Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 22:59
Static task: static1
Behavioral task: behavioral1
Sample: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Resource: win7-20240221-en
General
- Target: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
- Size: 1.8MB
- MD5: 0f922dc4c18c708aa3f863d8701dc5a9
- SHA1: 15dc8ad1edd1c66cffcc85b008bd418a1c43a3ee
- SHA256: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d
- SHA512: 8d27480a36abc7732475af3b0455639b9b47f6fec042ff054ac52f794b8ea98aed1f2de1f77a5959f2124cf05cc943e942b1c98d256af0b03f7e232d051e6a05
- SSDEEP: 49152:Nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAd/snji6attJM:NvbjVkjjCAzJkEnW6at
Malware Config
Signatures
-
Executes dropped EXE (37 IoCs)
pid | process
484 | (no process name recorded)
3068 | alg.exe
1668 | aspnet_state.exe
2728 | mscorsvw.exe
1028 | mscorsvw.exe
1516 | mscorsvw.exe
2968 | mscorsvw.exe
776 | ehRecvr.exe
2400 | ehsched.exe
1588 | mscorsvw.exe
2992 | dllhost.exe
2592 | elevation_service.exe
352 | GROOVE.EXE
1848 | maintenanceservice.exe
1576 | OSE.EXE
1688 | mscorsvw.exe
1488 | OSPPSVC.EXE
2440 | mscorsvw.exe
920 | mscorsvw.exe
2372 | mscorsvw.exe
1792 | mscorsvw.exe
2020 | mscorsvw.exe
1108 | IEEtwCollector.exe
300 | msdtc.exe
296 | msiexec.exe
1424 | perfhost.exe
2972 | locator.exe
2212 | snmptrap.exe
2172 | vds.exe
2432 | vssvc.exe
2976 | wbengine.exe
2208 | WmiApSrv.exe
2688 | wmpnetwk.exe
2480 | SearchIndexer.exe
2848 | mscorsvw.exe
2980 | mscorsvw.exe
2576 | mscorsvw.exe
-
Loads dropped DLL (15 IoCs)
pid | process
484 | (no process name recorded) (8 rows)
296 | msiexec.exe
484 | (no process name recorded) (5 rows)
748 | (no process name recorded)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory (18 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\msiexec.exe | aspnet_state.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\vds.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\vssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbengine.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3202a36278a61a12.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\msdtc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | aspnet_state.exe
-
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\psuser_64.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_uk.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_sl.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_hu.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_cs.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_es.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | aspnet_state.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_en-GB.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_pt-BR.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_am.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | aspnet_state.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1E79.tmp\goopdateres_it.dll | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
-
Drops file in Windows directory (35 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{38D93637-65BB-42A2-B2A5-475F4F6110F8}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{38D93637-65BB-42A2-B2A5-475F4F6110F8}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
-
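The three "Drops file" tables above are the most telling part of this report. The sample opens existing Windows service images (alg.exe, dllhost.exe, aspnet_state.exe, the mscorsvw.exe copies, ehRecvr.exe, ehsched.exe) for modification; those same images then appear under "Executes dropped EXE"; and once running, alg.exe and aspnet_state.exe open a further set of executables under System32 and Program Files for modification. The only rows that are genuinely new files are the "File created" rows for the Google Update temp DLLs. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses the run-together "description ioc process" rows exactly as the page shows them (a path may contain spaces, the process name never does), keeps "File created" rows separate from "File opened for modification" rows, and prints the writer-to-target chain restricted to images the report later executed. The embedded rows are a verbatim subset of the tables above, the EXECUTED set is the "Executes dropped EXE" list, and the chain function's reading of a modified image plus a later process of the same basename as propagation is my inference, not a statement the report makes.

```python
import re
from collections import defaultdict

# Rows copied verbatim (a subset) from the report's "Drops file in ..." tables,
# in the run-together form the page uses: each row is
# "<description> <path> <writing process>" with no separator before the next row.
SAMPLE = "fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe"
FLATTENED_IOCS = (
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\dllhost.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_state.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\ehome\\ehRecvr.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\3202a36278a61a12.bin alg.exe "
    "File opened for modification C:\\Program Files (x86)\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE alg.exe "
    "File opened for modification C:\\Program Files\\Java\\jre7\\bin\\java-rmi.exe aspnet_state.exe "
    "File opened for modification C:\\Windows\\system32\\msiexec.exe aspnet_state.exe "
    "File opened for modification C:\\Windows\\system32\\vssvc.exe aspnet_state.exe "
    "File opened for modification C:\\Windows\\system32\\wbem\\WmiApSrv.exe aspnet_state.exe "
    f"File created C:\\Program Files (x86)\\Google\\Temp\\GUM1E79.tmp\\psuser_64.dll {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe"
)

# Image basenames the report lists under "Executes dropped EXE".
EXECUTED = {
    "alg.exe", "aspnet_state.exe", "mscorsvw.exe", "ehRecvr.exe", "ehsched.exe",
    "dllhost.exe", "elevation_service.exe", "GROOVE.EXE", "maintenanceservice.exe",
    "OSE.EXE", "OSPPSVC.EXE", "IEEtwCollector.exe", "msdtc.exe", "msiexec.exe",
    "perfhost.exe", "locator.exe", "snmptrap.exe", "vds.exe", "vssvc.exe",
    "wbengine.exe", "WmiApSrv.exe", "wmpnetwk.exe", "SearchIndexer.exe",
}

DESCRIPTION = r"File (?:opened for modification|created)"
RECORD_RE = re.compile(
    rf"(?P<desc>{DESCRIPTION})\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"       # drive-letter path; may contain spaces
    r"(?P<proc>\S+)"                      # writing process is a single token
    rf"(?=\s+{DESCRIPTION}|\s*$)"         # ... and runs up to the next row or the end
)


def parse_file_iocs(text):
    """Split a flattened 'description ioc process' table into (desc, path, proc) tuples."""
    return [(m["desc"], m["path"], m["proc"]) for m in RECORD_RE.finditer(text)]


def modified_executables(records):
    """Writer process -> sorted pre-existing .exe paths it opened for modification.

    'File created' rows are left out on purpose: a newly created file is a drop,
    an existing service binary opened for modification is an overwrite."""
    out = defaultdict(set)
    for desc, path, proc in records:
        if desc == "File opened for modification" and path.lower().endswith(".exe"):
            out[proc].add(path)
    return {proc: sorted(paths) for proc, paths in out.items()}


def infection_chain(records, executed=EXECUTED):
    """(writer, target basename) edges, kept only where the target later ran.

    Assumption (mine, not the report's): a process of the same basename that the
    sandbox later executed is the modified copy, so the edge is propagation."""
    edges = set()
    for proc, paths in modified_executables(records).items():
        for path in paths:
            target = path.rsplit("\\", 1)[-1]
            if target in executed:
                edges.add((proc, target))
    return sorted(edges)


if __name__ == "__main__":
    for writer, target in infection_chain(parse_file_iocs(FLATTENED_IOCS)):
        print(f"{writer[:24]:<24} -> {target}")
```

Run against the full tables the chain fans out exactly as the process list shows: the sample writes the first generation of service images, alg.exe and aspnet_state.exe write the rest. A practitioner rebuilding this host should treat every "File opened for modification" target ending in .exe as suspect, not only the files under "Executes dropped EXE".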
Modifies data under HKEY_USERS (37 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value not shown on this page) | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{DF48634B-63D9-413F-990F-705C140B8BB6} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{DF48634B-63D9-413F-990F-705C140B8BB6} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
2596 | ehRec.exe
1668 | aspnet_state.exe (5 rows)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeTakeOwnershipPrivilege | 2972 | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe
Token: SeShutdownPrivilege | 1516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe
Token: SeShutdownPrivilege | 1516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe (2 rows)
Token: 33 (privilege reported by LUID only) | 2784 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2784 | EhTray.exe
Token: SeShutdownPrivilege | 1516 | mscorsvw.exe (2 rows)
Token: SeDebugPrivilege | 2596 | ehRec.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe
Token: 33 (privilege reported by LUID only) | 2784 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2784 | EhTray.exe
Token: SeDebugPrivilege | 3068 | alg.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 1668 | aspnet_state.exe
Token: SeRestorePrivilege | 296 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 296 | msiexec.exe
Token: SeSecurityPrivilege | 296 | msiexec.exe
Token: SeBackupPrivilege | 2432 | vssvc.exe
Token: SeRestorePrivilege | 2432 | vssvc.exe
Token: SeAuditPrivilege | 2432 | vssvc.exe
Token: SeBackupPrivilege | 2976 | wbengine.exe
Token: SeRestorePrivilege | 2976 | wbengine.exe
Token: SeSecurityPrivilege | 2976 | wbengine.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe (3 rows)
Token: SeDebugPrivilege | 1668 | aspnet_state.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe (12 rows)
Token: 33 (privilege reported by LUID only) | 2688 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2688 | wmpnetwk.exe
Token: SeShutdownPrivilege | 2968 | mscorsvw.exe (19 rows)
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
2784 | EhTray.exe (2 rows)
-
Suspicious use of SendNotifyMessage (2 IoCs)
pid | process
2784 | EhTray.exe (2 rows)
-
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | process | target process
PID 2968 wrote to memory of 1588 | 2968 | mscorsvw.exe | mscorsvw.exe (3 rows)
PID 2968 wrote to memory of 1688 | 2968 | mscorsvw.exe | mscorsvw.exe (3 rows)
PID 1516 wrote to memory of 2440 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 920 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 2372 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 1792 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 2020 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 2848 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 2980 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
PID 1516 wrote to memory of 2576 | 1516 | mscorsvw.exe | mscorsvw.exe (4 rows)
-
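The "AdjustPrivilegeToken" and "WriteProcessMemory" tables above are best read together. Every WriteProcessMemory row is one of the two .NET NGen service parents (mscorsvw.exe, PIDs 1516 and 2968) writing into a worker it has just started (the children carry -Comment "NGen Worker Process" on their command lines in the process list below), and those parents only ever enable SeShutdownPrivilege. A parent writing into a freshly created child is what process start-up looks like in this kind of telemetry, not injection on its own. The rows that do stand out are SeDebugPrivilege being enabled by alg.exe (3068) and aspnet_state.exe (1668), two of the service images the sample opened for modification. The Python below is an added example, not from the report or the sandbox: it parses both tables in the run-together form shown above, collapses repeated rows, resolves the bare LUID "33" to SeIncreaseWorkingSetPrivilege by way of the winnt.h constant SE_INC_WORKING_SET_PRIVILEGE (33), which is my mapping and not something the sandbox states, and flags any process that both writes into another process and holds SeDebugPrivilege. The embedded rows are a verbatim subset of the two tables; the HIGH_VALUE privilege set is my selection.

```python
import re
from collections import Counter, defaultdict

# Rows copied verbatim (a subset) from the report's "Suspicious use of
# AdjustPrivilegeToken" table, in the run-together form the page uses.
TOKEN_TABLE = (
    "Token: SeTakeOwnershipPrivilege 2972 fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe "
    "Token: SeShutdownPrivilege 2968 mscorsvw.exe Token: SeShutdownPrivilege 1516 mscorsvw.exe "
    "Token: 33 2784 EhTray.exe Token: SeIncBasePriorityPrivilege 2784 EhTray.exe "
    "Token: SeDebugPrivilege 2596 ehRec.exe Token: SeDebugPrivilege 3068 alg.exe "
    "Token: SeTakeOwnershipPrivilege 1668 aspnet_state.exe Token: SeRestorePrivilege 296 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 296 msiexec.exe Token: SeSecurityPrivilege 296 msiexec.exe "
    "Token: SeBackupPrivilege 2432 vssvc.exe Token: SeRestorePrivilege 2432 vssvc.exe "
    "Token: SeDebugPrivilege 1668 aspnet_state.exe Token: SeShutdownPrivilege 2968 mscorsvw.exe"
)

# Rows copied verbatim (a subset) from the "Suspicious use of WriteProcessMemory" table.
WPM_TABLE = (
    "PID 2968 wrote to memory of 1588 2968 mscorsvw.exe mscorsvw.exe "
    "PID 2968 wrote to memory of 1588 2968 mscorsvw.exe mscorsvw.exe "
    "PID 1516 wrote to memory of 2440 1516 mscorsvw.exe mscorsvw.exe "
    "PID 1516 wrote to memory of 2440 1516 mscorsvw.exe mscorsvw.exe "
    "PID 1516 wrote to memory of 920 1516 mscorsvw.exe mscorsvw.exe"
)

TOKEN_RE = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<sproc>\S+) (?P<dproc>\S+)"
)

# The sandbox prints a bare LUID where it has no name for a privilege. 33 is
# SE_INC_WORKING_SET_PRIVILEGE in winnt.h; this mapping is mine, not the report's.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Privileges that matter when something other than a debugger or backup tool
# enables them (my selection).
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
    "SeBackupPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
}


def privileges_by_process(text):
    """(pid, process) -> set of privileges it adjusted; repeated rows collapse to one."""
    out = defaultdict(set)
    for m in TOKEN_RE.finditer(text):
        out[(int(m["pid"]), m["proc"])].add(LUID_NAMES.get(m["priv"], m["priv"]))
    return dict(out)


def flag_high_value(privs):
    """[(pid, process, sorted high-value privileges)] for every process that enabled any."""
    hits = []
    for (pid, proc), names in sorted(privs.items()):
        wanted = sorted(names & HIGH_VALUE)
        if wanted:
            hits.append((pid, proc, wanted))
    return hits


def memory_writes(text):
    """(src_pid, src_proc, dst_pid, dst_proc) -> number of WriteProcessMemory rows."""
    return Counter(
        (int(m["src"]), m["sproc"], int(m["dst"]), m["dproc"]) for m in WPM_RE.finditer(text)
    )


def writers_with_debug(privs, writes):
    """Writers that both write into another process and hold SeDebugPrivilege.

    A parent writing into a child it has just created (the mscorsvw.exe rows here)
    is what process start-up looks like in this telemetry; a writer that also took
    SeDebugPrivilege is the combination worth treating as injection."""
    return sorted(
        {(src, sproc) for (src, sproc, _, _) in writes
         if "SeDebugPrivilege" in privs.get((src, sproc), set())}
    )


if __name__ == "__main__":
    privs = privileges_by_process(TOKEN_TABLE)
    for pid, proc, names in flag_high_value(privs):
        print(f"{pid:>5} {proc[:24]:<24} {', '.join(names)}")
    writes = memory_writes(WPM_TABLE)
    for (src, sproc, dst, dproc), n in sorted(writes.items()):
        print(f"{src} {sproc} -> {dst} {dproc}: {n} write(s)")
    print("writers holding SeDebugPrivilege:", writers_with_debug(privs, writes) or "none")
```

On this report the injection check comes back empty, which is the right answer: the WriteProcessMemory rows are NGen housekeeping. What the privilege summary surfaces instead is that alg.exe and aspnet_state.exe, neither of which needs to debug anything, enabled SeDebugPrivilege after being overwritten.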
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2972
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3068
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1668
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2728
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1028
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1516
  Child processes of PID 1516:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2440
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 920
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2372
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 1792
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2020
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 1e4 -Pipe 27c -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2848
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 244 -Pipe 284 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2980
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ec -NGENProcess 124 -Pipe 1f4 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 2576
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2968
  Child processes of PID 2968:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 1588
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
      - Executes dropped EXE
      PID: 1688
-
C:\Windows\ehome\ehRecvr.exe
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 776
-
C:\Windows\ehome\ehsched.exe
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
  PID: 2400
-
C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2992
-
C:\Windows\eHome\EhTray.exe
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2784
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 2592
-
C:\Windows\ehome\ehRec.exe
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2596
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 352
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1848
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1576
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1488
-
C:\Windows\system32\IEEtwCollector.exe
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE
  PID: 1108
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 300
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 296
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 1424
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2972 (the same PID the initial sample process had, so the sample had already exited and the PID was reused; pivot on process name, not PID, when matching rows for 2972 in the signature tables)
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2212
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2172
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2432
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2976
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2208
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 706KB
MD5: cda81a493e067bfbe8f7522f95a4ffb8
SHA1: 69dcfdc03d604aea82c83072ed8569f95ecf54d4
SHA256: 85c78e445110d5f913a4e4b899ed5e347a6f715cc03a34e419a446c107c86260
SHA512: 579b5c694da5671383dae8a53b9b645c566b278fa0b6970ff10e8534ef8c4f4c527c642f85a290c2c67bd31daabaecece94ad14b6ed04891cf999f4918c1dde6
-
Filesize: 1.6MB
MD5: 8908942df1b0afa5f55e599af0744ec5
SHA1: 0b72578e56a146d4f0a3670521a867eaab61b854
SHA256: 339a41c4dec351e9f477770c09a162ef5ea9b3effd9062361f2568bb6f2f50ad
SHA512: fc4dcd64b98db9eee2fdab0abb7e957a07c4e889905545d30ebfef733df5794531d8172669e6091cfd469a08738d75a9e068ad0477e8f9f5792da49942f3a9a4
-
Filesize: 1.3MB
MD5: 2267540f7fd2eb7997d072b54bf4fc3f
SHA1: 8d99ee6c480c769b5b2ad14d8a36394059211334
SHA256: 8a05c22fdd98bf45f32919e4e29b14a0e7652775e19f60851547d2961a2fbbc6
SHA512: 85176cb761bb1c423e9206ebffebefbf7080259264bb92d24556d24831a9a180c6160af9a11baf131b0a1936b41b8759af1cc28b545c7032ddedf06eb9f0089b
-
Filesize: 1.0MB
MD5: 40b8c578494d752a8394e19a3fe1cb2b
SHA1: 1dec4dd17c7bfbdd89a3dbd06c9e096b923e2535
SHA256: 90326ec9f3f73808637c570c1677f385c501c422bf37fe4b1788b5e96d3ce94e
SHA512: 9293d08c58085e74a84f5092e192a22f14827838ee128e238dc309b5988ab19526d6f5fcb70343c61e1982b3b8d6b51220d841deeab3375379e80d47e16b0648
-
Filesize: 706KB
MD5: 7d580551e36a27414c55f9c36233a6b6
SHA1: 7be8916203e71ca76223ebf471a026ef4dd7f64a
SHA256: 1abb3a13c12897c821a4d77432125e0bf5f8cf2caad7c1c6aa137596e36498e1
SHA512: b679ebb683b6a5ffceea6f4ece8f9f7911e8410b38a28917ef7c2ed7ad16bbba815b401fa69184f069cbd55865054a5bd61f0b0a1262c23cdc50d048560bc464
-
Filesize: 30.1MB
MD5: f23fb699ca90e94ba0fe6a198a85cf7b
SHA1: 5e44a242438534a292d3664ee84eea8df73f5edc
SHA256: d1a807683529fb712b71a44e7d15821f9044dac14d7aed8a86c958f672c24d65
SHA512: c97858c373b293bc5db7f3c688ae5c260f2f2d5dff4ef455a23e8b0d368791663e42773e0c390ea0856d4e9781affc7cf4390e47892ab4dc45b911ae1f880c4e
-
Filesize: 781KB
MD5: d808803698e57bc6e59125eb1f919337
SHA1: 4fdf09332867df629006a82e49d99abd4e098b04
SHA256: cf2492f53f3b97a35d3de487e9acbd5d480c83a110676cf36c0f4524efc51eff
SHA512: 4c89ce3024087917ab4775649231fb65324fdecc1ee4f70d46a5e0bdbe4af2350d78cc86426ef322dc2c986bc468bbe4294c6c60b8ccaa5ab3b78f42a1d988ab
-
Filesize: 1.1MB
MD5: 8056391784ae8dc7ac99ab95a4651966
SHA1: c35dba823de40ffec60824b5e6cf973b6d8c7e3a
SHA256: d254a18047ba138fa7f94b6caf4eb3b3d7c9b0f42175b64c35531de3e9225803
SHA512: 1ab36192c377e69065e8213c8dd8e93391161caf2938fba3a9588a3b06b155f70287bb10d9bccb3551aa45d9fc34f7e9b0f072f921f4fcfdecd0c8eb52dd5e15
-
Filesize: 1.5MB
MD5: b4435666cb7c9f329cbda20b2772867b
SHA1: eb1fc402ab96b7adea75095fb2d8d9a1d78995f4
SHA256: 820fe6bb3f85e51532f25cc4776d465c80ed9b3c2e87d6f57612a74723fd1af2
SHA512: 12ec13aabd55a2b478027c980cd783280dcbddcc37ea015a8afe3505ae90fe39c87ba9c4903a3a0b8dedda3704f8a9dd2cd54f9a7261008c7f8b4935b5708d51
-
Filesize: 1.2MB
MD5: 5878cb6a1229b44ca89959dbd2baaba3
SHA1: 8c4175bdaf4bc990dd33597dfed692c401530159
SHA256: 59a5380df8c6d201b579c029d9254dd74573859ccf96c522d1547a2f564ed713
SHA512: 7f5683489d0f7c867dd90c31090612921710b613ad7be40ad8914f6dd4eb6a2bc30b90805b043f1eb1d78ccbcf333b20a7b64eb0d46d2baf64ab0cf2c3a6d6c4
-
Filesize: 5.2MB
MD5: 31053717d82707aef40e6115821c67c6
SHA1: c464d42e1df0754d0d2e70f5a3456c6424e2799a
SHA256: 2842f280e97783096932b489b1803f6c0bceaf287bad12852a816452cee41bb2
SHA512: 463abd9974a83219ccbf50292353ab0595aef3ae965651f15e9c9dde1a12c4554d4427d89d670a702c6ec3822b10970a7a92f2f4aca463c59ed32a825e576d24
-
Filesize: 2.1MB
MD5: ab441bde882341bed6a68e176bbe15ac
SHA1: 7731a31529c57d08209bea29829ab36055b0d864
SHA256: 1a4af06c10038f498786b2477a20075de88580f969b0ca98b9ff63702f417c4c
SHA512: b6152c371c9553aded3999b2b2bd7a36645927371ee6d0066937c4d7e1168f29493f84879a54a6eeaf3e4530252b39b509d97c38875880989b60bc646d00da09
-
Filesize: 2.0MB
MD5: 2406d615f4cd1e70f8535223f79f4434
SHA1: 96a51169049dce63a8c550ba1d3576b6aeaeaa6a
SHA256: bc038e51213a383b38d44aabaa937b96f250cf5cf114e5d9323d43b95b1c37cc
SHA512: 3708b1ae7deb0e605bc94f5e3bac915b8f01523f4a67468b7da129ec206d45e126dbfbf86f4cd3d68a1bb10dd556c0e22a4ec61203742870807b83ceb69a0be8
-
Filesize: 872KB
MD5: c723a84a1cde148c14467e421d42f5be
SHA1: 2ae183abeca47023c61e97a3df9ecf42ef94fa97
SHA256: 46909c0db38dd0a54d1b5469068690837b1df1efd116ebfc0c60880134c7f0c0
SHA512: 013f8eec5143e84604357afda0d37be2fe8901f6868736e3f840a5fc1d0e899e19e640a9646aad2ecd7dd11f0b5ecee74c9af4b6e099741a88385d17bd2da6e1
-
Filesize: 603KB
MD5: 11c6036ac3b3302a0c9c5e756db13abe
SHA1: e484cca23318558bedb0ee499d6068b408c2deb5
SHA256: 588bfd5aacd82d668420a659447e70eb4ebe38deb8d65d4755663e944f084589
SHA512: 8b48d99725cad5d39235b73ad9c1d920f430a043a539fc8dbc70e8817aab19d5d02ecbbafc5d5fbba736cfa4b7abb015a5b87ded2ac58b9cea39302962f7d9fd
-
Filesize: 678KB
MD5: 010595c69f8c9dd518e39714a03cb9bc
SHA1: 70004d05e014e5afbcf71200c3e49c6864506a0a
SHA256: 1c2c45edea146852498b4fd9b328e063a92377c571f71823031a99ab20b17cf8
SHA512: ca9dc2f8c4afcd99224a2643343b8a7424c9ecf9480e35410e25d73b71ab5e13ecd4ce4b6f5f85e9dbc6e8600e1502a7aa1c8419f5bd3cc5514c9b1846531f3f
-
Filesize: 625KB
MD5: 280ab23b90146e466a376f8fe4648a53
SHA1: 891db9fcaccff010fde3a381989e1ddccaa2f0ab
SHA256: 1000524f5269d1f0b072b3f413fa8ab482c8642ffebce1ed003598987538aace
SHA512: 8c63b6acc4056ca6a5168d1f0cb2f69ab65a988d417beafe31ddf5e0bdfd0457bcaf929ff6cd697acb6d752a1bcb2a1fcd433cdbc1f039c1fcc311f0f0ddcdde
-
Filesize: 1003KB
MD5: a5986bd85c1c69eba78c07229f5ce0d2
SHA1: fd1675e5e5dd2f9b445d51f21823779da34be7e0
SHA256: ddadd4b25ec9abccc955c0b598b8677c6d5d3336038493620f48201f8f037fbd
SHA512: 182bde394f585604f1c7785dfa26cc302192102580e68c5d8fb2d9251a8d965fc8547d64cf745993bfe74fcf39d3eb73ac63522a4de37e42df84b8d3a2e6e947
-
Filesize: 656KB
MD5: 390ff9a1be9a20080ac2c48197e40b37
SHA1: fc88cbcfebab8f13f2d26c5e7980d1800d1f2d1d
SHA256: e18efd82f8e9a7dcc08f74461e1f31325e77712dc474c82e936795bdc167d44b
SHA512: 1e2f7749bf2187b939a518d89dd85aa802ca48f59d707fda71a0d5468efa963d5ef496dabb73b6037e8b83b00176f8beefc908bb7308ee499a1ae9da9551363c
-
Filesize: 587KB
MD5: f9bc28d421de9981ed5364ee38a97629
SHA1: 693704a7785bac0f7f337283b2b28661dc0cba8f
SHA256: d7e11ce3ca2a43d486cd93b9bdcf3507909c8abc0976b604f7f6a453a7a69700
SHA512: 00c203d23b6c19dd534469f2ce6963a33eced60e0909061fc93210c6f45e76a6bd221de5b4d3ed7f38e2f8b7b89bd355532babb469dca20ddea3e7e56219e95d
-
Filesize: 577KB
MD5: 2d4cf9de191f809e2084e783bd5f110e
SHA1: fb09476c08e085578447d40f8961f4fa54f4d9d8
SHA256: 8d26b07b5a2a915d532dc95d38501a2304a3c43ebff0da6b6fb1c6a84b92317e
SHA512: 9f630543d3e259fd9f94c5a20ae367112a21ca60fe7128a6eea6da0a6b400889f7b3966e782d908cc6d61734d6932cfa7c37e693f86a71378502250294b98c67
-
Filesize: 1.1MB
MD5: 571b358fb420e0add5eeb1f48a89fd57
SHA1: 6ba271eba13e65026da3869c1adc7f61f326e070
SHA256: 5dd8dd76a5d37a1b51577fe2bac27f8281cb4ae7766e3ad42c38b7f2ff543224
SHA512: 57eaf276dd7684d6d905cea3e8fabe56e2e639951f5205806e804f3730945d9aadb9d90ef7a4a5a6ec7b265b92dde9616bbe8ec1a9baae9068f7ca4ac7de03ea
-
Filesize: 2.1MB
MD5: 228ae9a734b0025ab640d6c807b06ade
SHA1: 53375df76150a662a5f078e53389878a2ed241b9
SHA256: 172a4658be1d6ee1385b145afd57be39738cab33e49e31174b7ab8fac6603214
SHA512: 2f426d85bac530576af860241a12d8af4946d2792ffcf707c77aec0d428cdfc0293fba91c27530941a27bb3349ddb0b38f3af12d705c982c7fdf02b82fe44604
-
Filesize: 674KB
MD5: d84fe5fcdac6a6fd4a1320f0b0610905
SHA1: 21da026ba19a627c282f284e01f66827e0bcaf8b
SHA256: 670de2d13e129e916296e0ad2e5a1a5803cf5f22e4bdaf6431ebe49e6ca60269
SHA512: 59a79a1c755200a75ba53b5db2f8c6309d9c1c6a74c198f10f4d33c40d15b16cefb4b651df55d507259b76f8f514c1b789096f904970a767a770544d6cd31e1e
-
Filesize: 581KB
MD5: 4110d7fa54ebbef0e77a9ed2d2c7ef59
SHA1: a17b5ac54b37408f804092a9a8af86df8d5dc577
SHA256: 32409850806bc8ebed21e24ac89791d1f31319a5d7adbe01cad7e813fc180eca
SHA512: 4b4f0f30f85a124458a5733307dc4c4084af5cc37756481770adb2fe7eff030304f6c3e8d9a9f13904f0853585abdf63ff007a023e9e75e64cee1c7fd6ca00b0
-
Filesize: 1.1MB
MD5: d0d7e2c8be8f93875caefe6056531287
SHA1: 6333cb9684d39dcbf23c8fe5b3c7dcfe202c9db1
SHA256: 871ade394c69f904e37f95ce8ac6d5a0ed2339b45b0c93fed89513d93469850f
SHA512: b65a25ff78ce82a14b401bf9243e943ad85bb515f0023ffe2d142cc22cfe1315210c90d601ace4fd307a024e38c65c8f400f3f147735a0034c461e92e3ba196f
-
Filesize: 2.0MB
MD5: 764da1be128f905515ba0feb19adea27
SHA1: 23e1fe7fd8693508688e41e176efc075837c394a
SHA256: 343afb6cccc38ddadaa6bf35eb9d6408c00362ec9591d828ad9f3f37c0a7a73a
SHA512: 9536a23d7712e07c23d8e10c07dadc5a2c4b98b9959191f6173861ca5814d21742749b2b8d8b445292919a2d0ea4a631c331361f5d1b37823ca75f05294683ba
-
Filesize: 691KB
MD5: bf8781f26a4e071fd08b9144e01fbd1f
SHA1: b461585e39623e6cfd6ed2b4529ccaf4bd97fc14
SHA256: 6eb55030206d94785c20a5e3dd1b698cf71c436790e2a2ffe632fed6662e2fe3
SHA512: 5c8910b1ee1592b0dc8bbd7b8415127aee02905874faa6f135d35a081863d177a07049759f5345975d849adb40d707f2dd2a77f649ab22968fdc1b9d6a895ffd
-
Filesize: 648KB
MD5: 951f23d8d6f604088edaf6d08d8e6aa4
SHA1: 6d61f5785c947c897daefec0a350c37ce2bc405a
SHA256: e508b28f94f8ec75e27ebfe5af8507a7136d6c17d91e5495dfd4fa4e87fca26e
SHA512: 90a4d5385836089168b6cc143039ff976756d92761a736c6f915aec3e4e85e560b48041ec4d7a5c3ae68ca055625270b63858380bc179dbf739d65ded5c4a508
-
Filesize: 644KB
MD5: 649f40101f35c00415c5037a934b8564
SHA1: 2928a0aac2f4eeb65902177d38800602dfd00fcb
SHA256: f13be82a5e41846248adb2b106efa901de4513449810646d36b9c8fbaa6afc28
SHA512: f4e69c7e17f02ae143de06ffcf9aa2f9e5b7e6cdbefa7556715eeea454416e66d7e1c26fbb1dad641382b1dd8aab0461dbd29b0944636da075685662a07266d8
-
Filesize: 577KB
MD5: 262f4dfac67c95164d72f76fed393aed
SHA1: de67b7aa3bb7872d48ffe25ba03648bd07470d81
SHA256: e5bc1a68ca51f0160155c0a1c0fddbbc5fb43cd4c9934f55988dbb0bfb3f27a9
SHA512: 3448341feab8572675e0d6509337784d91df81420baaf7f508343efbc40b13b8f08f679e66f7bf80523d35088a064765d77bb689ec27755c64129b0872ef9ea2
-
Filesize: 705KB
MD5: d2e4606bf8fcdc565fbeef9e8243d053
SHA1: fcbd1f15959be168a87a7809733b2798d54e3d31
SHA256: dd184c89ff814d29bd782179912c3ad21a66633addd64f34a1150e369d202980
SHA512: cd9eaf663c11b57c9b6724f8ca0e0c279e13bf84184a194b57006e7ebb0d16a7f98882f796831bb1f20a9729673f1f8f6062d17d6f3e8180db8efa4899b1370d
-
Filesize: 691KB
MD5: 1301e9c80df93f032effc6d93c727635
SHA1: 2b0f2f42d2bd5bfdcfdd12bd110bc27e79a2b9d1
SHA256: 292c52a5e765264488ac7c27e2867d2745e773939395cd694df5bc4c765340e9
SHA512: 1129037064eb64ca6869639e58b8e3f65a0fb5329da153f6b48c8030fed92d17d07c828724617da9cdcd9f367966fe79951a5662a9f82e52e4d4142b6fb45ac4
-
Filesize: 765KB
MD5: 8e95b8b1d7cdb0a121345bceacc4614a
SHA1: ef55d6a3f2c119fbdbdd7558d90a39245b6e0d74
SHA256: 2551d41e63a4cd3304b15acf7cc0141f64acc57bfc9840bf1c0950d5c82262ef
SHA512: c4aaf46bb0e0d4346ed40cf171afb52e0ce917459974f13cebed88816596b8a56a8c48188d17820c3dea3a041015fb6d04dfc26c962bd8b5e904f8284d4c181a
-
Filesize: 1.2MB
MD5: ed6540ed2906a0a4338a3834a083dcd1
SHA1: eb425ec55d9711d7a82e31a84bf81c43c555d357
SHA256: ed41a0061dd45d16e26745de114258f9249ad3e4f062e87966d564c7a485cc6c
SHA512: 56cb678038b1516e63422eb10ee67a6a13466704efe6efd53c810d24c86e78b216898fe4ae73a97851ec56091401a32ed5cff34aff6ef696b5e059f4b21699dc
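The process tree and dropped-file list above are hard to act on by hand: the notable pattern in this run is that many Windows and vendor service images (msiexec.exe, vds.exe, wbengine.exe, GROOVE.EXE, elevation_service.exe and others) are reported as "Executes dropped EXE", which is consistent with the sample having written over legitimate service binaries that the OS later started on demand. The Python below is an added example, not part of the sandbox report or of the Triage tooling. It parses the flattened report text as it reads on this page (image path run straight into the command line with a trailing depth marker; hash labels run into their digests) into records, lists the processes flagged "Executes dropped EXE" whose image sits under C:\Windows or C:\Program Files, validates digest lengths so a garbled hash is caught rather than silently stored, and matches SHA-256 values computed on a host against the dropped-file list. The report excerpts embedded as sample input are copied from this page; the host hash table is constructed for illustration; the TRUSTED_PREFIXES list and the single-digit depth marker are assumptions.

```python
"""Structure a flattened Triage-style sandbox report (process tree + dropped files).

Added example, not part of the sandbox report. Assumed input format, as the report
reads on this page: a process entry is one line with the image path run straight
into its command line plus a trailing "<depth>⤵" marker (assumption: one digit),
followed by "- <signature>" lines and a "PID:<n>" line; a dropped file is a
"Filesize" line, its size, then MD5/SHA1/SHA256/SHA512 labels run into (or
separated by ": " from) their digests.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-f]+)$", re.I)
DEPTH_RE = re.compile(r"(\d)⤵\s*$")
# Assumption: images under these paths are normally OS/vendor-signed, so a
# "dropped EXE" executing from them suggests a legitimate binary was overwritten.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Process:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: list = field(default_factory=list)


def split_process_line(line: str) -> tuple:
    """Split '<image><cmdline><depth>⤵' into (image, cmdline, depth).

    The command line restarts with the image path (quoted or bare), so the image
    ends at the first offset where the remainder begins with the prefix so far.
    """
    m = DEPTH_RE.search(line)
    depth = int(m.group(1)) if m else 0
    body = line[: m.start()] if m else line
    for i in range(1, len(body)):
        head, rest = body[:i], body[i:]
        if rest.startswith(head) or rest.startswith('"' + head):
            return head, rest, depth
    return body, body, depth  # no repetition found: keep the whole line as both


def parse_processes(text: str) -> list:
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if "⤵" in line:
            procs.append(Process(*split_process_line(line)))
        elif procs and line.startswith("- "):
            procs[-1].signatures.append(line[2:].strip())
        elif procs and line.upper().startswith("PID:"):
            procs[-1].pid = int(line.split(":", 1)[1])
    return procs


def dropped_exe_in_trusted_dirs(procs: list) -> list:
    """Processes flagged 'Executes dropped EXE' whose image lives in an OS/vendor directory."""
    return [p for p in procs
            if "Executes dropped EXE" in p.signatures
            and p.image.lower().startswith(TRUSTED_PREFIXES)]


def parse_dropped_files(text: str) -> list:
    files, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Filesize"):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            size = line.split(":", 1)[1] if ":" in line else nxt
            cur = {"size": size.strip()}
            files.append(cur)
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # truncated or garbled digest
                raise ValueError(f"{algo} digest has wrong length: {line}")
            cur[algo] = digest
    return files


def match_host_hashes(files: list, observed: dict) -> dict:
    """observed maps a host file path to its SHA-256; returns the paths found in the dropped list."""
    by_sha256 = {f["SHA256"]: f for f in files if "SHA256" in f}
    return {path: by_sha256[h.lower()] for path, h in observed.items() if h.lower() in by_sha256}


# Excerpts copied from the report on this page, in its raw flattened form.
SAMPLE_PROCESSES = r"""
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2784
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2592
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:296
"""
SAMPLE_DROPPED = """
-
Filesize
706KB
MD5cda81a493e067bfbe8f7522f95a4ffb8
SHA169dcfdc03d604aea82c83072ed8569f95ecf54d4
SHA25685c78e445110d5f913a4e4b899ed5e347a6f715cc03a34e419a446c107c86260
SHA512579b5c694da5671383dae8a53b9b645c566b278fa0b6970ff10e8534ef8c4f4c527c642f85a290c2c67bd31daabaecece94ad14b6ed04891cf999f4918c1dde6
-
Filesize
1.6MB
MD58908942df1b0afa5f55e599af0744ec5
SHA10b72578e56a146d4f0a3670521a867eaab61b854
SHA256339a41c4dec351e9f477770c09a162ef5ea9b3effd9062361f2568bb6f2f50ad
SHA512fc4dcd64b98db9eee2fdab0abb7e957a07c4e889905545d30ebfef733df5794531d8172669e6091cfd469a08738d75a9e068ad0477e8f9f5792da49942f3a9a4
"""
# Constructed host inventory (path -> SHA-256), not real measurements: one hash from
# the report above in upper case, one placeholder value that should not match.
HOST_SHA256 = {
    r"C:\Windows\system32\msiexec.exe": "85C78E445110D5F913A4E4B899ED5E347A6F715CC03A34E419A446C107C86260",
    r"C:\Windows\system32\locator.exe": "0" * 64,
}

if __name__ == "__main__":
    for p in dropped_exe_in_trusted_dirs(parse_processes(SAMPLE_PROCESSES)):
        print(f"dropped EXE from trusted dir: pid={p.pid} {p.cmdline}")
    for path, rec in match_host_hashes(parse_dropped_files(SAMPLE_DROPPED), HOST_SHA256).items():
        print(f"host file {path} matches dropped file of size {rec['size']}")
```

The image/command-line split relies on the command line repeating the image path, which is how every entry on this page is laid out; entries that do not follow that pattern fall back to treating the whole line as both fields rather than guessing.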