Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3PingPlotte...FF.exe
windows7-x64
1PingPlotte...FF.exe
windows10-2004-x64
1PingPlotte...ll.exe
windows7-x64
6PingPlotte...ll.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$_4_.msi
windows7-x64
6$_4_.msi
windows10-2004-x64
6Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 04:52
Static task
static1
Behavioral task
behavioral1
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
$_4_.msi
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$_4_.msi
Resource
win10v2004-20240611-en
General
-
Target
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
-
Size
21.4MB
-
MD5
ae2015bc36bb8a0b872d049430c622c2
-
SHA1
c11db0f26d3554dea55b601eecdc50f90eae785d
-
SHA256
3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
-
SHA512
85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
-
SSDEEP
393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: pingplotter_install.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: pingplotter_install.exe File opened (read-only) \??\S: pingplotter_install.exe File opened (read-only) \??\V: pingplotter_install.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: pingplotter_install.exe File opened (read-only) \??\U: pingplotter_install.exe File opened (read-only) \??\Q: pingplotter_install.exe File opened (read-only) \??\R: pingplotter_install.exe File opened (read-only) \??\X: pingplotter_install.exe File opened (read-only) \??\Z: pingplotter_install.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: pingplotter_install.exe File opened (read-only) \??\H: pingplotter_install.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: pingplotter_install.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: pingplotter_install.exe File opened (read-only) \??\K: pingplotter_install.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: pingplotter_install.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: pingplotter_install.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: pingplotter_install.exe File opened (read-only) \??\T: pingplotter_install.exe File opened (read-only) \??\L: pingplotter_install.exe File opened (read-only) \??\N: pingplotter_install.exe File opened (read-only) \??\E: pingplotter_install.exe File opened (read-only) \??\O: pingplotter_install.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dll\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\wkernel32.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\wntdll.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb MsiExec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Connections.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\cloud_agent.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.ValueTuple.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Utils.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.Permissions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\MsgPack.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.Metadata.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Specialized.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Options.ConfigurationExtensions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Text.Addons.JavaScript.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Text.Encodings.Web.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.DiagnosticSource.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Zeroconf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Namotion.Reflection.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Text.RegularExpressions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Threading.ThreadPool.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\MacAddressVendorLookup.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\trial_banner.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Jint.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XPath.XDocument.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Encoding.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Net.NameResolution.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Chronic.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\NGraphics.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\package.json msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Data.Common.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.ApiExplorer.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Reflection.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\MagHubClient.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\new_version.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Contracts.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.IO.Compression.ZipFile.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Wiry.Base32.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Html.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Data.Sqlite.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Collections.Immutable.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\WriteableBitmapEx.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XmlDocument.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Extensions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Primitives.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.Cryptography.Cng.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Core.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\FluentCommandLineParser.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Localization.dll msiexec.exe -
Drops file in Windows directory 31 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File opened for modification C:\Windows\Installer\MSI125E.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log ngen.exe File opened for modification C:\Windows\Installer\MSI1C76.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI11DF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI157D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1200.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1388.tmp msiexec.exe File created C:\Windows\Installer\e58dc53.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI2541.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1027.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID73.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File opened for modification C:\Windows\Installer\e58dc51.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIEFD.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI1A31.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI259F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE6F.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI1141.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI11BF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDE2.tmp msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI1C55.tmp msiexec.exe File created C:\Windows\Installer\e58dc51.msi msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 5044 PingPlotter.exe 4904 PingPlotter.exe -
Loads dropped DLL 26 IoCs
pid Process 2724 pingplotter_install.exe 2724 pingplotter_install.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 1948 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 2620 MsiExec.exe 4968 MsiExec.exe 4968 MsiExec.exe 4968 MsiExec.exe 4968 MsiExec.exe 4968 MsiExec.exe 2620 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\Software PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools PingPlotter.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = 6763060ab6cb83846512a1baf3abfa025a81f1a62a8fd8950f00e52ee03301c22f2c677f069245ba086d7acdd4620b84 PingPlotter.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4108 msiexec.exe 4108 msiexec.exe 2620 MsiExec.exe 2620 MsiExec.exe 4968 MsiExec.exe 4968 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2724 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2724 pingplotter_install.exe Token: SeSecurityPrivilege 4108 msiexec.exe Token: SeCreateTokenPrivilege 2724 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 2724 pingplotter_install.exe Token: SeLockMemoryPrivilege 2724 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2724 pingplotter_install.exe Token: SeMachineAccountPrivilege 2724 pingplotter_install.exe Token: SeTcbPrivilege 2724 pingplotter_install.exe Token: SeSecurityPrivilege 2724 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 2724 pingplotter_install.exe Token: SeLoadDriverPrivilege 2724 pingplotter_install.exe Token: SeSystemProfilePrivilege 2724 pingplotter_install.exe Token: SeSystemtimePrivilege 2724 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 2724 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 2724 pingplotter_install.exe Token: SeCreatePagefilePrivilege 2724 pingplotter_install.exe Token: SeCreatePermanentPrivilege 2724 pingplotter_install.exe Token: SeBackupPrivilege 2724 pingplotter_install.exe Token: SeRestorePrivilege 2724 pingplotter_install.exe Token: SeShutdownPrivilege 2724 pingplotter_install.exe Token: SeDebugPrivilege 2724 pingplotter_install.exe Token: SeAuditPrivilege 2724 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 2724 pingplotter_install.exe Token: SeChangeNotifyPrivilege 2724 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 2724 pingplotter_install.exe Token: SeUndockPrivilege 2724 pingplotter_install.exe Token: SeSyncAgentPrivilege 2724 pingplotter_install.exe Token: SeEnableDelegationPrivilege 2724 pingplotter_install.exe Token: SeManageVolumePrivilege 2724 pingplotter_install.exe Token: SeImpersonatePrivilege 2724 pingplotter_install.exe Token: SeCreateGlobalPrivilege 2724 pingplotter_install.exe Token: SeCreateTokenPrivilege 2724 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 2724 pingplotter_install.exe Token: SeLockMemoryPrivilege 2724 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 2724 pingplotter_install.exe Token: SeMachineAccountPrivilege 2724 pingplotter_install.exe Token: SeTcbPrivilege 2724 pingplotter_install.exe Token: SeSecurityPrivilege 2724 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 2724 pingplotter_install.exe Token: SeLoadDriverPrivilege 2724 pingplotter_install.exe Token: SeSystemProfilePrivilege 2724 pingplotter_install.exe Token: SeSystemtimePrivilege 2724 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 2724 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 2724 pingplotter_install.exe Token: SeCreatePagefilePrivilege 2724 pingplotter_install.exe Token: SeCreatePermanentPrivilege 2724 pingplotter_install.exe Token: SeBackupPrivilege 2724 pingplotter_install.exe Token: SeRestorePrivilege 2724 pingplotter_install.exe Token: SeShutdownPrivilege 2724 pingplotter_install.exe Token: SeDebugPrivilege 2724 pingplotter_install.exe Token: SeAuditPrivilege 2724 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 2724 pingplotter_install.exe Token: SeChangeNotifyPrivilege 2724 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 2724 pingplotter_install.exe Token: SeUndockPrivilege 2724 pingplotter_install.exe Token: SeSyncAgentPrivilege 2724 pingplotter_install.exe Token: SeEnableDelegationPrivilege 2724 pingplotter_install.exe Token: SeManageVolumePrivilege 2724 pingplotter_install.exe Token: SeImpersonatePrivilege 2724 pingplotter_install.exe Token: SeCreateGlobalPrivilege 2724 pingplotter_install.exe Token: SeCreateTokenPrivilege 2724 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 2724 pingplotter_install.exe Token: SeLockMemoryPrivilege 2724 pingplotter_install.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2724 pingplotter_install.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 4108 wrote to memory of 1948 4108 msiexec.exe 87 PID 4108 wrote to memory of 1948 4108 msiexec.exe 87 PID 4108 wrote to memory of 1948 4108 msiexec.exe 87 PID 4108 wrote to memory of 3112 4108 msiexec.exe 99 PID 4108 wrote to memory of 3112 4108 msiexec.exe 99 PID 4108 wrote to memory of 2620 4108 msiexec.exe 101 PID 4108 wrote to memory of 2620 4108 msiexec.exe 101 PID 4108 wrote to memory of 2620 4108 msiexec.exe 101 PID 4108 wrote to memory of 4968 4108 msiexec.exe 102 PID 4108 wrote to memory of 4968 4108 msiexec.exe 102 PID 4108 wrote to memory of 4968 4108 msiexec.exe 102 PID 4968 wrote to memory of 4912 4968 MsiExec.exe 103 PID 4968 wrote to memory of 4912 4968 MsiExec.exe 103 PID 4968 wrote to memory of 4912 4968 MsiExec.exe 103 PID 4912 wrote to memory of 2020 4912 cmd.exe 105 PID 4912 wrote to memory of 2020 4912 cmd.exe 105 PID 4912 wrote to memory of 2020 4912 cmd.exe 105 PID 4968 wrote to memory of 1132 4968 MsiExec.exe 106 PID 4968 wrote to memory of 1132 4968 MsiExec.exe 106 PID 4968 wrote to memory of 1132 4968 MsiExec.exe 106 PID 4968 wrote to memory of 1712 4968 MsiExec.exe 109 PID 4968 wrote to memory of 1712 4968 MsiExec.exe 109 PID 4968 wrote to memory of 1712 4968 MsiExec.exe 109 PID 4108 wrote to memory of 5044 4108 msiexec.exe 111 PID 4108 wrote to memory of 5044 4108 msiexec.exe 111 PID 4108 wrote to memory of 4904 4108 msiexec.exe 113 PID 4108 wrote to memory of 4904 4108 msiexec.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"1⤵
- Enumerates connected drives
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2724
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CD4260307A46ACE0967FBF6020BC780E C2⤵
- Loads dropped DLL
PID:1948
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:3112
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9D1F35A8187679CFA452B8AC6F18A8F42⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2620
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DC1D9B417077D784F70220BE90416E41 E Global\MSI00002⤵
- Drops file in System32 directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:2020
-
-
-
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{FE7D9469-69FF-4AD0-A0FA-666CF8090897}.bat"3⤵PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:13⤵
- Drops file in Windows directory
PID:1712
-
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet2⤵
- Executes dropped EXE
PID:5044
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4904
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:2376
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}1⤵PID:4896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD551ed69178e2fdb90e1e101c7fef44982
SHA1581cc6a5735e94a431680d73853762129b95d7c9
SHA256d99be018e924eeb40c9ca4c51a38b0c58b897b737b533ed0dcc89d9cc93db62d
SHA5125ba82b862cf56757b2009e513b62be5b7bc16afc3202ae6f1f66c318009481eaa95c5664f6a442fe8cf68809ef03f091db97f007a0bfdcf557fa27f4dea2216c
-
Filesize
87KB
MD59c43eb18df357b00aaf31b6684e57a53
SHA16de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6
SHA256abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6
SHA512fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309
-
Filesize
677KB
MD5b9d27fbdd161b1879aa1b5bf390b8114
SHA11e9ffc3fcefc25581fd726087c74d257c713ffe4
SHA2563866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4
SHA5124af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6
-
Filesize
929KB
MD56f0e2870c72222d5989e9842d7d9e275
SHA19a847f1d5efe181c945c60bcfeeb43132db3f599
SHA256b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8
SHA512ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d
-
Filesize
315KB
MD53e50933e28b0ac08f7158e3a783f6bf4
SHA12178728de734670785b749499e4cfda7e1e30f60
SHA2567d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a
SHA5123324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6
-
Filesize
1.9MB
MD5674447f18caace5e1163fb227e4cf08d
SHA162082108201e8be712cd52806a66503cf51fe714
SHA25656dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84
SHA51289fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8
-
Filesize
1.1MB
MD5855914201fde2285b71d87c05c4bbcc2
SHA18bc1bdbb97c2775c0399e9d0e90a036f41357a4c
SHA256580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6
SHA5127040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb
-
Filesize
2.2MB
MD54f79b56c4bebf4683f731c2fa68126ce
SHA1be502d11260c83f3bdb67279f796b137094248b6
SHA25628130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63
SHA5123384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f
-
Filesize
24KB
MD550f77484e5ebbab4178d226457277f61
SHA1f9ce26a5dac69bc620481e76ff4bcaa44610b4f1
SHA25676a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5
SHA512f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da
-
Filesize
100KB
MD536896e5b8ff559857c870c8d60470d79
SHA18abe9941ec44d19b2f079fa66c118d60ecd75141
SHA25657f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823
SHA512ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793
-
Filesize
2.9MB
MD5aea6964efb6bfc8723f85e191c6db9b0
SHA1f213e8ae0088838ae76d9d5841f9e9a2376c78a9
SHA25689a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac
SHA51284a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a
-
Filesize
27KB
MD5928b8e104bc50973bad9150c577aaa64
SHA133eb7ed6547d26bbb8dbb087a45baf41292d01d2
SHA256b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629
SHA5123b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2
-
Filesize
15KB
MD5ba3845f4986d242d62641e1f6e14caba
SHA19278fe4d60ed3462835a90c56bf187cadc35ddda
SHA256ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b
SHA5124ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf
-
Filesize
364KB
MD5ca95f207ec70ba34b46c785f7bcb5570
SHA125c0d45cb9f94892e2877033d06fe8909e5b9972
SHA2568ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831
-
Filesize
561KB
MD55576bf4d22dc695564e49a68cbc98bc2
SHA180e0e045162a65d84939e22a821ecbbbde3f31d6
SHA25620f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA5124b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972
-
Filesize
84KB
MD5f18364fa5084add86c6e73e457404f18
SHA16d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SHA25639c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
SHA512716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3
-
Filesize
11KB
MD5ca332bb753b0775d5e806e236ddcec55
SHA1f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA5122de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
Filesize
48B
MD596a568f9af3d18ebb930331118447946
SHA130519320aed158e16d1db748d9a9064094593554
SHA2566b824e9f13ee7210ccabdc81e255cf3a390e5b8fcc7b69069349d89de428994e
SHA512b45971c7a6e3ccc4f02227f570bbd7adfbcef7ed4cf39322c272a1ce70fca4f5e048001c44cc17eddf9313770c31fc6728b9e15c56007f03b554a7f529765aab
-
Filesize
48B
MD52a13a6f38d9299bdfbb1d30a1cea8fde
SHA18a3d0cd8dcdb24b4d0b40e1de5988b6dc980ed0f
SHA2560f0a878a2dbefb3233c75339d2b5511f0f86e54a230ae037fe3b64a87e193399
SHA5121be095400f54a1cbab1f3f58a485aef463b019a3a55be9b07e2096d30b43676f98b97df3987a97b9a04f5b9a427ad7c26074a0feeec1002a51fb8dd156812cbb
-
Filesize
104B
MD5a937e8f48d3a6c808168c5b8ccde386d
SHA1a5c79ce563c6976b75f3037ab544616813b1ac48
SHA256a159304fedf73b8147af1cf80d495f9338db77bbafc822ba176eee02cab7561b
SHA51233cf95a0dc2f57e3e9084eb3ff526c469b2372b64fef0968ac95933f8f6f50b9b7784cfc4aae63d57c02feadb9b0a4845d870f907b41dcfc1a06558fb728a55a
-
Filesize
195KB
MD571c143221c4d2f06e495ee3f9e51a7f0
SHA144a3aa0ca190243d6f21becbd5b0c5e923426135
SHA2568d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9
SHA51298a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445
-
Filesize
196KB
MD594fa9ff9c26724e0b8ac910c1e7c40aa
SHA10cf47957200dec349d6b6da432e24165afd590eb
SHA256adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09
SHA512becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb
-
Filesize
849KB
MD599dc199a4a390a86f2728f5232a2f9a6
SHA121b03b2dacbc5e19f3334054703ce53c8ba4a15f
SHA25612b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9
SHA5128ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db
-
Filesize
409KB
MD5e34827bf55cae867e83cc6122d25154a
SHA1e513c23028532a6997692965765e235d42d96efa
SHA2567f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a
SHA512506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2
-
Filesize
23.7MB
MD529235c8b397a0b7cc27d7e81b0279ebd
SHA1bed43f593c3cd174514bb0c1175606bcb353e04e
SHA256af6b1d10b043b53d07a902934665d503ab6ca270dab555e8d0bf3bac6fa7c938
SHA5121082f31d93847b41da5152e535642ca1dd7f9ac221afeeaaf1b35f30387ad05ed4c2e24c9053f0f00c7df72aecbfbb32540e14602b6b28743f6e9bda88f962ef
-
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0f901d05-e6b5-4346-a3f0-c7e8795fba43}_OnDiskSnapshotProp
Filesize6KB
MD5c2d3287eacfe9b2b84a06ecc53a06f3f
SHA1870c4a36229db9de6a60d26a94eea102f9462417
SHA256f1d365244c4d85454404359b41e39f3ac35c0d6dea0f3571d5813a6ab8504b7a
SHA51238d7b5d19a4d84f588e6efbc8760880f8e90bbe89e1aa9e979d5bb323805a788abffec2ea47634e8a3567625c8e082fa98de3b4a2651acefbf739d138bcbc9ce