Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3PingPlotte...FF.exe
windows7-x64
1PingPlotte...FF.exe
windows10-2004-x64
1PingPlotte...ll.exe
windows7-x64
6PingPlotte...ll.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$_4_.msi
windows7-x64
6$_4_.msi
windows10-2004-x64
6Analysis
-
max time kernel
132s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
12/06/2024, 04:52
Static task
static1
Behavioral task
behavioral1
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
$_4_.msi
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$_4_.msi
Resource
win10v2004-20240611-en
General
-
Target
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
-
Size
21.4MB
-
MD5
ae2015bc36bb8a0b872d049430c622c2
-
SHA1
c11db0f26d3554dea55b601eecdc50f90eae785d
-
SHA256
3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
-
SHA512
85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
-
SSDEEP
393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: pingplotter_install.exe File opened (read-only) \??\T: pingplotter_install.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: pingplotter_install.exe File opened (read-only) \??\N: pingplotter_install.exe File opened (read-only) \??\O: pingplotter_install.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: pingplotter_install.exe File opened (read-only) \??\M: pingplotter_install.exe File opened (read-only) \??\V: pingplotter_install.exe File opened (read-only) \??\Z: pingplotter_install.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: pingplotter_install.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\R: pingplotter_install.exe File opened (read-only) \??\S: pingplotter_install.exe File opened (read-only) \??\U: pingplotter_install.exe File opened (read-only) \??\W: pingplotter_install.exe File opened (read-only) \??\E: pingplotter_install.exe File opened (read-only) \??\H: pingplotter_install.exe File opened (read-only) \??\L: pingplotter_install.exe File opened (read-only) \??\Q: pingplotter_install.exe File opened (read-only) \??\X: pingplotter_install.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: pingplotter_install.exe File opened (read-only) \??\G: pingplotter_install.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: pingplotter_install.exe File opened (read-only) \??\Y: pingplotter_install.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\PingPlotter 5\Topshelf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3 msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Cors.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.WebSockets.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileSystemGlobbing.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Nito.Collections.Deque.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\remoteagent.meta.json msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.Managed.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Debug.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\SsdpRadar.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Medium.ttf msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.TagHelpers.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyModel.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.HttpOverrides.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Timer.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.Internal.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Routing.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\core.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyInjection.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.StackTrace.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.SecureString.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Extensions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\x64\LiteHtmlLib.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.x86.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.AppContext.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\mustache-netstandard.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\NJsonSchema.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.Bson.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\MsgPack.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\MessagePack.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Hosting.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\moscolumn.js msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Configuration.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Linq.Parallel.dll msiexec.exe -
Drops file in Windows directory 33 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI1C1B.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File opened for modification C:\Windows\Installer\f779c31.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSI1EE1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI201B.tmp msiexec.exe File opened for modification C:\Windows\Installer\f779c30.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1D57.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat ngen.exe File opened for modification C:\Windows\Installer\MSI2F7B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1D07.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1DE6.tmp msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f779c30.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1B40.tmp msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI2386.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1D28.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1D78.tmp msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI24A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2F8C.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\Installer\f779c31.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1CA9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1E35.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2433.tmp msiexec.exe File created C:\Windows\Installer\f779c33.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log ngen.exe -
Executes dropped EXE 2 IoCs
pid Process 1200 PingPlotter.exe 2280 PingPlotter.exe -
Loads dropped DLL 24 IoCs
pid Process 2188 pingplotter_install.exe 2188 pingplotter_install.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2288 MsiExec.exe 2288 MsiExec.exe 2288 MsiExec.exe 2288 MsiExec.exe 2288 MsiExec.exe 2304 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 51 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5 PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 PingPlotter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = adf0308de21a01c33fa810922e71ab091d65b164aa199d1fe9130850099dd63ad175cb374c608d1f3a89c24c2b4ac93e PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" msiexec.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 pingplotter_install.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 pingplotter_install.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 pingplotter_install.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 pingplotter_install.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2964 msiexec.exe 2964 msiexec.exe 2304 MsiExec.exe 2288 MsiExec.exe 2288 MsiExec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2188 pingplotter_install.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2188 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2188 pingplotter_install.exe Token: SeRestorePrivilege 2964 msiexec.exe Token: SeTakeOwnershipPrivilege 2964 msiexec.exe Token: SeSecurityPrivilege 2964 msiexec.exe Token: SeCreateTokenPrivilege 2188 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 2188 pingplotter_install.exe Token: SeLockMemoryPrivilege 2188 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2188 pingplotter_install.exe Token: SeMachineAccountPrivilege 2188 pingplotter_install.exe Token: SeTcbPrivilege 2188 pingplotter_install.exe Token: SeSecurityPrivilege 2188 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 2188 pingplotter_install.exe Token: SeLoadDriverPrivilege 2188 pingplotter_install.exe Token: SeSystemProfilePrivilege 2188 pingplotter_install.exe Token: SeSystemtimePrivilege 2188 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 2188 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 2188 pingplotter_install.exe Token: SeCreatePagefilePrivilege 2188 pingplotter_install.exe Token: SeCreatePermanentPrivilege 2188 pingplotter_install.exe Token: SeBackupPrivilege 2188 pingplotter_install.exe Token: SeRestorePrivilege 2188 pingplotter_install.exe Token: SeShutdownPrivilege 2188 pingplotter_install.exe Token: SeDebugPrivilege 2188 pingplotter_install.exe Token: SeAuditPrivilege 2188 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 2188 pingplotter_install.exe Token: SeChangeNotifyPrivilege 2188 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 2188 pingplotter_install.exe Token: SeUndockPrivilege 2188 pingplotter_install.exe Token: SeSyncAgentPrivilege 2188 pingplotter_install.exe Token: SeEnableDelegationPrivilege 2188 pingplotter_install.exe Token: SeManageVolumePrivilege 2188 pingplotter_install.exe Token: SeImpersonatePrivilege 2188 pingplotter_install.exe Token: SeCreateGlobalPrivilege 2188 pingplotter_install.exe Token: SeCreateTokenPrivilege 2188 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 2188 pingplotter_install.exe Token: SeLockMemoryPrivilege 2188 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2188 pingplotter_install.exe Token: SeMachineAccountPrivilege 2188 pingplotter_install.exe Token: SeTcbPrivilege 2188 pingplotter_install.exe Token: SeSecurityPrivilege 2188 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 2188 pingplotter_install.exe Token: SeLoadDriverPrivilege 2188 pingplotter_install.exe Token: SeSystemProfilePrivilege 2188 pingplotter_install.exe Token: SeSystemtimePrivilege 2188 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 2188 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 2188 pingplotter_install.exe Token: SeCreatePagefilePrivilege 2188 pingplotter_install.exe Token: SeCreatePermanentPrivilege 2188 pingplotter_install.exe Token: SeBackupPrivilege 2188 pingplotter_install.exe Token: SeRestorePrivilege 2188 pingplotter_install.exe Token: SeShutdownPrivilege 2188 pingplotter_install.exe Token: SeDebugPrivilege 2188 pingplotter_install.exe Token: SeAuditPrivilege 2188 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 2188 pingplotter_install.exe Token: SeChangeNotifyPrivilege 2188 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 2188 pingplotter_install.exe Token: SeUndockPrivilege 2188 pingplotter_install.exe Token: SeSyncAgentPrivilege 2188 pingplotter_install.exe Token: SeEnableDelegationPrivilege 2188 pingplotter_install.exe Token: SeManageVolumePrivilege 2188 pingplotter_install.exe Token: SeImpersonatePrivilege 2188 pingplotter_install.exe Token: SeCreateGlobalPrivilege 2188 pingplotter_install.exe Token: SeCreateTokenPrivilege 2188 pingplotter_install.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2188 pingplotter_install.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 1944 2964 msiexec.exe 29 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2304 2964 msiexec.exe 35 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2964 wrote to memory of 2288 2964 msiexec.exe 36 PID 2288 wrote to memory of 1584 2288 MsiExec.exe 37 PID 2288 wrote to memory of 1584 2288 MsiExec.exe 37 PID 2288 wrote to memory of 1584 2288 MsiExec.exe 37 PID 2288 wrote to memory of 1584 2288 MsiExec.exe 37 PID 1584 wrote to memory of 1808 1584 cmd.exe 39 PID 1584 wrote to memory of 1808 1584 cmd.exe 39 PID 1584 wrote to memory of 1808 1584 cmd.exe 39 PID 1584 wrote to memory of 1808 1584 cmd.exe 39 PID 2288 wrote to memory of 2500 2288 MsiExec.exe 40 PID 2288 wrote to memory of 2500 2288 MsiExec.exe 40 PID 2288 wrote to memory of 2500 2288 MsiExec.exe 40 PID 2288 wrote to memory of 2500 2288 MsiExec.exe 40 PID 2288 wrote to memory of 2800 2288 MsiExec.exe 43 PID 2288 wrote to memory of 2800 2288 MsiExec.exe 43 PID 2288 wrote to memory of 2800 2288 MsiExec.exe 43 PID 2288 wrote to memory of 2800 2288 MsiExec.exe 43 PID 2964 wrote to memory of 1200 2964 msiexec.exe 45 PID 2964 wrote to memory of 1200 2964 msiexec.exe 45 PID 2964 wrote to memory of 1200 2964 msiexec.exe 45 PID 2964 wrote to memory of 2280 2964 msiexec.exe 47 PID 2964 wrote to memory of 2280 2964 msiexec.exe 47 PID 2964 wrote to memory of 2280 2964 msiexec.exe 47 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"1⤵
- Enumerates connected drives
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2188
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A703E191B7F471631000DB965481D999 C2⤵
- Loads dropped DLL
PID:1944
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A312B2E051A7AA8E51865620DBE9A5292⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2304
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 33F085D003894205F3850E2674B43CFC M Global\MSI00002⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:1808
-
-
-
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"3⤵PID:2500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:13⤵
- Drops file in Windows directory
PID:2800
-
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet2⤵
- Executes dropped EXE
PID:1200
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2280
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2008
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000318"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1352
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}1⤵PID:2708
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD53c637802dcf530951126ee8b36d3e1e8
SHA11085952fd71150bab00cc8bd8d6bc5e0bcb8d994
SHA256665d0915b162e95f286f55addfcff7cab9a69dac69db096b249fa3c4ca29a15a
SHA51271a3ef668fa4706662ba338a467459859171abd4b3c7b6f1688f2540d3e3f484f05113158c5cc470f3790f40729d7aa8270563cd016ed4307d466f9b3bd931a6
-
Filesize
87KB
MD59c43eb18df357b00aaf31b6684e57a53
SHA16de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6
SHA256abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6
SHA512fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309
-
Filesize
677KB
MD5b9d27fbdd161b1879aa1b5bf390b8114
SHA11e9ffc3fcefc25581fd726087c74d257c713ffe4
SHA2563866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4
SHA5124af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6
-
Filesize
929KB
MD56f0e2870c72222d5989e9842d7d9e275
SHA19a847f1d5efe181c945c60bcfeeb43132db3f599
SHA256b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8
SHA512ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d
-
Filesize
315KB
MD53e50933e28b0ac08f7158e3a783f6bf4
SHA12178728de734670785b749499e4cfda7e1e30f60
SHA2567d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a
SHA5123324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6
-
Filesize
1.9MB
MD5674447f18caace5e1163fb227e4cf08d
SHA162082108201e8be712cd52806a66503cf51fe714
SHA25656dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84
SHA51289fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8
-
Filesize
1.1MB
MD5855914201fde2285b71d87c05c4bbcc2
SHA18bc1bdbb97c2775c0399e9d0e90a036f41357a4c
SHA256580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6
SHA5127040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb
-
Filesize
2.2MB
MD54f79b56c4bebf4683f731c2fa68126ce
SHA1be502d11260c83f3bdb67279f796b137094248b6
SHA25628130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63
SHA5123384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f
-
Filesize
24KB
MD550f77484e5ebbab4178d226457277f61
SHA1f9ce26a5dac69bc620481e76ff4bcaa44610b4f1
SHA25676a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5
SHA512f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da
-
Filesize
25KB
MD5c15a90b02588f3c2e92086d729268d9a
SHA1f3917545b0d2f1784d6c677940e184a8bdf199d7
SHA25664c10c0c8c7e80b8697d395f4c89622f5323d89a1b5ae5bb5c2436d2b614667e
SHA512821986403f4c2d96413f3b2f81ff570198d4445f6cbb5fca38dc43ce4f2f6d7fd571cec70ef047e93e24f32b2069695435344523ff3390d40a6a400e71144407
-
Filesize
100KB
MD536896e5b8ff559857c870c8d60470d79
SHA18abe9941ec44d19b2f079fa66c118d60ecd75141
SHA25657f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823
SHA512ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793
-
Filesize
608KB
MD5a55e8da594924aff7aac9494c91a63d7
SHA1d92135f1aab51978f26d8f879dbd4e5ffc71146c
SHA25695d5e5a3d6b1a0175bfeef2c10106ad2bee646bc9063d8c3bfdb70f284060b34
SHA512ce0fd4ca5a5ef5e6d6413d7f526110ea2b2473e2218915b65935441ffa51982e62512b8e658d39a2705aaa90a5171bd73fb73d410deda0b11c5c11c61a9f1be0
-
Filesize
693KB
MD59ef8fb5c101ca8cdcb20af7e2188496f
SHA1a4f3566d20fe9003a092ab1bced77f12016b9022
SHA256ae8b84a5e656c0df5a58e365cf91c6eedcd85ff31f93bd5f21db6f1fe025ccd0
SHA512271198207f107f29b374e188efa318c052827d696e2296dfb58120608edfd7110272338f3effbcb7d3db6e45e72dbb168e5ca90b59836436d9e50276756ae72e
-
Filesize
2.9MB
MD5aea6964efb6bfc8723f85e191c6db9b0
SHA1f213e8ae0088838ae76d9d5841f9e9a2376c78a9
SHA25689a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac
SHA51284a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a
-
Filesize
27KB
MD5928b8e104bc50973bad9150c577aaa64
SHA133eb7ed6547d26bbb8dbb087a45baf41292d01d2
SHA256b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629
SHA5123b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2
-
Filesize
15KB
MD5ba3845f4986d242d62641e1f6e14caba
SHA19278fe4d60ed3462835a90c56bf187cadc35ddda
SHA256ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b
SHA5124ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf
-
Filesize
23KB
MD5351865b759999ab60da018c38878662d
SHA12c6d09dfe7a95f78af5b27d0ffab491ca47dc2e5
SHA256cfc8576cd3f50e93ead20e4a08cb1623e95cd928e5afcbaab9ad8ec1eba2528d
SHA5127e329b5072fe7eb47871368a357643a4ec59576c0c7dfd2a48b671a33c9fb2fdf24198540ca283797ec2b274946c33f99d10d6b5aa5174872369aa5b58677f3b
-
Filesize
163KB
MD518dcf426a4822b80a52832439138e7f0
SHA1270924f3bd1b1f7ac5efdd26e7a8eb922b584129
SHA256be2c678b7e39d7af3e631a4b882302a38959b8736a114d9223720ab7d4077f5a
SHA5125b7b6c327a8ff25703c8acbcbd9aa3398398fb51d68893ef938f64a7abeeb50cc9751f525f967b1346bb979a3122bf09ebaa444ad5b41f5deef824bf5c342870
-
Filesize
16KB
MD5e7120b5779730efb615235cf0107e386
SHA1455ea9f216bbfcd1876f142d7a1b634fd85ef819
SHA256ace34e85a2e954ed07ec11390cbdea7097ae4e56efd8b1bcef35788ce08c6777
SHA51291f893b93d771eb1ac9b9f666561375da5c9a282bf778bca76489306f8aa398fd31bfa59eaeca2f1b1b16a598dc0f5cfa9d3f3d98b0a4cd2ec9fd5539bc3efb3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54c49d43fe9e08ae84631925d5e6c6fc5
SHA1e37a209cc10ac87e91ca96182fd2bf3732170833
SHA2566561f3c13db1fd0dcf73df343499c7e149eef06001d578647586054329c3b3e5
SHA512575e5853bbf588baf8fd7e01e8c83f7c7abc3db31bcd41b56bc67d18e46bf2fa459c953d20d99c80435847feb8affd7e6b7d069a8b412f251caaaac5f58df8af
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
364KB
MD5ca95f207ec70ba34b46c785f7bcb5570
SHA125c0d45cb9f94892e2877033d06fe8909e5b9972
SHA2568ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831
-
Filesize
561KB
MD55576bf4d22dc695564e49a68cbc98bc2
SHA180e0e045162a65d84939e22a821ecbbbde3f31d6
SHA25620f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA5124b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
48B
MD5b16a5fba3793c99536148b33a7304ab1
SHA1e353837d75409bf40a3933a4a33cc4241c1989f4
SHA256172a427175692aa038ff7c36ed654549aec085ad7931cde5452b7814f6cc1832
SHA5126bdf135a6aaceeb9013c71369a648ee1f9a2f48c5308706c9cb7c331b58fb48f7648e6d2d68ad7fa31439599a66b371a1b81146637f87b9164052c4c055dfab8
-
Filesize
48B
MD59e3a645eefcedc75fd12957ecee400a6
SHA13336d6e406ed53b4403557953b431517cfa871eb
SHA2563c4499fadbddfa0adc98cd8a422018cf9ec5daec6ce23c64ea6c1eb0a1806c93
SHA512507c9a7c2fec9eb57bcb8d60f03439440f52091dec99076ec7d92ef88e0edbd45c74f42fb8c425fd964ae0b2b41dc3a56bab60b0e8bf97edfdb317260ac48b01
-
Filesize
104B
MD5f6818e7ca5e3b67451c9e672aab6f176
SHA1816b7e4c7d0e7f5a200c008f4b2fbab16401ad43
SHA256748e284ad9f27b7067978564a0989f1dbe23fb0ac1750778e08267373f9601c2
SHA512bfea7b7800b33f8431d4807954315a13f4e8f67cb8d72a0c3e23f15875688a0a96e872d5feb5a5ac4e4b0f30479b74b61cff026d8cde3ef3e417eee23830df96
-
Filesize
195KB
MD571c143221c4d2f06e495ee3f9e51a7f0
SHA144a3aa0ca190243d6f21becbd5b0c5e923426135
SHA2568d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9
SHA51298a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445
-
Filesize
849KB
MD599dc199a4a390a86f2728f5232a2f9a6
SHA121b03b2dacbc5e19f3334054703ce53c8ba4a15f
SHA25612b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9
SHA5128ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db
-
Filesize
409KB
MD5e34827bf55cae867e83cc6122d25154a
SHA1e513c23028532a6997692965765e235d42d96efa
SHA2567f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a
SHA512506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2
-
Filesize
84KB
MD5f18364fa5084add86c6e73e457404f18
SHA16d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SHA25639c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
SHA512716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3
-
Filesize
11KB
MD5ca332bb753b0775d5e806e236ddcec55
SHA1f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA5122de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
Filesize
196KB
MD594fa9ff9c26724e0b8ac910c1e7c40aa
SHA10cf47957200dec349d6b6da432e24165afd590eb
SHA256adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09
SHA512becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb