Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 16/04/2024, 12:12
Static task: static1
Behavioral task: behavioral1
Sample: dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
Resource: win7-20240319-en
General
Target: dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe
Size: 1.8MB
MD5: 0c414c744d93254cb1ae93770374aab9
SHA1: 4afa2b6061fa2c48eae9858cd3dbb70c6ca1eae4
SHA256: dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db
SHA512: 1ecbf203e558870bb5fed2425b3051357aedf5429f766237bc40e7d9cae3aa72767ddb314bc59781969b6c87b6f70d29ef474919b0a70a7a5677707b68332e78
SSDEEP: 49152:Jx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAzgDUYmvFur31yAipQCtXxc0H:JvbjVkjjCAzJtU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE 53 IoCs
Loads dropped DLL 15 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 22 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 37 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 940 ehRec.exe 2452 aspnet_state.exe 2452 aspnet_state.exe 2452 aspnet_state.exe 2452 aspnet_state.exe 2452 aspnet_state.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1448 EhTray.exe 1448 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1448 EhTray.exe 1448 EhTray.exe
Suspicious use of SetWindowsHookEx 22 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\dca1ed2a5774ae9122df793777cdf36931fe98a3cb062235efa8b36b6d33b4db.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:668
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:808
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1132
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2664
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:436
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2076
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1916
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1608
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 258 -Pipe 1f8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2564
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 264 -Pipe 1e0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2700
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:268
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1756
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1896
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1548
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:632
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1696
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2708
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1728
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 268 -NGENProcess 29c -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2676
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1740
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2724
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1800
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:1620
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 188 -Pipe 278 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:320
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2832
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2640
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1648
    -
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2660
    -
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID:2000
-
C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2064
-
C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1148
-
"C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1448
-
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1812
-
C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
-
C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:2992
-
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
PID:2952
-
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2440
-
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1640
-
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1460
-
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
PID:2788
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2764
-
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:608
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2312
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2112
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1896
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1276
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2620
-
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:272
    -
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2610426812-2871295383-373749122-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2610426812-2871295383-373749122-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID:2524
    -
    "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    - Modifies data under HKEY_USERS
    PID:1348
    -
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:3052
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
706KB
MD5
90fc1fe924d49f9b4da00539ae082ed4
SHA1
85cecc6627d4b8e047b53644f29e9f85bc59d44c
SHA256
323be04db5b4cd769688a4129ee81da91508bd1c662af0b0ffe1fefadd9078ca
SHA512
856496b7ba0f45555019957278d12409de408f46c90f2c1317aea9ceccf8fc9b920041c4d4b84ef3403df5abb78e3dffa4202c54847b1f2bd0a308868d488086
-
Filesize
30.1MB
MD5
cbcb0d4c80545fe01e3ac0e978d927f4
SHA1
f3b8e19f0ec4eed8d54ce73b5de093173367bdcb
SHA256
5a4900c57e7129a59b1060349a9eee4347eedf73d60f4d855b096137afecc572
SHA512
b3a03f5ef0e1be8c23f06ed5169a0f6bbbc989c19ed1f4814173c73a4c9f30c58d0cb946fef24ff3eba5bccb4e987b77df1a517807cedc5e2a986d82ddf92171
-
Filesize
781KB
MD5
01529d845e604739c4077696b72370d1
SHA1
c3b600955a805ae069a5e0619faadf6b9d8c5a74
SHA256
d24513f652f14503fedc432835fe4239ea9de59aaffeab7d0d67331f5931acd6
SHA512
3627890a74a3de8ac1af09ad155dd30fad3115765bc159cb72d195b8bcab4891a75c78b315b67831c4fb57c99ad2d138faa11cfedb4c4e0739cbfbeed135aa16
-
Filesize
5.2MB
MD5
c65172f5e6eb25cc7dced89883d5140c
SHA1
d7f4fbafd4b7bd920d097cbf45bcc8222cc77631
SHA256
0099f3eb9445eb0eb86ca3a46171b8efaed533a404f773fbe72a7d5693f8da25
SHA512
38be245b9c7c40c5566171911dd8d7ecfe18d601d9d43a8945d29ef79a38840b1d25233fe7b9e1119453d728e41f35d9daca41089cb7835d7a38d89994a0ef74
-
Filesize
2.1MB
MD5
6569aa0d1bbabad1b66022a14dd03ddf
SHA1
a31946bd97de3b9145bbfa2299fd99d3c007e451
SHA256
5ada869370203d8c9dfffeae8a15ce32177d7aff843ba6c822c33450ad8874ae
SHA512
c4d578a9f6574b389760e06c820a15e0a41ae60a82f6d51e849f420eb9703becbf799a8463b5d4844825de98f2a6a10ca6a750a7a5a7f1ab18adf6051fff8b58
-
Filesize
1024KB
MD5
14349ce1846fccf7830f06c7b606ea7e
SHA1
20fcec01f71a77e84b5b7052e2acb8d87616faef
SHA256
932c5198814c1de31e2754b3e57aa12ee72b99dafce3b331f7a2efa659201b04
SHA512
0c3df92a9f054f6c38abdc2da475a76d7185bb591c6679fd287cacfeb493a42dccadf009041c870472c7efb2b253a049d20eb0b9e1ddcbaf6649054532637fc4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B
MD5
b9bd716de6739e51c620f2086f9c31e4
SHA1
9733d94607a3cba277e567af584510edd9febf62
SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5
81b0f66b70843b2c98fd446dfa10bad2
SHA1
b8d0026310c670559ebed06c693ee8055c73030e
SHA256
06850db7ace78636f972d5da772fc764d0a73dd1bd4ab59c325108cec6a1a6a6
SHA512
f6bc3a15ddaa66df24f21c47a03ffc682f52dd0c3d5fdbce4cfbb98fb498eeec66359f54aeeaa716b6b5e2a9f3dea56e56b25c9b28f2cd38487b28418c7ff4f7
-
Filesize
603KB
MD5
cab5c2ef8a93f68f31e84f3553345fb3
SHA1
622f516658c5cfabe009aa84f2e87c30cf311a7a
SHA256
6cc498b1aa0f84afd55c10e1201235dc52a5e4f7a996be4ee27655d78f4e126a
SHA512
6613a5845df4adbd2e936ec4c98a4664a11556b0f8613e005a5d596f047b9785163ee5ad99618a348faec50f7fa6cded643645210f4d019a514af7c657806be0
-
Filesize
678KB
MD5
b43db3a95c8ac0cd7649dadae25e6f31
SHA1
20011a26a981060287b1d651127be04ab988c4b6
SHA256
2318fd61f2b9a4b538179b71a58cd82808c6f030bfe2f29b551e99ae9004504f
SHA512
d6df2a124c3f12fee1827415503cc555cd4b18b9a4e9c0de7c6eeb0e5bc0d050d752ae0eb9121556f785f8efdaca229c79f7f78b197a1b8ebf39341d3e760896
-
Filesize
625KB
MD5
32b203834d2032a9c6a3e169c21a44b3
SHA1
a8d51f78a892090cad676fdee473d89872439587
SHA256
5815148d70855895a84c55d37e32c4205d07712df03fddb7a1abc4eb129af3e4
SHA512
972477c2c5d51a76bd853efd99aa44662d70e8426006aafb899a42f317a141b0e503d5302b1e3c946b42153f38f434bbbf3784dd4b089f331682b1475b189c05
-
Filesize
1003KB
MD5
76915b55fe7bc35e3e53ccdb4eeb64ef
SHA1
6bcb848b11bd517d4adf97e76a69a5d6f6d3f9b6
SHA256
7f352b6ed879f728fc5417a7abf4260885432d74ceba4dd05edd2cad01ac168a
SHA512
286503eb7ee3414afb5a6775f4ed37c095a98ca76db6b68dee16e7ca8f4d24aa36a9ce40c77518f6514d465c42c710911cd00c31e2a73b072a2497f4e4341e75
-
Filesize
656KB
MD5
2b37e4642321cc476d1d10bfba53c2b5
SHA1
991c4e5a5eb686e6af3d74bf90346842fca8b0b5
SHA256
8b929fc38d96fd91665512e2d0e93eeb5ee31b213e6c021368f76605c1361cd1
SHA512
248d3b0c432967e4ec872c1bb4fd85beafe2cb93f7c205b54786287df6da025b222a5ae04b8db0c658b3bb4f5962496fb1304fea5afff702664153dfca219bce
-
Filesize
587KB
MD5
6c8a1122633a9de87487105fae2df42a
SHA1
bc3e62cda59f3124f9d3faf16f525001b734544f
SHA256
82f1b789e2b30fe2450b45f8e4d47915f4dc3b64f788607dcb6211b1fdf96913
SHA512
f6cc7ee6fa82d2b2e8cf0bb5f81ba9c8eb43f7f51493ffd0e516333bf29214d20b5ca2a44e149c5c51549bb6af43fc16648ce35d12de06f7fc6ec67c5a1b75f1
-
Filesize
644KB
MD5
f58a99c83f3db4da3041efb076b4c0cf
SHA1
a21510f3ab697734559af29cdcb8002d27a28d8f
SHA256
6f2421c19f0012fe6897d20150692312595c280549cb6039a1020a66403843b0
SHA512
f6e5df6bdf80611dc5b0d368bff38fa80284ffbe87d6f8aa637082bba345798b3cf1c0b2c138a93d51ac05e777ac8d45b11e08ae0cd0869d5789deafa6791c7b
-
Filesize
577KB
MD5
be103d3ee18c7864e6030b10ee2c2ffb
SHA1
f6dba7337907c33615d13c3ebda69996acb8b19c
SHA256
837d7ca75cc30ba6fc98dfbcaad26754c06a80b3281e6df212df57178be91336
SHA512
cc1286f99e636ec2d7e4d06748586e8d66f8531c5ba0d2ac2937c3b11eb1e8248681930383725a19cb0cc63dc2d047e4cb7af64b75a8623e82baf5de82279d1d
-
Filesize
1.2MB
MD5
bb6939d1fc4a3788bb2f256c95841d8e
SHA1
1e1527edd9e67cc6f4f216ff2a190e849e1bd02b
SHA256
11d90db88200d8ffd17a36cd2fc84883f3f1e372ea0cfcd9cafea1692b05c431
SHA512
8824354a39ddd297944050cb8d8455ca2e9f06d6d2de3ddb76ea7dbdf922b4e731d775aef45d4aff4c501eaf31ea31df70f7e7f4f14c0f709d73f709d5c09e11
-
Filesize
648KB
MD5
a3a6356268137b616e227330bdb4aa59
SHA1
a96c9fb4e58e08e72697372e32165085d86fd346
SHA256
868d611be4050610f14a889b0cf864ba9c3ff2aedc88bab705953622db13029d
SHA512
5cc5c8b4a4bc9872610a7097ff36d3c98d9708f4ef2625ce66bbd0fd1cbcf9aed9d7b3ef20dee41fe0d4e5b864a3fbf4253fca432ac9141620af90965586bb44
-
Filesize
674KB
MD5
f7e0417b8ec62c539cee726edb582b2f
SHA1
a2ec3c6b19627129fe92fe317cbaa7ec633a7342
SHA256
b1cd926e3f576858823e0eb71027756d102a587aed85142faf64afcbf96e7d2a
SHA512
16b0929cea4c08927edf8bdb87e915ecd57703fbcd57ab107b2784743f6f594a0f037961d1291906673def45499eb160c3423da18df7432e54126aad99c14a6c
-
Filesize
705KB
MD5
dd90ec35cf4bc808e7c0b27920b79ecc
SHA1
fa6cdf8b0cd5b8808af3bec12ec2104e06414d0d
SHA256
18cdee53e98b464502327d461fdd61cf5e4966249e1b93d41903d0f2daad6fb3
SHA512
7835ddae55690cb5a1ab6474cd60ec1716e3235200110f953a394e004bdadfcc41df0997e6d885bc810d1680b89e50c5b0eff781394e93b28c5f379e6dd866c1
-
Filesize
691KB
MD5
af22f3eed78d492c6613bb6fd6cee24a
SHA1
4393f7ccd6d509687df3ea9003c32f0edd0cc58e
SHA256
1a079b25517650d5c754ddacd2fe5577f976182b17ab0ddfe6a734aa96321cf6
SHA512
373b6b1055ce2a5064e9d66e6a0e92e85d065c5eae5bd8784776cdf30b5f63f457eec44fc26c28580738d0876581452c800acc654a96d7cbd7f4df98a7cada8c
-
Filesize
1.2MB
MD5
5098e8393ec73a929e0f9f87657a64a6
SHA1
edd886012042cb8b0dee2ab0fa11b04b40c345af
SHA256
cd23da381aab865bd247fe0f172be39107d0bec12d0e65d93949fb6eaf92b061
SHA512
c2e63c108ee03e0e8fe08dfd752e2c4936d1fb6e725c7deabb3d379f02b98f6a57deea57b4bdd0db0cab453581921732036c7d5e0afd7c803b43827ae5ffcaa1
-
Filesize
691KB
MD5
7ff7254ff31a4a840454a8e2f217aacf
SHA1
51d157787a7daeffc47c024c76fb5f99d331b0a9
SHA256
2214c52df54ca9e7d0361e77abe5c18156ae05fc671b4665aa1d40ed9f88f2de
SHA512
f8aa1483028475a8411ad2a97b6547426468d8a6d756ca786f1b3f75bfd37c8c57e28ca7ed2205c2af254f02a0a2be7cd730bc9a9a24541d0d018208cfcbc0eb