Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:32

Static task: static1
Behavioral task: behavioral1
Sample: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
Resource: win7-20240221-en

General

Target: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
Size: 805KB
MD5: 54425fc7095f1214a487b1a057b39198
SHA1: 8749ead7231553bdd1a08959eea3b07cb9a839d6
SHA256: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1
SHA512: 50ec59575947afe0d43bc737721301d7edb2b623fdff98706552de07b12d57c043206a88d9e139d83a3754a8aa6745f377d95028ad7682c4287629deee72cf15
SSDEEP: 12288:rlGp0BYJKQ1uBeAMlwesHU8wqy2VYCIbvpOBlU1RlgIDMCZgjtGlxHZ9/I:rXf1SwPHU8X31PfU17DhZy0lxHZ9/I
Malware Config
Signatures
Executes dropped EXE (43 IoCs)
Processes (pid | process):
472 | (process name absent from report)
3048 | alg.exe
2668 | aspnet_state.exe
2596 | mscorsvw.exe
2548 | mscorsvw.exe
2768 | mscorsvw.exe
1368 | mscorsvw.exe
792 | dllhost.exe
1604 | ehRecvr.exe
572 | ehsched.exe
1060 | elevation_service.exe
2880 | IEEtwCollector.exe
828 | GROOVE.EXE
2156 | maintenanceservice.exe
1588 | msdtc.exe
2704 | msiexec.exe
2292 | mscorsvw.exe
2696 | OSE.EXE
2344 | OSPPSVC.EXE
2500 | perfhost.exe
1540 | locator.exe
1544 | snmptrap.exe
1944 | vds.exe
924 | vssvc.exe
1984 | wbengine.exe
2844 | WmiApSrv.exe
2456 | wmpnetwk.exe
2052 | SearchIndexer.exe
1276 | mscorsvw.exe
2624 | mscorsvw.exe
544 | mscorsvw.exe
868 | mscorsvw.exe
2516 | mscorsvw.exe
2068 | mscorsvw.exe
1212 | mscorsvw.exe
912 | mscorsvw.exe
1580 | mscorsvw.exe
1004 | mscorsvw.exe
2804 | mscorsvw.exe
2208 | mscorsvw.exe
2192 | mscorsvw.exe
1636 | mscorsvw.exe
1596 | mscorsvw.exe

Loads dropped DLL (15 IoCs)
Processes (pid | process):
472 | (process name absent from report), 8 entries
2704 | msiexec.exe
472 | (process name absent from report), 5 entries
736 | (process name absent from report)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (19 IoCs)
Processes: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, alg.exe, GROOVE.EXE, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\alg.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5f0242af9a3c2c1c.bin | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\locator.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\System32\vds.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\snmptrap.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, alg.exe
All 64 entries have the description "File opened for modification".
ioc | process
C:\Program Files\DVD Maker\DVDMaker.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jre7\bin\rmiregistry.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | alg.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | alg.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | alg.exe
C:\Program Files\Java\jre7\bin\pack200.exe | alg.exe
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Mozilla Firefox\updater.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | alg.exe
C:\Program Files\Java\jre7\bin\servertool.exe | alg.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jre7\bin\pack200.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | alg.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jre7\bin\jp2launcher.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
C:\Program Files\Java\jre7\bin\policytool.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jre7\bin\policytool.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\7-Zip\7zFM.exe | alg.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | alg.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
Drops file in Windows directory (33 IoCs)
Processes: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, mscorsvw.exe, alg.exe, dllhost.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06217F96-5016-4D11-AB1F-ED9B93D0CF78}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06217F96-5016-4D11-AB1F-ED9B93D0CF78}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Modifies data under HKEY_USERS (54 IoCs)
Processes: ehRec.exe, OSPPSVC.EXE, SearchIndexer.exe, SearchProtocolHost.exe, ehRecvr.exe, wmpnetwk.exe, GROOVE.EXE
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C9658EE7-8ED9-45C9-A1C5-AB8F060375FD} | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{C9658EE7-8ED9-45C9-A1C5-AB8F060375FD} | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid | process):
912 | ehRec.exe
2948 | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, 25 entries
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes: 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, mscorsvw.exe, EhTray.exe, msiexec.exe, ehRec.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, wmpnetwk.exe, alg.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 2948 | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
Token: SeShutdownPrivilege | 2768 | mscorsvw.exe
Token: SeShutdownPrivilege | 1368 | mscorsvw.exe
Token: SeShutdownPrivilege | 2768 | mscorsvw.exe
Token: SeShutdownPrivilege | 1368 | mscorsvw.exe
Token: SeShutdownPrivilege | 2768 | mscorsvw.exe
Token: SeShutdownPrivilege | 2768 | mscorsvw.exe
Token: 33 | 896 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 896 | EhTray.exe
Token: SeShutdownPrivilege | 1368 | mscorsvw.exe
Token: SeShutdownPrivilege | 1368 | mscorsvw.exe
Token: SeRestorePrivilege | 2704 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2704 | msiexec.exe
Token: SeSecurityPrivilege | 2704 | msiexec.exe
Token: SeDebugPrivilege | 912 | ehRec.exe
Token: SeBackupPrivilege | 924 | vssvc.exe
Token: SeRestorePrivilege | 924 | vssvc.exe
Token: SeAuditPrivilege | 924 | vssvc.exe
Token: SeBackupPrivilege | 1984 | wbengine.exe
Token: SeRestorePrivilege | 1984 | wbengine.exe
Token: SeSecurityPrivilege | 1984 | wbengine.exe
Token: SeManageVolumePrivilege | 2052 | SearchIndexer.exe
Token: 33 | 2052 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2052 | SearchIndexer.exe
Token: 33 | 2456 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2456 | wmpnetwk.exe
Token: 33 | 896 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 896 | EhTray.exe
Token: SeDebugPrivilege | 2948 | 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe, 5 entries
Token: SeDebugPrivilege | 3048 | alg.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
896 | EhTray.exe, 2 entries

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process):
896 | EhTray.exe, 2 entries

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid | process):
1460 | SearchProtocolHost.exe, 5 entries
2644 | SearchProtocolHost.exe, 6 entries

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: mscorsvw.exe, SearchIndexer.exe
description | pid | process | target process (repeated entries grouped, with their count)
PID 2768 wrote to memory of 2292 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2052 wrote to memory of 1460 | 2052 | SearchIndexer.exe | SearchProtocolHost.exe, 3 entries
PID 2052 wrote to memory of 2692 | 2052 | SearchIndexer.exe | SearchFilterHost.exe, 3 entries
PID 2768 wrote to memory of 1276 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2624 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 544 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2052 wrote to memory of 2644 | 2052 | SearchIndexer.exe | SearchProtocolHost.exe, 3 entries
PID 2768 wrote to memory of 868 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2516 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2068 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 1212 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 912 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 1580 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 1004 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2804 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2208 | 2768 | mscorsvw.exe | mscorsvw.exe, 4 entries
PID 2768 wrote to memory of 2192 | 2768 | mscorsvw.exe | mscorsvw.exe, 3 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2948
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3048
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID: 2668
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2596
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2548
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2768
Child processes (NGen worker processes spawned by PID 2768):
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2292
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1276
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2624
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 544
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 868
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 260 -Pipe 1e8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2516
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1dc -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2068
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1212
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 254 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 912
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1ac -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1580
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ac -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1004
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2804
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 298 -Pipe 1ac -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2208
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a0 -NGENProcess 27c -Pipe 29c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 2192
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 11c -Pipe 120 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1636
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID: 1596
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1368
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 792
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1604
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 572
-
C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 896
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 1060
-
C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 912
-
C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 2880
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 828
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2156
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 1588
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2704
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2696
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2344
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2500
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1540
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1544
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1944
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 924
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1984
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2844
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2456
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2052
Child processes (spawned by PID 2052):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  - Suspicious use of SetWindowsHookEx
  PID: 1460
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  PID: 2692
  -
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 2644
-
Network
MITRE ATT&CK Enterprise v15
Downloads