Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 05:07
Static task static1
Behavioral task behavioral1: Sample pingplotter_install.exe, Resource win7-20240220-en
Behavioral task behavioral2: Sample pingplotter_install.exe, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample $PLUGINSDIR/DotNetChecker.dll, Resource win7-20240611-en
Behavioral task behavioral4: Sample $PLUGINSDIR/DotNetChecker.dll, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample $PLUGINSDIR/StdUtils.dll, Resource win7-20240611-en
Behavioral task behavioral6: Sample $PLUGINSDIR/StdUtils.dll, Resource win10v2004-20240611-en
Behavioral task behavioral7: Sample $PLUGINSDIR/System.dll, Resource win7-20240221-en
Behavioral task behavioral8: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240508-en
Behavioral task behavioral9: Sample $PLUGINSDIR/nsisdl.dll, Resource win7-20240508-en
Behavioral task behavioral10: Sample $PLUGINSDIR/nsisdl.dll, Resource win10v2004-20240611-en
Behavioral task behavioral11: Sample $_4_.msi, Resource win7-20231129-en
Behavioral task behavioral12: Sample $_4_.msi, Resource win10v2004-20240508-en
General
- Target: pingplotter_install.exe
- Size: 21.4MB
- MD5: ae2015bc36bb8a0b872d049430c622c2
- SHA1: c11db0f26d3554dea55b601eecdc50f90eae785d
- SHA256: 3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
- SHA512: 85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
- SSDEEP: 393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 33 IoCs
Executes dropped EXE 2 IoCs
pid   Process
2660  PingPlotter.exe
584   PingPlotter.exe
-
Loads dropped DLL 24 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 51 IoCs
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 pingplotter_install.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob pingplotter_install.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
2416  msiexec.exe
2416  msiexec.exe
1700  MsiExec.exe
616   MsiExec.exe
616   MsiExec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2368 pingplotter_install.exe
2368 pingplotter_install.exe
Suspicious use of WriteProcessMemory 46 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe"
PID: 2368
- Enumerates connected drives
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 2416
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 71AA038CAD480FFCC0C76E5CF8DB81FC C
    PID: 2880
    - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A5E138A733F4C4A47734E9DB153227E9
    PID: 1700
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7A8242ED9DCD9C02071BA52527CD0DC M Global\MSI0000
    PID: 616
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: /C "C:\Users\Admin\AppData\Local\Temp\{B430673A-8214-403C-B687-0E8D828C119E}.bat"
        PID: 2276
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
            Command line: chcp 65001
            PID: 2340

        C:\Windows\SysWOW64\cmd.exe
        Command line: /C "C:\Users\Admin\AppData\Local\Temp\{B430673A-8214-403C-B687-0E8D828C119E}.bat"
        PID: 1876

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1
        PID: 2404
        - Drops file in Windows directory

    C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
    Command line: "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet
    PID: 2660
    - Executes dropped EXE

    C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
    Command line: "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
    PID: 584
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 1432
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1432 -s 552
    PID: 704

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 1732

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000002CC"
PID: 2820
- Drops file in Windows directory
- Modifies data under HKEY_USERS

C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
PID: 2964
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 471B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
Filesize: 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 400B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2
Filesize: 408B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 412B