aaa07e22eb
SHA512f3fa1a346602de5b3e4458679c563a9c62dddcd4526f4751cfb20ca4bee043acc4bd8005514703a6745471946f36458d5d66b082b73194d61c8e12e68b11aea1
-
Filesize
5.2MB
MD5d26f9ed2ab2a3bc9fd1725a84fcffbbd
SHA1a5fee0bc95516df0c7aadffc02757061a3be5f7a
SHA25699336508d67d919d33dce6f13237866ba3077763f800afaf713b40bd1cfb88d9
SHA512e942bb8223e7167b451bfef4cd94d912074077ba66f4348d9b973d30b8f53c8c86c08e43a7bd1f1a5d0ce8076bfd827db67feb504a1a47029307f3b231c70827
-
Filesize
256KB
MD5e0ebe9f08699299e026e3144645fb192
SHA1e1bd4d5716385e4b4ae83b8ca1c0fc32e17180b2
SHA25635e8031d9116be404d3e815e8d859113291b5b6a99a5f4271f76748db1a50f2c
SHA512ec5187f76ececa4bdd4fb8accc664ca13da76e25e7f6496249fe4ac58a0872ae85eff3c1059308993f7a98bd25227edafa8d650d9ceb1d3f861664f09e3e5086
-
Filesize
2.1MB
MD5ac7f2c974f44fa4e03ececc899383c9c
SHA1faa07ceac0b8a3e37d1ed587e8b18155977b90dd
SHA25671504b01521148bba9696cb98038bf13185c3830c7571a17b111e5b8a4fd26d0
SHA512735a9394f2dfea72413724c61ace615b2f69c3dc3776fc0f7a94bc6e547db3cbc4bcb63bf19d1d40d4250d7f3de25c219038240613ca157a1756691c88678036
-
Filesize
1024KB
MD5070825070fe2ad27fe6916a1c85fbc1f
SHA1e61dd571327cf256c865ece3432c2a1fee79dfe4
SHA256f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73
SHA51231b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a
-
Filesize
32KB
MD5b1a6a4d875af3e883fb4d2e4f1d0b937
SHA11a06c5a34a7f878d3042d9e9507578e4e9382fa0
SHA256839f5bf22471103e221f522a86704c6c55daabb0303ea652300cdc16fce5bbcb
SHA5122fd14174bd40ac54e5f97d316c5b1d25a6f76fe45350af2f8a8bc84dbc222affdf7f84491645676efc035749917611e56c7d611df52b767f888fd7f2e6156a8f
-
Filesize
855KB
MD5d5716854a47e06f36101c2ac349ac049
SHA10c3f192c796667c850f94cb4e09c00eb70941e7e
SHA25651d59b414772a77abeeee77498000f539235808b3687f9643a0bfc9812176422
SHA5120bfe4b9b0008c4a3258238b003dd6edc5115e497bedc37f39349f5870663742ed78804e124b3be0fee733efa81d200fd3c2cbd363ccf5e1da7d125995287f7fd
-
Filesize
336KB
MD590d593d84967387b683ff25975a6f23a
SHA136935ca9f508691198cace63febb7373fa8b9fe8
SHA256c327411348ce92d53e9b7d37a11636033cba3d9d24397291ccaecff4e28021b2
SHA5126fc1da077a530a19000619c5af01c091c844d6180ef198aa12e3ac2801d62bc29ec7fa7dbd9496234a452d7892463581e7056deed865f642bd3778c2bc95f871
-
Filesize
835KB
MD514839e9e85e2572fd4641d3b3593f18c
SHA1a6b1b5f3ea328e779a33a0322e9e89e112cc506a
SHA256d1dc442cf9cd76d903a205f4414f00a302ee18752e0a54f31c89eb56e4361533
SHA512cdd0235afdf95496360413280116ea245fe5cbfd34bef82741ba699c6f9a28b3abb2fad18215254863147173bf467205bb073925d92c7bee71936e54b3bf01e4
-
Filesize
333KB
MD5b6c7652c787435e09d8a66ae73a6672c
SHA1bd2eda478ceab489d4ae6be017812464a78f6ca2
SHA25622cfedeb09137d109032b73db433e179d48f62be87c6144746f7a94efab924f7
SHA5128188195f58d3f6778fe8570563db4d77fb8b54edf0769a45834c654738e81c118ee52d1d9935ebf524a50ac0f58cbc9acdb2d470a47c5febf341ef95ae86e969
-
Filesize
1.3MB
MD5fb913859b57188032f15418556e48fe7
SHA11ab75d292a878ee4ce12f80fee7fc2e7df23167b
SHA2560098fc43b2d01753f8e5511bc5d298acd761af67cf01206bc7ca8089a2753ae8
SHA512964afebb0afafc64504b91e0f895b6796bbfeac0609ecf2fd39953ad4776f4f0b97cd15ceae014b685afd37ad48e641b4aa22d422a0618a91fef2cf015afa54e
-
Filesize
304KB
MD50c92848e04af3595c7a57de915e06516
SHA1c29c2f10420ebb36a2868304e530f1f928ab3607
SHA2567dcf28be446050e3d30a7e54834985c7b2dd08e3e2997cca9b0e3f1978ebe3fc
SHA5125f8cea92dff26fb8d728c24bb39435e24186739bd77c6fb22bb4fb510df8bb969963194c38ecc1832b8455fc0607ac6f9cac0e658d9be2c1a2ee4691646382e6
-
Filesize
92KB
MD5c422e5f21ccac52348f22ef5a7f357d3
SHA17b5a0b230d3f97dda9bcc22d1c5be3e642d20654
SHA256e624b58a1eb660c1879c4f553ac0ddfe85f23342b4e5de3e7d8db537fb54464f
SHA51231a1cd71ef1a89d760631b80d500d5ab6be65b52a3ec792c010bd9857c192bb5e1059a894afe6e54a1d92090dd97b98ae458a0701196b68254e27e3dc9838de9
-
Filesize
1003KB
MD5094028648a6eede52e38c53d6686b6b4
SHA17e023b1a3a73b6d9c22dabea035b22bdf68ab5a5
SHA256a3f5f015dcb6ea634ae5ef9549070ff34aa70c040769f2abb5128ce95a436324
SHA5124074d9666431391c27bb45e196636113d8ca814248cc05eddb76019bbf1e5fb8c360538acb166ddd565d9b1c9a7d81bb6d474550eb59837d0d774496a5277f5d
-
Filesize
986KB
MD529e7bf6345083e16a07921ff29f13cac
SHA10c87feb3b86a4579c7c516e7b1952bbc3ada9b39
SHA25682ecc3b9f512c659b46b1343e47fb9ccca393a5cf91ac3578c29c9853444997e
SHA512ea7a624105651da45f719ffce0c4b664d00d0a8f5c8ee7157bb09d673c7edf4411d433525d3c7e59e6bd399cc5d20fe5d38aa2ed0272314ca8a1bfe29a9e860a
-
Filesize
354KB
MD58ec8a2f3f6b9e9c61704badce99a199a
SHA1ee771c117fab247d0c8707e8764e65fed769d1ec
SHA2560749a0882b2a28be19f7686bddce8b9564871b452e913efc24cffb185f2e13c3
SHA512fb87476698bea08c7322ff28ce87821e9b1996524a64b78aca3cf54f78a58e796145212a17d326bd4274c5aab10c088f85fc069d3045551bf0ed304ffb4e8d96
-
Filesize
1.3MB
MD5d3a641d428ade9055fbd58e821933c1a
SHA1c78f598a089b83456e287fc69b639d8d6f4ff5ec
SHA2567ba7151b558c30a1e2f5496273674b8dad229308004c7f59413b038c5bde7e51
SHA5128d5fc384277ba7dde01cd5fcb6e779e6b817ba596b6b61a1dad729289efc1a08f4bc2ad86f0ef159fc5604713beefa859a15d9c7e68a8a4234c65f9d89d3e110
-
Filesize
424KB
MD5a41be8cccb2003392886a7c3625a1a21
SHA1949e1edd3d4a8c087448b8444374cb77d19a8329
SHA256a0f6b1cf964f0bb141fe9422edc453675bbcdb86815d76d60dac8dc26129f9b9
SHA512634e775c4ba33cd9dd1163e80c446e69dcedd60aad7ed298016aec3620abb3d5aee3329815ad41e6e67729699960e052f683b1124f7379826f2c02317e24a95e
-
Filesize
512KB
MD5a868f3fa726d6b200fa798738984963a
SHA12a135848f1c8da262c905d230ceaf68bc4255a6e
SHA256c74bd239d2ccc46b5c4d2abd91216b5d88b85814eae4fc1e67219f85347eecd5
SHA512c24fab90ee6f13832ca621e1be9593b81cf8a88029ed49026c67b50b48772e55d022fd7321b6e62a6305587948750705c3a3afc2c3d422a9304d94a53feb43a9
-
Filesize
990KB
MD5710e3ef486f9b2b4150f0d748e23201f
SHA19a364990f17f3f97cfe5ff38567a5b127942097f
SHA25616b0f3407418b3d1ddb1bd7e83b2f9d668c31e5cd090847c10e6f10e81b46022
SHA512664383582f7a23bad33f976c3587def1eb8c21353dc4a4c715b146104f11b05cd67ea7ad1bd736424152918dc77aa741fb40d839809cbb3968988b088e15b250
-
Filesize
651KB
MD5b32832db1137c4ef8aff4a099b491a76
SHA11722b19b9ce1ab68d56f88b941882cf9ebc60a3b
SHA2569969e03f041436cc0833c5047c8e29e0c9851c02dc96a19d114c8c50b58ca990
SHA5124a7f9732721f40cceb52d2b6f4d1754061b90cf53a28a5cd2bfef0cfac56403bdef766121fc00e712e880e05710aca586f0687970cd704bb7f400a9b43681b24
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.2MB
MD5f90aaa1e0f9fd545a57769d01a79da93
SHA14cda9bea3d115f305a45c0ee8a52cb6805b51489
SHA25626e4a47d57638299debf92af62565492c2f6ae76402f8327f4e9dc7000e042bb
SHA51239cab84c640c2609934628ea1e4b0d3a2b0dd14aea9ccf27cef9d6f7486aa91c6bdc7341ecfcf3db13da27cfc9f251ee876dec3abd1edc016c66945f00894fd5
-
Filesize
1.3MB
MD53dd01b09bcb247915ccc13b2c9919258
SHA120a4bbabe0a8d57cf7a3af6b09685fbeecbd1ea3
SHA25622597cb5927fbc7665bc21a88fa91c85d6da7f5f075c93c93524cc1524b77588
SHA512ea445e402fa42784085a12190f625cb999a35e11e06caa30f4810c6091f013ea1704cea0a5cd543d261c4b6ce00e1332d2d7ecf98b43b63e5882e7d3b7231ea3
-
Filesize
1.2MB
MD5155c64d02e00befcc6d9652d573733e9
SHA105e39755549e841c9d6cd778f0552b6aa5ee54d6
SHA25608eeb3619ebc2e9bf4aee237262451dddc7449a272aeda91dfdce633a7372214
SHA512d600f404bab937c9b52690e5de74dbcd46e9cb6f5efe1af73d27e7226ef4c148b55bf671d0195867b88dedbc830cc9148d08688cd4f57c398860645682fd57f8
-
Filesize
768KB
MD5766f9697ae0c86acc6649260caf81f26
SHA12cd5767447ca9af442c6172ea3cccaf507f91544
SHA256f2c4dfca9c1ac42c3e5b78ad1cbb9e0f1fc502c910555b31877e3efc11d68411
SHA512abe3b87e0d9497c38d79e048c33a15d1f401317bc87294ee1c8f8071ede799cfe2eacdfb7d1419a73c59adcbf7dda40cb965b667159a83f3a9dfccf9996ab999
-
Filesize
1.2MB
MD5fdfd169e9fc74dfeb509f7356084c726
SHA1a482a6ddb32ea6281141eed19f0d169bda3b104d
SHA2560cbb06b8d7218ece091f76844fd2a498c60baa3c1468c87cede7ca1ebc8bbc07
SHA5128817940831a6e4da60474090a401ba8892ba3c7a14ac9af2b5c150ce41cebf429d8f92442fdec3d1cddf9b40591022ff04ea34fc830ea838075947458522205a
-
Filesize
1.2MB
MD5c45c236ad92d4d000eb216e84e2ef272
SHA18f5d0622fbc4126cfbe9551e2e40d9bb6ae8a065
SHA2567d49b047447c3260383ebf6bd3cb750ba44777f8b977be3569129558404d932b
SHA5126bf350f7b30223d7c34d7e09d76b16fe039274f278396a5274c87e90419eff53fa43cf520fcd64821c26f2a96a648be623449a2bc191f3836f6bc9a9b6c8aa91
-
Filesize
60KB
MD5b8853d93c44d4003133f573eb2e6e787
SHA1574eb06f0b6880c948b10d78a58565d010a40dcb
SHA256b548aa1e9983498e7ac169f37a0ac64e763703afa33bf66b40e9a84eb9b9e7f7
SHA51249108d4e04d77a24c5825420ed005a50dca4ccbd01c7aa65be9d4a65529f048e50254cf524d7965a04904dc2248614093f3491e73f341c9f1f79331d1a616b44
-
Filesize
476KB
MD573ff13d34967edeb8d1eac8e00d0936b
SHA1fca423b8834b82c4a2509f11df74a22c1e6a1ee9
SHA256136630128b48b6c639c672826c14fc033210117535ea7a6178e8a392afc1b0d2
SHA51207f28cd9cd53a932618fec31bafc1c6924e150d7ba88d70be2f1dd4659057f0615b0eb8851a0fa22954e216e3309ae93803b1f55d78a74906ae61c2453bc0db5
-
Filesize
1.2MB
MD56c11b92e2791d47fa64286b8b1b2569f
SHA1e4958e9725973d571c2638b662f8bbdfc0875f6e
SHA256f07a50cb76f03e7d42f42d36944bff64496fbdc1b29202d2c303e29d3cf81166
SHA512bf47d527f37c9bd79fb345c033a0518fad90388e7e2c83e13d5586ad3629228302757e268acd0d736d6070f1ffe0d25a8c1d3cd7ac4d180c34c1626bd07f5226
-
Filesize
1.1MB
MD554c39993c5b7fd7fa5605f7850973b51
SHA1afa1aa81e452179010b9d188dc15cec24d0f1ba2
SHA256e2ee9d3c0568ebb36bd65b9a9457ce1d55dfd49895fa68def9f9cc67dc9c8b7a
SHA512b6f50aefa508e81af4e622ffe8436de8ab327aa0af7a45da7e8c0fc663ff343f4774ba2b280bdf825f0fa5936a800908208e8cf82029dd4c9c2acca0d81f9773
-
Filesize
1.3MB
MD5d8c9582e791ae89b4f060bc433a4e8cf
SHA1fec8772ff40c7f28fdd41744a3e42e31eaedc135
SHA25673f94803c41217f2a5ebe0556d249dbce9fa713f7e0ad55b85e837f3fa80f99b
SHA51226d108a441046632c4347f67c8117a2d1dc19c6c36b8a393d0b398796fa29733cc896a03ff090eca0900e13ebb5d9ee4c334d1a1773059a82df827d0f06b75ce
-
Filesize
1.3MB
MD5525cb2b0af3aba5cb9f88fc41f452eca
SHA120746a88c3a11a958d7819b3664eedcd985eb563
SHA25695c426f70ba483c884dbd5cde14653d1779d0b6d11dd71e06391857db9ded1b3
SHA5122f41b1edc63258b156fd605fe44e85d32132f85b6d789c0867b4cc76449dfd60ad315f93d2185bddadee1b178ed331775aa53151878e99ca706c8e14c5f58b7f
-
Filesize
1.3MB
MD58e08955be4be312b42786b1589694b70
SHA1452869d37366fc0c7839e97aa3d1bfbf870f21b1
SHA2569e7cd6b8c1cd81c47c4eb6805925efd99c323f858ebab6532eae596a8a35b2f9
SHA51210070f7af58f8ae00d17858e935da1034c084de4aced0d422a6fb3dec1a56751c4c664de357c6fd19139e1f28aa82b96766739eb4330d717ba777356b13bbee7
-
Filesize
1.3MB
MD5419e33c5a69b2c07e7b08731cb896318
SHA1bc93c377d16239cd9238049c07962a3afd8b96ac
SHA2569cd0ce321d0b44d31209af9d511c7f31a19c9e8fc0c8eac6c49824d31e4bc9a3
SHA5127c3b236839b985f01774f11afac93d25032165cf49fc61eef7287f1df6fdf335a322f083bc22654ec21710e9b9575c5c87ba5f904370a260473e24e46e13e887