Analysis
max time kernel: 154s
max time network: 167s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 19:58

Static task: static1
Behavioral task: behavioral1
Sample: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
Resource: win7-20240221-en

General
Target: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
Size: 1.8MB
MD5: 963d920f95753f80594ae3438bbdb5c3
SHA1: a94b3fe25fa51339b750a568fa429dc8f5991374
SHA256: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352
SHA512: 6611f73b1f45345813573b60cb055d3589b2f93ac04b192bd13bbefb78909ff02a0aca2c32dd37a0ebc996820b85b7c1f53bcbd1bb615d72103ae53303d00488
SSDEEP: 49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA/kQ/qoLEw:rvbjVkjjCAzJMqo4w
Malware Config

Signatures

Executes dropped EXE (45 IoCs)
Processes: alg.exe, aspnet_state.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, mscorsvw.exe, dllhost.exe, ehRecvr.exe, ehsched.exe, elevation_service.exe, IEEtwCollector.exe, GROOVE.EXE, mscorsvw.exe, maintenanceservice.exe, msdtc.exe, msiexec.exe, OSE.EXE, OSPPSVC.EXE, perfhost.exe, locator.exe, snmptrap.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, wmpnetwk.exe, mscorsvw.exe, SearchIndexer.exe, mscorsvw.exe (x16)
pid  | process
464  |
2572 | alg.exe
2124 | aspnet_state.exe
2552 | mscorsvw.exe
2800 | mscorsvw.exe
752  | mscorsvw.exe
592  | mscorsvw.exe
1556 | dllhost.exe
2204 | ehRecvr.exe
1940 | ehsched.exe
1804 | elevation_service.exe
844  | IEEtwCollector.exe
1880 | GROOVE.EXE
2172 | mscorsvw.exe
2440 | maintenanceservice.exe
2780 | msdtc.exe
2152 | msiexec.exe
688  | OSE.EXE
564  | OSPPSVC.EXE
2836 | perfhost.exe
2116 | locator.exe
2360 | snmptrap.exe
2760 | vds.exe
2348 | vssvc.exe
2748 | wbengine.exe
2212 | WmiApSrv.exe
1340 | wmpnetwk.exe
2536 | mscorsvw.exe
3040 | SearchIndexer.exe
1748 | mscorsvw.exe
1200 | mscorsvw.exe
2584 | mscorsvw.exe
1612 | mscorsvw.exe
1664 | mscorsvw.exe
2940 | mscorsvw.exe
2476 | mscorsvw.exe
1920 | mscorsvw.exe
1700 | mscorsvw.exe
1000 | mscorsvw.exe
2808 | mscorsvw.exe
1688 | mscorsvw.exe
2772 | mscorsvw.exe
2268 | mscorsvw.exe
2452 | mscorsvw.exe
2720 | mscorsvw.exe
Loads dropped DLL (15 IoCs)
Processes: msiexec.exe
pid  | process
464  |
464  |
464  |
464  |
464  |
464  |
464  |
464  |
2152 | msiexec.exe
464  |
464  |
464  |
464  |
464  |
760  |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (17 IoCs)
Processes: msdtc.exe, edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe, alg.exe, GROOVE.EXE
description | ioc | process
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1d4ef91d4501ed38.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\msiexec.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\wbengine.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\vssvc.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\System32\alg.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\locator.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\System32\vds.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\msdtc.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
Drops file in Program Files directory (64 IoCs)
Processes: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
description: File opened for modification (all 64 entries)
process: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe (all 64 entries)
ioc:
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
C:\Program Files\Java\jre7\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files (x86)\Google\Update\Install\{A460FDBD-01C6-4800-8EDB-C87720E1D9B6}\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
C:\Program Files\Java\jre7\bin\kinit.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
C:\Program Files\Java\jre7\bin\pack200.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
C:\Program Files\Java\jre7\bin\rmiregistry.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
C:\Program Files\Internet Explorer\ieinstal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
C:\Program Files\Java\jre7\bin\javaw.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
Drops file in Windows directory (28 IoCs)
Processes: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe, mscorsvw.exe, mscorsvw.exe, dllhost.exe, mscorsvw.exe, mscorsvw.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A27DEAA5-6B85-40EB-B2BE-7500CFA9C502}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A27DEAA5-6B85-40EB-B2BE-7500CFA9C502}.crmlog | dllhost.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Modifies data under HKEY_USERS (54 IoCs)
Processes: SearchIndexer.exe, ehRec.exe, wmpnetwk.exe, SearchProtocolHost.exe, ehRecvr.exe, GROOVE.EXE, OSPPSVC.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{CBD3AE77-E161-4484-BB6D-5979BF0D3C83} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{CBD3AE77-E161-4484-BB6D-5979BF0D3C83} | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value elided) | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: ehRec.exe, ehRec.exe, edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
pid  | process
856  | ehRec.exe
1380 | ehRec.exe
3000 | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe (25 entries)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes: edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe, mscorsvw.exe, mscorsvw.exe, EhTray.exe, msiexec.exe, ehRec.exe, vssvc.exe, wbengine.exe, wmpnetwk.exe, ehRec.exe, SearchIndexer.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 3000 | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe
Token: SeShutdownPrivilege | 752 | mscorsvw.exe
Token: SeShutdownPrivilege | 592 | mscorsvw.exe
Token: SeShutdownPrivilege | 752 | mscorsvw.exe
Token: SeShutdownPrivilege | 752 | mscorsvw.exe
Token: SeShutdownPrivilege | 752 | mscorsvw.exe
Token: SeShutdownPrivilege | 592 | mscorsvw.exe
Token: 33 | 2104 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2104 | EhTray.exe
Token: SeShutdownPrivilege | 592 | mscorsvw.exe
Token: SeShutdownPrivilege | 592 | mscorsvw.exe
Token: SeRestorePrivilege | 2152 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2152 | msiexec.exe
Token: SeSecurityPrivilege | 2152 | msiexec.exe
Token: SeDebugPrivilege | 856 | ehRec.exe
Token: SeBackupPrivilege | 2348 | vssvc.exe
Token: SeRestorePrivilege | 2348 | vssvc.exe
Token: SeAuditPrivilege | 2348 | vssvc.exe
Token: SeBackupPrivilege | 2748 | wbengine.exe
Token: SeRestorePrivilege | 2748 | wbengine.exe
Token: SeSecurityPrivilege | 2748 | wbengine.exe
Token: 33 | 2104 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2104 | EhTray.exe
Token: 33 | 1340 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1340 | wmpnetwk.exe
Token: SeDebugPrivilege | 1380 | ehRec.exe
Token: SeManageVolumePrivilege | 3040 | SearchIndexer.exe
Token: 33 | 3040 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3040 | SearchIndexer.exe
Token: SeDebugPrivilege | 3000 | edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe (5 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EhTray.exe
pid  | process
2104 | EhTray.exe
2104 | EhTray.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: EhTray.exe
pid  | process
2104 | EhTray.exe
2104 | EhTray.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: SearchProtocolHost.exe, SearchProtocolHost.exe
pid  | process
2644 | SearchProtocolHost.exe (5 entries)
548  | SearchProtocolHost.exe (6 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: mscorsvw.exe, SearchIndexer.exe
description | pid | process | target process
PID 752 wrote to memory of 2172 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 2536 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 3040 wrote to memory of 2644 | 3040 | SearchIndexer.exe | SearchProtocolHost.exe (3 entries)
PID 752 wrote to memory of 1748 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 3040 wrote to memory of 2036 | 3040 | SearchIndexer.exe | SearchFilterHost.exe (3 entries)
PID 752 wrote to memory of 1200 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 2584 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 1612 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 3040 wrote to memory of 548 | 3040 | SearchIndexer.exe | SearchProtocolHost.exe (3 entries)
PID 752 wrote to memory of 1664 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 2940 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 2476 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 1920 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 1700 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 1000 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID 752 wrote to memory of 2808 | 752 | mscorsvw.exe | mscorsvw.exe (4 entries)
PID
752 wrote to memory of 1688 752 mscorsvw.exe mscorsvw.exe PID 752 wrote to memory of 1688 752 mscorsvw.exe mscorsvw.exe PID 752 wrote to memory of 1688 752 mscorsvw.exe mscorsvw.exe -
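These rows are easier to judge once grouped by the writing process. The Python below is an editor's example added to this page, not code from the report or from the sandbox vendor: it parses the rows in the run-together form the report export emits them (`PID <src> wrote to memory of <dst> <src> <src image> <dst image>`, one phrase per event), groups them per writer with an event count, and lists the pairs where the target runs a different image than the writer. The embedded input is an excerpt copied from the rows above. What the grouping shows for this run: both writers are parents writing into children that appear under them in the process tree (the NGen service, PID 752, into its `NGen Worker Process` instances; SearchIndexer, PID 3040, into SearchProtocolHost and SearchFilterHost), and the sample's own PID 3000 never appears as a writer, so this signature on its own is not evidence of injection by the sample.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the WriteProcessMemory rows copied from the report above, in the raw
# run-together form of the export (one event per "PID ... wrote to memory of ..." phrase).
ROWS_EXCERPT = (
    "PID 752 wrote to memory of 2172 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2172 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2172 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2172 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2536 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2536 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2536 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 2536 752 mscorsvw.exe mscorsvw.exe "
    "PID 3040 wrote to memory of 2644 3040 SearchIndexer.exe SearchProtocolHost.exe "
    "PID 3040 wrote to memory of 2644 3040 SearchIndexer.exe SearchProtocolHost.exe "
    "PID 3040 wrote to memory of 2644 3040 SearchIndexer.exe SearchProtocolHost.exe "
    "PID 752 wrote to memory of 1748 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 1748 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 1748 752 mscorsvw.exe mscorsvw.exe "
    "PID 752 wrote to memory of 1748 752 mscorsvw.exe mscorsvw.exe "
    "PID 3040 wrote to memory of 2036 3040 SearchIndexer.exe SearchFilterHost.exe "
    "PID 3040 wrote to memory of 2036 3040 SearchIndexer.exe SearchFilterHost.exe "
    "PID 3040 wrote to memory of 2036 3040 SearchIndexer.exe SearchFilterHost.exe"
)

# description, then the pid / process / target process columns of the report table
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_events(text):
    """One (src_pid, src_image, dst_pid, dst_image) tuple per event, in report order."""
    events = []
    for m in ROW.finditer(text):
        src, dst, src_again, src_image, dst_image = m.groups()
        if src != src_again:  # the pid column must repeat the writer named in the description
            raise ValueError(f"malformed row: {m.group(0)!r}")
        events.append((int(src), src_image, int(dst), dst_image))
    return events


def by_writer(events):
    """{(src_pid, src_image): {(dst_pid, dst_image): event_count}}"""
    grouped = defaultdict(Counter)
    for src, src_image, dst, dst_image in events:
        grouped[(src, src_image)][(dst, dst_image)] += 1
    return {writer: dict(targets) for writer, targets in grouped.items()}


def cross_image_writes(events):
    """Writer/target pairs where the target runs a different image than the writer."""
    return sorted({(src, src_image, dst, dst_image)
                   for src, src_image, dst, dst_image in events
                   if src_image.lower() != dst_image.lower()})


def absent_writers(events, pids):
    """PIDs from `pids` that never appear as a writer (e.g. the sample's own PID)."""
    writers = {src for src, _, _, _ in events}
    return sorted(set(pids) - writers)


if __name__ == "__main__":
    ev = parse_events(ROWS_EXCERPT)
    for writer, targets in by_writer(ev).items():
        print(writer, targets)
    print("cross-image writes:", cross_image_writes(ev))
    print("never a writer:", absent_writers(ev, [3000]))
```

Cross-image pairs are the ones worth a second look in any report; here they are only SearchIndexer writing into the two Windows Search helper processes it launched.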
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry gives the image path, the PID, the command line and the behaviour flags raised for that process; indented entries are children of the process above them.

C:\Users\Admin\AppData\Local\Temp\edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe (PID 2572)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2124)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 2552)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 2800)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 752)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2172, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2536, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1748, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ac -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1200, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2584, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 184 -Pipe 244 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1612, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1664, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 23c -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2940, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 184 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2476, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 184 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1920, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 184 -NGENProcess 1ac -Pipe 268 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1700, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 254 -Pipe 184 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1000, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2808, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1688, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2772, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 288 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2268, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2452, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 1ac -Pipe 248 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2720, child of 752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
      - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 592)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dllhost.exe (PID 1556)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\ehome\ehRecvr.exe (PID 2204)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\ehome\ehsched.exe (PID 1940)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1804)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (PID 2104)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\IEEtwCollector.exe (PID 844)
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

C:\Windows\ehome\ehRec.exe (PID 856)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1880)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2440)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe (PID 2780)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\msiexec.exe (PID 2152)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 688)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 564)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\SysWow64\perfhost.exe (PID 2836)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

C:\Windows\system32\locator.exe (PID 2116)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE

C:\Windows\System32\snmptrap.exe (PID 2360)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

C:\Windows\System32\vds.exe (PID 2760)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2348)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 2748)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 2212)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 1340)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SearchIndexer.exe (PID 3040)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\SearchProtocolHost.exe (PID 2644, child of 3040)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\SearchFilterHost.exe (PID 2036, child of 3040)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    C:\Windows\system32\SearchProtocolHost.exe (PID 548, child of 3040)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      - Suspicious use of SetWindowsHookEx

C:\Windows\ehome\ehRec.exe (PID 1380)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
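For incident response the actionable output of this tree is the list of images flagged Executes dropped EXE: those files were written during the run (the sample is the process flagged for dropping files in the System32, Program Files and Windows directories) and then executed, so each of them on an affected host needs its signature checked and the file restored. The Python below is an editor's example added to this page, not part of the report or the sandbox's own tooling: it parses the tree in the raw form the report export emits it (image path immediately followed by the command line and a one-digit depth before the ⤵ arrow, then the flag bullets and a `PID:` line, with a child's `PID:` occasionally on the same line as its command), rebuilds parent/child links from the depth digit, and lists the distinct dropped images. The embedded input is an excerpt copied from the tree above; the single-digit depth is an assumption that holds for this report.

```python
# Excerpt of the process tree copied from the report above, in the raw form the
# export emits: "<image><command line><depth>⤵", then "- <flag>" bullets and a
# "PID:<n>" line; a lone "-" separates top-level entries. Depth 1 is a root
# process, depth 2 a child of the nearest preceding depth-1 entry.
TREE_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe"C:\Users\Admin\AppData\Local\Temp\edaaf5f891682323c24c6a219e1084bab24901468f15640f5bf0605463401352.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2172
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2104
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:2036
"""

DEPTH_MARK = "⤵"


def parse_tree(text):
    """Entries in report order: dicts with pid, depth, image, cmdline, flags, parent."""
    entries = []
    current = None
    last_at_depth = {}  # depth -> most recent entry at that depth, for parent lookup
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if DEPTH_MARK in line:
            head, _, rest = line.partition(DEPTH_MARK)
            depth = int(head[-1])  # assumption: depth is a single digit, as in this report
            cmd = head[:-1]
            end = cmd.lower().find(".exe")  # the image path ends at the first ".exe"
            if end < 0:
                raise ValueError(f"no image path in: {line!r}")
            end += len(".exe")
            parent = last_at_depth.get(depth - 1)
            current = {
                "pid": None,
                "depth": depth,
                "image": cmd[:end],
                "cmdline": cmd[end:],
                "flags": [],
                "parent": parent["pid"] if parent else None,
            }
            entries.append(current)
            last_at_depth[depth] = current
            line = rest.strip()  # a "PID:<n>" may follow on the same line
            if not line:
                continue
        if line.startswith("- "):
            current["flags"].append(line[2:])
        elif line.startswith("PID:"):
            current["pid"] = int(line[4:].split()[0])  # "PID:752 -" carries a trailing bullet
    return entries


def dropped_images(entries):
    """Distinct image paths that ran from a file written during the analysis."""
    return sorted({e["image"] for e in entries if "Executes dropped EXE" in e["flags"]})


def children(entries, pid):
    return [e["pid"] for e in entries if e["parent"] == pid]


if __name__ == "__main__":
    tree = parse_tree(TREE_EXCERPT)
    for e in tree:
        print("  " * (e["depth"] - 1) + f'{e["image"]} (PID {e["pid"]}, parent {e["parent"]})')
    print("dropped images:", *dropped_images(tree), sep="\n  ")
```

Run against the full report text the same parser yields the complete list of overwritten service and application binaries; the list is what to feed into a signature check on the affected hosts, since a dropped copy of a Microsoft or vendor binary will no longer carry a valid Authenticode signature.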
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD5a3777855b8a44fa8f697040cd7f2cd98
SHA16eb53d6a6e97d31b4b187a3d8941c73aed544ef6
SHA256f8f75fc1b6c227d7ab3772e4ffc60dda353808a181ba63a522d98309a506801b
SHA51262f5485bb56c9af11b6640b274c44be7223deed1e0420327a10ab894b60298b04c96e017453c6f5f86cd03c69c3c86233271537a684e69771e261db2c642653b
-
Filesize
30.1MB
MD5b81c49cd70f35cc1a9e17346221f795c
SHA1dbcf7f05cec1b09e2b97f75999ab97e85738d454
SHA25643db89bde37bc80368cd5257e61c58bb6b7f2471cb3f52ba37f7db7e5396f347
SHA512f0829bc1184aa8f6bc92492d36ad6b38996fd052a15911a985969222f0ce388738d041cdf9f26b978a83a376e4cdd11d1cfc8e8f26668945df740b488ddc5e5d
-
Filesize
1.4MB
MD5d27704ffe919e1b297f7baab8b2ac709
SHA121a900394f683ad3498fb0840706492909047f75
SHA2567a872db81052244bb64b73c7b3ca2b5f78ede210eea0881d9b86e3591c45a397
SHA5128dc8cde64c0a75fbb5a85c88c5e088966b3e11f1ad534f7ff640d5bf3761eecd3f960341cf181724c9f05b0f689c18e0ae27cb225029875c44c60a95bcd5cd40
-
Filesize
5.2MB
MD51b2c6a92813857318f988a0e26c9258d
SHA1a8dbf22a9eeadf62dd180711de85b8b30c3aaf2f
SHA2569f0bfba54a332fef6ab68eca4a5655543e1707d1c117813c4e4ff47658461d3c
SHA5122afd5a05b9f17c96e308be2b985ff8d4591eaae2dc57c4f35799156bb32437bc01b1324f3a2dbc703639ae9bcc71217a2d14fae6775ef6c82104afe1b5f50920
-
Filesize
2.1MB
MD58137734991728bce5dbd87ba7fd8a36e
SHA16a63c08750b0ff61ce74a9b780c32f47d2d4b6af
SHA256f88a3f3cb4c697dc918e4df108d96137df184d8ea6fb42fef11f3c0ab44eac8f
SHA5122a54a88301ed43b80f116c4dbb865771e1e06594bc66697e89db04fa599665e674b97921c72124f13d0bdf8b570bcf1852cc68d4c089f9b39a7291ccb8e011bd
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f96978fc46d9f00d8780351026924d7_bf9bdae1-6812-4169-92a0-a7c2b4bbb305
Filesize59B
MD5db733e033c397fec5917611957620271
SHA16f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7
SHA2561f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc
SHA5129a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f
-
Filesize
1024KB
MD540077e58c61fad92519e140e0dc34022
SHA12cce66177530344f88e37eb84f0043be701bf444
SHA2566e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0
SHA51220e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
1.2MB
MD5fb3a320c885ce17bb7a92fe8d1e55196
SHA1f687081dec4fda9f7605db1a4f79baee2ab1ab75
SHA25698fd7f16eef60455d6f0a3e73559d7e2bc7e428aad1b800279759f2330effc72
SHA512b70950943054833a05bb3f120c5fa0aaa1e2de189d8329539f1359114f82bad4182e06d12d9da4bcdeec21606edf40aee25a346c86a7e36209ee746e0bf98475
-
Filesize
872KB
MD562707c97b2066724b92647ec37d37e04
SHA1c2def4837d6e79ff0e2166f62d5a71c214ee54a7
SHA256e766f9b707566c1d2aa4052272d96f83cef98e91bd53f5c81e405fd41be1618c
SHA5123ab162d8308bf7da4d0d068748a78bc865909c71909e6b72cdbfa48596f6019e7696b312adfc39e85c3898721eaac375c40ba99e407ceb781a05c8277067cda0
-
Filesize
1.3MB
MD58abc07986e08e7ee8d9ccd8a1cbce687
SHA163430dc3dacd5261164d173babf1de8c8f6de55a
SHA256864c680f0e6a7aef9529c0d08be3b015fb7fa51a8c5ed708ce219df9eb592d58
SHA512c46b83ed6ab6665751ef3dc87cef0bb263c3d8471c05e8290cbc1ef11e5ee69cef0928a880e8d531768791cb96226654e2efa45927c78d9cfb3ed8dcd595ef6c
-
Filesize
1.2MB
MD5f4e8e7fe0963a25c6e691e194c1ed0c8
SHA10af3c06b8c7cd255a2d07844f339e00ae0faf6e0
SHA25646144eaef219bb3c65f16295f019de483b73db8a18ee7a0fa5994a4392d899c6
SHA5129114797bcb9fa1abbe733872d099fa136ed5c5427c15ad980905bb6a77142986d548a13335e308eae76de3e847d34f05fe03281fe5f6064e438d31dba5f5fb46
-
Filesize
1003KB
MD5ffde9a76b8186999cedf7f1654d29627
SHA133e0d30bcc336e804342b039640d2b7682de41cf
SHA256e6abdc6fd68d82ecd9fde9cd4a6b69462327fbb082c3ec2d0ca7a06199b48633
SHA5127bf157230abbb0c6cf1376aae5e7888057c4d037ed293a5e1f6854b54a0b6df612800a81842d772266bc3221e9dd3d1cb0db4fe82a1bbc400ae862ea4572d5c0
-
Filesize
1.2MB
MD594c59e5780b619309d40d87600306bf8
SHA1922e2b17cea5fdc4c5e02a3a827115478a282aed
SHA2567090f8c5ab30505069ff8dc63d59213593f9cf29cb680d89d73642514828fc9e
SHA512c906c903b23f03f6dd785cfe6cf0f802f11f5659d5be0fe5c2997426bcd8292f05123480e1206e88340cdf3885c5f9fc0b310b8aec0af272f97fa3b26439cfbc
-
Filesize
1.2MB
MD556d2623b535f34c7f984621a441f769e
SHA1e11a1c3eb8cd9112f9a04b40f4943cd50f6fc274
SHA2567fbbda31ba4f1dbd3e9d6569413aabf8c77ee4a4319bd2e57a15458b0ec8af90
SHA512db1b3a26ea909d9098f3e636f508a008e8f9bc7dab40d186889118b8035cf36266fab3a21de8c6fd59ee82763d4921817d12ad1fcdb004cf3559357132a62af7
-
Filesize
1.1MB
MD59ff0226415f51b4ab5fd29be8adb574a
SHA1c9f186734377c05c653a33870f5c4e352213b1a4
SHA256b39a186c6d6b23ce3131d24f9c78147bbe7088935cce002b00163a0530900514
SHA5125308e97494ab12813ecf73466f28ea4a5bb2e3d229c14dca966aa5cf7e8dcd9e615c01ae10e56752cc87acf7628bc38bed5b15d4b4a7365fc9fd90b56e05d92f
-
Filesize
2.1MB
MD5ab72ad15e45a687c245b74dacf23883e
SHA116630d5bb455633fcb208552db0239dbfcc17ad9
SHA2565c9a1f41a4e0fad5bf7a74d76cd489294ed23bbdbd866f0c2fdff2624870ac23
SHA512bc3899a29b5b63d2bdda28991736f282913b5f3d3c66be916e808c8503adddf75a116caff0a7881d887e12b2284bf471431f5917fa1d5b50239c250b082e5b31
-
Filesize
1.7MB
MD55c62d9d946265a8690f761f33e6eb94b
SHA1e823bb7a095f3ae7137d51ae0f1c76edfe536634
SHA256dd36c71dcce4b759884ad513b8fa381a1e6b80bd7dbb232cdb31f586cf3c0716
SHA512ba088a82be2386fb0e824c5efbd024c69113a24d5c23c411d0183227faf7cd4405ec665028b1d746a6ca51093ab62e7e3bc66c464aa74ebf5eb6cc183d95dbb0
-
Filesize
1.3MB
MD520308669e51dd64331987cdda42e7a41
SHA15b9946fbba3d18d2dbdcd98c9c59385a4f49e0e3
SHA256565e97d1f73dde0aad55b18056155ddd5927c1352c0c51ace364c3b75df6d7df
SHA512b4724de764844e52e903807e074f2f141fb566c1a3a54ed24dc559c3c9316337552098327bf0384369f51a8ff41f184957ba2739dee5415f31767156f4d296ac
-
Filesize
532KB
MD5efd89bfe276f5e4ebc563659abacf6b8
SHA16f9158810b851eb817d2b32eb04fc72c4a95817a
SHA256425c5a2f53d1bb29faf532dd6c68101b6e04e87562e26deae6c32f1f3eea3b1b
SHA512871e8c96ca3daaf8bd0a123d0c396af31a8374572dd75dd75fc729d4e3ec6eb35a8674b4d23eb62c17e34363372316899a74f49bc1f2b90f9e76d9e4b7b49ee8
-
Filesize
2.0MB
MD5b0f65f5cd1fec91322d0dd63e01decdc
SHA100a2d5151febf60857b205edde6fdce28e8f0340
SHA256455078854fdd1e02f9dc6a1e9b082af9271c73dbe3b76b8349f9120830d7f7b4
SHA512ea78ce3a61ff1da4e186fa874a2132faf4876f92f381f18c729bb9cb401d3ad97d5a31dcf9a45996f3d90e2e77dc76ab7356f82f207203a03b8b21fdb7c7398a
-
Filesize
1.2MB
MD582735edde3d656ca4a9546b7003ced1f
SHA1a58fae44fb1f9b5217b54c9a9ae84a4183687726
SHA25636d08116b07c26713602a1d8a3ff925559eab0ee1804957b9072fb3f74532b27
SHA5127635ef94f0bb6606423ec02e260d0626f33d4e6ecd5fdd2f6801c01ed5d3e0c8733aad5d7855358615357ee646b8259fa2b94320311d3fbdeb47a28801306ca2
-
Filesize
1.2MB
MD5cc11be9893f7d0609d0b15d8aad328d8
SHA1c0079b2e38d45dc48a58a02b8091c7ac4b6f25ce
SHA2563d737caeebaf34d62def21b07d5e859d8f968827b0a105d27b664ba29e2d4dc3
SHA5129d5ee85dc3a378e4db4f74807b59194e103640d64a2f73414dd30ce368d24db10d916ecdbaa477b9e826a4b80df1d698e89e642282ec69ed8eda8ae079ed6072
-
Filesize
1.2MB
MD5480cbdfd8033d7d4bdcd2802fa927eaa
SHA1819f9867f5743319f1bc296030972cc8af4661f0
SHA25604076f5495232b92409086867547bd2d7d4d6976487cb354d5c8cacfd31d912c
SHA512efa3b8bae9a7796a0abffc2bc38e0ade50cdca7c72dc174b0639aa98113b7b1649c7ad95e5d43f9e584b18875ee0f3f52fa1ed56f62923114e07871fb58158de
-
Filesize
1.2MB
MD52146ce2c072b3367744b4a9c5f65bc90
SHA1f59b0e3b053b0e43415c622f5e192c3b3eaee853
SHA256ed008ed194f1eca8848d27927bb3778328a806ae011df76e6c138d0bd3c70f30
SHA512c82de4eaf25d81d88058d94348a91ea6700aa1630f7d856949a3bf88ae225e314758ff1babee7d5e146148795da095006b8a4cee65c2ed268c5b6fd2edcaf473
-
Filesize
1.2MB
MD564b732e1a4c29286293a69cb73944e41
SHA1313718b3700540d6bbc2f3532e517e9e7d8373bb
SHA256c6725841735548a6b3bb2515acb9afde388f538248c6914431ee36c9ee6a5848
SHA5125760f6514689825b7b1c905c1e44892241a48deb6f15236864e23a89f36aee3e503b1af69d2273421f262b0a607fb8951791fb36bd09f79f44f1d91f352a8452
-
Filesize
1.3MB
MD51a339c437104c2bdbb1f90881902e998
SHA148f7c723a07229cc45d0e3d49486b5580db1407e
SHA25688eb5102aa03bc3ff02782c55d839efecc76da04a3fe4c310f727e1e0fd91bff
SHA51209999e33a6d587ea4e3903dde35cb209c0e8968f15544e0038915b22ff8f32270e3145ac180f5e4e5578a27a55c15d789710284407fe2375e18f37d027aea299
-
Filesize
1.3MB
MD5e8200e1b8e455b93b419f702fea1a202
SHA15e5a918a29ef6ced0b1f35d97d69eb9861812f21
SHA256041f19a94a2b43b6a249444035b86d0663d7e409b770b35fe96cfd6048cb7961
SHA512f1869a7a78f28b0a7ebf64d736e096b620c2c15819470ac3b499c2f7a401c7864cec7bfa00ebe3b81f949256dc2849c6fd01c754ec70f90db90f05c891e123a9
-
Filesize
1.2MB
MD5f9a870b7445d70e885303e5712d88b98
SHA178772b5e8dcb9a5f2edc5ae7a689a65b9ef68bd4
SHA256dfd90d739904ab03f5c96ceac20615c580882466904bf9de5cb1de8d5a179f3a
SHA5120edf9137eff42f12bd6e840e78140c61778ccb4053b52e458722b3cf59b556cb46d751da2936dd86074a195b7f012ec1918086aafef98ef86859c7f6698bd919
-
Filesize
1.3MB
MD5fe3fd38ec79310fae4f00a845f22ea97
SHA11256c43a715eeaf0d3468729ee9bb7f6955aff7f
SHA2563ee8251d881b162142a795267720efec1ba2bac1f02580f4dfb3eb524ccd1047
SHA51210d1d51f6ab13f9d59a3808dc3fbd9636ed6c1aa88f190c898ece9f4fdc0d0fa8f31203c3db1c2bae0a9827c0956c7ff6cd3d107cd0b50f8506a90b661ad5d80
-
Filesize
2.0MB
MD54274cb2dcbfd300d78c85d711f148b66
SHA1a21c47263a299930e763201b381545a47eb36c60
SHA2565e8795a7cbe8458a97d54fdd7a1a2bd3aca64dcb32c14942b9a4d642a9a5295e
SHA5128177835cb5b28d6653b152f96dbb15d1916599f44067134846dcb0b5377d30b46efab132c530945855ea0a0cd6a7b3871f3c8c5e6abf86c5f0ef3281b2837213
-
Filesize
1.2MB
MD5987a14ee124cf2966584fece30e1f368
SHA192299c684e321157628952a405a748c546f393e0
SHA2564e96432d71eea7e1ce8a098168f468c6e8dbb5e47122cbfd43a1c9de7435d2f5
SHA512e01964ac00689644c690b0a059866a8926645cbb11a5d4e6eb1557f9241bb6a285398ea5824d6c6d7baea6416280ebd40bf5417a783a38b1d0fd42601c404f5c