Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3PingPlotte...FF.exe
windows7-x64
1PingPlotte...FF.exe
windows10-2004-x64
1PingPlotte...ll.exe
windows7-x64
6PingPlotte...ll.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$_4_.msi
windows7-x64
6$_4_.msi
windows10-2004-x64
6Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 04:57
Static task
static1
Behavioral task
behavioral1
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
PingPlotter Professional 5.24.3.8913/KEYGEN-FFF/PingPlotter.v3.30.4_KEYGEN-FFF.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
$_4_.msi
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
$_4_.msi
Resource
win10v2004-20240508-en
General
-
Target
PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
-
Size
21.4MB
-
MD5
ae2015bc36bb8a0b872d049430c622c2
-
SHA1
c11db0f26d3554dea55b601eecdc50f90eae785d
-
SHA256
3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
-
SHA512
85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
-
SSDEEP
393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: pingplotter_install.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: pingplotter_install.exe File opened (read-only) \??\P: pingplotter_install.exe File opened (read-only) \??\U: pingplotter_install.exe File opened (read-only) \??\Q: pingplotter_install.exe File opened (read-only) \??\W: pingplotter_install.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: pingplotter_install.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\E: pingplotter_install.exe File opened (read-only) \??\N: pingplotter_install.exe File opened (read-only) \??\T: pingplotter_install.exe File opened (read-only) \??\V: pingplotter_install.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: pingplotter_install.exe File opened (read-only) \??\O: pingplotter_install.exe File opened (read-only) \??\S: pingplotter_install.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: pingplotter_install.exe File opened (read-only) \??\L: pingplotter_install.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: pingplotter_install.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: pingplotter_install.exe File opened (read-only) \??\H: pingplotter_install.exe File opened (read-only) \??\K: pingplotter_install.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: pingplotter_install.exe File opened (read-only) \??\M: pingplotter_install.exe File opened (read-only) \??\Y: pingplotter_install.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\wntdll.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\dll\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\wkernel32.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msi.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb MsiExec.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb MsiExec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\SharedWebAPI.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Xml.ReaderWriter.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.InteropServices.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.IO.dll msiexec.exe File opened for modification C:\Program Files (x86)\sueoqwysk0.dat PingPlotter.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\default_settings.json msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Light.ttf msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Runtime.Numerics.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter ICMP Generator.exe.config msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Priority Queue.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\version_picker.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\subscription_actionrequired.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\netstandard.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Proxies.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll msiexec.exe File created C:\Program Files (x86)\sueoqwysk0.dat PingPlotter.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Http.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyInjection.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Text.Encoding.CodePages.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Primitives.dll msiexec.exe File created C:\Program Files (x86)\sueoqwysk0.dat PingPlotter.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\x64\e_sqlite3.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.FileVersionInfo.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Reactive.Linq.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Alert Audio\goblet-ping.mp3 msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\SsdpRadar.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.x86.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Cors.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.IO.FileSystem.Watcher.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\IdGen.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.WebEncoders.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Extensions\AlertAction_LaunchAnExecutable\launchanexecutable.html msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Medium.ttf msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Session.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Linq.Parallel.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\welcome_splash.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\ScreenResources.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.Bson.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Text.RegularExpressions.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Linq.Queryable.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Dataflow.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\freeware_banner.bundle msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Process.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Data.Sqlite.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.EntityFrameworkCore.Design.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Memory.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Console.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\protobuf-net.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\System.Security.AccessControl.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Nito.AsyncEx.Oop.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Routing.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\Topshelf.dll msiexec.exe File created C:\Program Files (x86)\PingPlotter 5\LiteHtmlSharp.Wpf.dll msiexec.exe -
Drops file in Windows directory 31 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI7039.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7193.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7CA9.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{CBAA9826-6D34-44FF-AEBF-E880F91CADCE} msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe File created C:\Windows\Installer\e583f48.msi msiexec.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File opened for modification C:\Windows\Installer\MSI7436.tmp msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File opened for modification C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI7EED.tmp msiexec.exe File opened for modification C:\Windows\Installer\e583f46.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI763F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7814.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log ngen.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI74E5.tmp msiexec.exe File created C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI70E6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7211.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7495.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7EDD.tmp msiexec.exe File created C:\Windows\Installer\e583f46.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI7534.tmp msiexec.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File opened for modification C:\Windows\Installer\MSI895E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI89BD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI731C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI74C5.tmp msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 4812 PingPlotter.exe 1396 PingPlotter.exe -
Loads dropped DLL 26 IoCs
pid Process 3012 pingplotter_install.exe 3012 pingplotter_install.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 3176 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 4116 MsiExec.exe 1236 MsiExec.exe 1236 MsiExec.exe 1236 MsiExec.exe 1236 MsiExec.exe 1236 MsiExec.exe 4116 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5\License = c19bf5f93990d8f2716f673a142b7e1a9177c62baad61e713f5c30973d50c6070e758008ca9589d7fefbcce266f83d64 PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools PingPlotter.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5 PingPlotter.exe Key created \REGISTRY\USER\.DEFAULT\Software PingPlotter.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Version = "85458947" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|PingPlotter 5|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 404 msiexec.exe 404 msiexec.exe 4116 MsiExec.exe 4116 MsiExec.exe 1236 MsiExec.exe 1236 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3012 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 3012 pingplotter_install.exe Token: SeSecurityPrivilege 404 msiexec.exe Token: SeCreateTokenPrivilege 3012 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 3012 pingplotter_install.exe Token: SeLockMemoryPrivilege 3012 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 3012 pingplotter_install.exe Token: SeMachineAccountPrivilege 3012 pingplotter_install.exe Token: SeTcbPrivilege 3012 pingplotter_install.exe Token: SeSecurityPrivilege 3012 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 3012 pingplotter_install.exe Token: SeLoadDriverPrivilege 3012 pingplotter_install.exe Token: SeSystemProfilePrivilege 3012 pingplotter_install.exe Token: SeSystemtimePrivilege 3012 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 3012 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 3012 pingplotter_install.exe Token: SeCreatePagefilePrivilege 3012 pingplotter_install.exe Token: SeCreatePermanentPrivilege 3012 pingplotter_install.exe Token: SeBackupPrivilege 3012 pingplotter_install.exe Token: SeRestorePrivilege 3012 pingplotter_install.exe Token: SeShutdownPrivilege 3012 pingplotter_install.exe Token: SeDebugPrivilege 3012 pingplotter_install.exe Token: SeAuditPrivilege 3012 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 3012 pingplotter_install.exe Token: SeChangeNotifyPrivilege 3012 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 3012 pingplotter_install.exe Token: SeUndockPrivilege 3012 pingplotter_install.exe Token: SeSyncAgentPrivilege 3012 pingplotter_install.exe Token: SeEnableDelegationPrivilege 3012 pingplotter_install.exe Token: SeManageVolumePrivilege 3012 pingplotter_install.exe Token: SeImpersonatePrivilege 3012 pingplotter_install.exe Token: SeCreateGlobalPrivilege 3012 pingplotter_install.exe Token: SeCreateTokenPrivilege 3012 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 3012 pingplotter_install.exe Token: SeLockMemoryPrivilege 3012 pingplotter_install.exe Token: SeIncreaseQuotaPrivilege 3012 pingplotter_install.exe Token: SeMachineAccountPrivilege 3012 pingplotter_install.exe Token: SeTcbPrivilege 3012 pingplotter_install.exe Token: SeSecurityPrivilege 3012 pingplotter_install.exe Token: SeTakeOwnershipPrivilege 3012 pingplotter_install.exe Token: SeLoadDriverPrivilege 3012 pingplotter_install.exe Token: SeSystemProfilePrivilege 3012 pingplotter_install.exe Token: SeSystemtimePrivilege 3012 pingplotter_install.exe Token: SeProfSingleProcessPrivilege 3012 pingplotter_install.exe Token: SeIncBasePriorityPrivilege 3012 pingplotter_install.exe Token: SeCreatePagefilePrivilege 3012 pingplotter_install.exe Token: SeCreatePermanentPrivilege 3012 pingplotter_install.exe Token: SeBackupPrivilege 3012 pingplotter_install.exe Token: SeRestorePrivilege 3012 pingplotter_install.exe Token: SeShutdownPrivilege 3012 pingplotter_install.exe Token: SeDebugPrivilege 3012 pingplotter_install.exe Token: SeAuditPrivilege 3012 pingplotter_install.exe Token: SeSystemEnvironmentPrivilege 3012 pingplotter_install.exe Token: SeChangeNotifyPrivilege 3012 pingplotter_install.exe Token: SeRemoteShutdownPrivilege 3012 pingplotter_install.exe Token: SeUndockPrivilege 3012 pingplotter_install.exe Token: SeSyncAgentPrivilege 3012 pingplotter_install.exe Token: SeEnableDelegationPrivilege 3012 pingplotter_install.exe Token: SeManageVolumePrivilege 3012 pingplotter_install.exe Token: SeImpersonatePrivilege 3012 pingplotter_install.exe Token: SeCreateGlobalPrivilege 3012 pingplotter_install.exe Token: SeCreateTokenPrivilege 3012 pingplotter_install.exe Token: SeAssignPrimaryTokenPrivilege 3012 pingplotter_install.exe Token: SeLockMemoryPrivilege 3012 pingplotter_install.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3012 pingplotter_install.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 404 wrote to memory of 3176 404 msiexec.exe 86 PID 404 wrote to memory of 3176 404 msiexec.exe 86 PID 404 wrote to memory of 3176 404 msiexec.exe 86 PID 404 wrote to memory of 1884 404 msiexec.exe 97 PID 404 wrote to memory of 1884 404 msiexec.exe 97 PID 404 wrote to memory of 4116 404 msiexec.exe 99 PID 404 wrote to memory of 4116 404 msiexec.exe 99 PID 404 wrote to memory of 4116 404 msiexec.exe 99 PID 404 wrote to memory of 1236 404 msiexec.exe 100 PID 404 wrote to memory of 1236 404 msiexec.exe 100 PID 404 wrote to memory of 1236 404 msiexec.exe 100 PID 1236 wrote to memory of 1716 1236 MsiExec.exe 101 PID 1236 wrote to memory of 1716 1236 MsiExec.exe 101 PID 1236 wrote to memory of 1716 1236 MsiExec.exe 101 PID 1716 wrote to memory of 888 1716 cmd.exe 103 PID 1716 wrote to memory of 888 1716 cmd.exe 103 PID 1716 wrote to memory of 888 1716 cmd.exe 103 PID 1236 wrote to memory of 2492 1236 MsiExec.exe 104 PID 1236 wrote to memory of 2492 1236 MsiExec.exe 104 PID 1236 wrote to memory of 2492 1236 MsiExec.exe 104 PID 1236 wrote to memory of 2176 1236 MsiExec.exe 107 PID 1236 wrote to memory of 2176 1236 MsiExec.exe 107 PID 1236 wrote to memory of 2176 1236 MsiExec.exe 107 PID 404 wrote to memory of 4812 404 msiexec.exe 109 PID 404 wrote to memory of 4812 404 msiexec.exe 109 PID 404 wrote to memory of 1396 404 msiexec.exe 111 PID 404 wrote to memory of 1396 404 msiexec.exe 111 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"1⤵
- Enumerates connected drives
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0897B4B65CFA4431B23F0178FA581237 C2⤵
- Loads dropped DLL
PID:3176
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1884
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4A46AB33EDD6013095250834ACB40B1B2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4116
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 05A2BF674B07EEAD6951958EF014C478 E Global\MSI00002⤵
- Drops file in System32 directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{BDB25E24-B7EC-48B2-A1B8-94B523D46232}.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:888
-
-
-
C:\Windows\SysWOW64\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\{BDB25E24-B7EC-48B2-A1B8-94B523D46232}.bat"3⤵PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:13⤵
- Drops file in Windows directory
PID:2176
-
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4812
-
-
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe"C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1396
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:948
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}1⤵PID:2028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD552d49411a93f2ae7a9a09efe3fb8cc1a
SHA1129326055228653d0c7157dcc85f64f831d557d1
SHA256a9ab9dd22e8aa57450e008bec92d472e516f6b70c8ba3617477ac8ecb4a3a473
SHA512c8f22d4b1c0cc99339e16298a27e2c86de880bb09e45d734e2dc860f093e77f4ed2b0361b979872f5402f7b7dfad4a65b72e94ba284a9ec04fb00d025c83aefb
-
Filesize
87KB
MD59c43eb18df357b00aaf31b6684e57a53
SHA16de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6
SHA256abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6
SHA512fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309
-
Filesize
677KB
MD5b9d27fbdd161b1879aa1b5bf390b8114
SHA11e9ffc3fcefc25581fd726087c74d257c713ffe4
SHA2563866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4
SHA5124af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6
-
Filesize
929KB
MD56f0e2870c72222d5989e9842d7d9e275
SHA19a847f1d5efe181c945c60bcfeeb43132db3f599
SHA256b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8
SHA512ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d
-
Filesize
315KB
MD53e50933e28b0ac08f7158e3a783f6bf4
SHA12178728de734670785b749499e4cfda7e1e30f60
SHA2567d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a
SHA5123324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6
-
Filesize
1.9MB
MD5674447f18caace5e1163fb227e4cf08d
SHA162082108201e8be712cd52806a66503cf51fe714
SHA25656dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84
SHA51289fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8
-
Filesize
1.1MB
MD5855914201fde2285b71d87c05c4bbcc2
SHA18bc1bdbb97c2775c0399e9d0e90a036f41357a4c
SHA256580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6
SHA5127040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb
-
Filesize
2.2MB
MD54f79b56c4bebf4683f731c2fa68126ce
SHA1be502d11260c83f3bdb67279f796b137094248b6
SHA25628130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63
SHA5123384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f
-
Filesize
24KB
MD550f77484e5ebbab4178d226457277f61
SHA1f9ce26a5dac69bc620481e76ff4bcaa44610b4f1
SHA25676a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5
SHA512f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da
-
Filesize
100KB
MD536896e5b8ff559857c870c8d60470d79
SHA18abe9941ec44d19b2f079fa66c118d60ecd75141
SHA25657f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823
SHA512ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793
-
Filesize
2.9MB
MD5aea6964efb6bfc8723f85e191c6db9b0
SHA1f213e8ae0088838ae76d9d5841f9e9a2376c78a9
SHA25689a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac
SHA51284a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a
-
Filesize
27KB
MD5928b8e104bc50973bad9150c577aaa64
SHA133eb7ed6547d26bbb8dbb087a45baf41292d01d2
SHA256b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629
SHA5123b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2
-
Filesize
15KB
MD5ba3845f4986d242d62641e1f6e14caba
SHA19278fe4d60ed3462835a90c56bf187cadc35ddda
SHA256ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b
SHA5124ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf
-
Filesize
16KB
MD5e7120b5779730efb615235cf0107e386
SHA1455ea9f216bbfcd1876f142d7a1b634fd85ef819
SHA256ace34e85a2e954ed07ec11390cbdea7097ae4e56efd8b1bcef35788ce08c6777
SHA51291f893b93d771eb1ac9b9f666561375da5c9a282bf778bca76489306f8aa398fd31bfa59eaeca2f1b1b16a598dc0f5cfa9d3f3d98b0a4cd2ec9fd5539bc3efb3
-
Filesize
364KB
MD5ca95f207ec70ba34b46c785f7bcb5570
SHA125c0d45cb9f94892e2877033d06fe8909e5b9972
SHA2568ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831
-
Filesize
561KB
MD55576bf4d22dc695564e49a68cbc98bc2
SHA180e0e045162a65d84939e22a821ecbbbde3f31d6
SHA25620f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA5124b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972
-
Filesize
84KB
MD5f18364fa5084add86c6e73e457404f18
SHA16d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SHA25639c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
SHA512716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3
-
Filesize
11KB
MD5ca332bb753b0775d5e806e236ddcec55
SHA1f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA5122de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
Filesize
48B
MD503c428287cda463a22246ffbdad673ac
SHA13197594021217adb588e677c1d0dad07796c517a
SHA256b1d41e7f840179dd076b3a94b37b4e6e241108e3ce3e20089866387d97c72573
SHA5125e28a754043447fdb8ea0b054691d7181fffd703aae19358733af9c2ae638367cf0f7e82763fed04c8fc7a5d2cd7820a94e5d92890684cac09cb4096391d9784
-
Filesize
48B
MD57dfe43819f9f07241e24cf8bd3c1ad39
SHA180ec6790abcbe6ecf2a7a3843698a4cff770e3b8
SHA25621416e32fc60be4dba5e55c1740bd6865db5a117a3d5a090ebe2d916133c1a16
SHA512373bffe3604ac9e781b57056105ce3c3e796b45af8998caa7e4aac44108522bb3fc5f07ac7e15ab70e336cf3dbb3dc94feb57b0dda72c8fc8f8ef2740628e74b
-
Filesize
104B
MD5a70ec6dbdca2cce54d6c3795d9c4bfcb
SHA137aba0d3a5ed04de8376b6bf0e41e9e3e10e346b
SHA256a7f9ea929e8a6a8a222b98e47aed058d9a04e89df6509fabfd557d08d37ba10f
SHA512f1acfda45285ed4c612114782f02e934f489cfb05f4d3bf43b97cdaf4b4f0249097757a9683677efa3492dc1ba6eff99ae78e7e1bfea5583017bb4dcf8653171
-
Filesize
195KB
MD571c143221c4d2f06e495ee3f9e51a7f0
SHA144a3aa0ca190243d6f21becbd5b0c5e923426135
SHA2568d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9
SHA51298a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445
-
Filesize
196KB
MD594fa9ff9c26724e0b8ac910c1e7c40aa
SHA10cf47957200dec349d6b6da432e24165afd590eb
SHA256adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09
SHA512becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb
-
Filesize
849KB
MD599dc199a4a390a86f2728f5232a2f9a6
SHA121b03b2dacbc5e19f3334054703ce53c8ba4a15f
SHA25612b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9
SHA5128ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db
-
Filesize
409KB
MD5e34827bf55cae867e83cc6122d25154a
SHA1e513c23028532a6997692965765e235d42d96efa
SHA2567f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a
SHA512506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2
-
Filesize
23.7MB
MD5f6c9de8f9bee493d5699b88282ceea03
SHA18175def3ef9f7dba1afeccec0fb2dfed02c4ee64
SHA256f563f1822db2bc09caaf73ab2990837303d9702f9c43eb8fcb0b05851823aa51
SHA5120fc42d403d02c61b79a967723fefcb7e6c8982b516636d544138082d60390a61cb72b1c7f7017d55cfe046a76358060ed3ca048fd3e8709842686189f2d8fe70
-
\??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c844e0d5-f967-41cb-b641-4f3c6c4a9ad2}_OnDiskSnapshotProp
Filesize6KB
MD53f5f71e671b5bfca955d2db63a054640
SHA1d1b24a0620388d5d821ac332e380a2c2b6f36c0b
SHA256f6778d17676a3e5fed603f3f292b91d4b5f720372da076b8a16757d867809116
SHA5124f9a4e11c2997184510164a5f91a365e174a0854c6ef0835fc2975b0aa07e2447bd091aca7dd24fdc4d73835fdac41fd9cdd3a73ed1b42b0ec5b2e544a0cb310