Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
21-11-2024 09:10
General
-
Target
d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
-
Size
622KB
-
MD5
8a423b0b243d49e96392376d8e8e0014
-
SHA1
78fc0ecebd67137303039e921b1d9686eca492e1
-
SHA256
d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b
-
SHA512
7ed8ac1fd6efa67ecfafe8df93cc3d2e0bbb349ebdeaec43ae2484ce52e8bd23ddbec46acaf5e0685561b56a14a5ef1922512607426d8380d97faea7abce286a
-
SSDEEP
12288:vuiqx0MsTe7IArn6xI51Ahl/9EG5/0Ty2LEGQ8WCorG44JmLJFK9yy:vubP+wIk6xI5ul/9EgnQQ/CtJIJFeyy
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 62 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 23 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe"C:\Users\Admin\AppData\Local\Temp\d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d8 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 298 -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 258 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 24c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 278 -NGENProcess 244 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 218 -NGENProcess 1e4 -Pipe 200 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 254 -NGENProcess 1bc -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1bc -NGENProcess 208 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 208 -NGENProcess 22c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 1dc -NGENProcess 24c -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 208 -Pipe 218 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 264 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 24c -Pipe 204 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 22c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 22c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 22c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 28c -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 258 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 29c -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 288 -Pipe 208 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 254 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 254 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 284 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 284 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 284 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 274 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 288 -NGENProcess 2dc -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 310 -NGENProcess 304 -Pipe 288 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2e0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 320 -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 308 -Pipe 324 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 310 -Pipe 32c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 308 -Pipe 344 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 34c -NGENProcess 318 -Pipe 334 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 310 -Pipe 338 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 308 -Pipe 33c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 35c -NGENProcess 358 -Pipe 308 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 330 -NGENProcess 310 -Pipe 34c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 368 -NGENProcess 354 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 35c -Pipe 358 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 370 -NGENProcess 310 -Pipe 350 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 35c -Pipe 330 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 310 -Pipe 364 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 368 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 310 -Pipe 370 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 378 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 310 -Pipe 37c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 35c -Pipe 384 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 310 -Pipe 388 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 38c -NGENProcess 36c -Pipe 390 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a4 -NGENProcess 194 -Pipe 318 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 310 -Pipe 394 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 36c -Pipe 398 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 194 -Pipe 39c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 310 -Pipe 3a0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 194 -Pipe 3a4 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 310 -Pipe 3a8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 36c -Pipe 3ac -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 194 -Pipe 3b0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 310 -Pipe 3b4 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 36c -Pipe 3b8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 194 -Pipe 3d8 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3bc -NGENProcess 3d4 -Pipe 3c0 -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 194 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 194 -NGENProcess 3bc -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 3e8 -NGENProcess 36c -Pipe 3d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 36c -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3f0 -NGENProcess 3bc -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e8 -NGENProcess 3bc -Pipe 3ec -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f8 -NGENProcess 3e0 -Pipe 194 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 3e8 -Pipe 3bc -Comment "NGen Worker Process"2⤵
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD520c08e02a7a956471eeb82d0a72d5771
SHA12d4acb5c0ca6df96984e18ec5d3f76b84ebf07d7
SHA25689157d1e7e518de857b25dd387426673368f26e61fd86a8a33154a876820faef
SHA5125e76d2640d95d87bef7df27e89ddc732ba82012443f6d5919541839a0eb0c173083afd1aa7912c0181b72ba296c92547b1da14bd7eccc25690cb8c7dc2f98eea
-
Filesize
30.1MB
MD543485c61988330df6c02bf34af7a2ad9
SHA15e8d45b34d8978d5c87ab28a2cb9322d68e0cc1b
SHA256ea771861c5744ef96e0ab85f79085062030ad66a768ccfbe8a0c25803462077e
SHA51223e5cf8fc105a792db005b3bd31e6712c5ee67d4c0e5cf587187479a766f3e3bbb994cf0c9046d12ca3179b9e01a9e7e07cba0745bb39dd10b424db9691db96f
-
Filesize
781KB
MD55cf3b121d3b673ebde381c72e9113728
SHA1bb0826cb5f481555d05fc9a5f19a9f9e7af53481
SHA25600e0ebabd8184119d30d8ad1e62bfecccce586d4fe04b434f3157859f046ec99
SHA51225e4110903d79c6ec8513d0f28d7f1ef447ae682acbc0c5559e01819640b960d9877893d1fad6c4ccbbc0a088b885e55e35ecef0a0e30ebf5d967d8b7fd94dad
-
Filesize
2.1MB
MD510be6990fc7249a16da3084e43dd5038
SHA17891d78403b40dd6a857eddf3a35cb17988b6323
SHA256d8323e76bfcc34740011eaf2ff01ebdcae9516121480305a3c5fa5e00ec8b579
SHA51235561accf1949ea049b7f3092d1c5ce3b0215a336d268622f6c41dd272d2b6de0cc67c80c2e11247f9a92baf5bb1aff10671ff70d51d7ccbb1a235f9dfba306f
-
Filesize
1024KB
MD551da34a4f22540e7676f7e66bbb3d544
SHA1963a8594079797affc9f8761097d2923fbdaaa79
SHA2569f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA51233cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
-
Filesize
24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5441bc160f3ce05fa31eef8a4641f2135
SHA19b5e3edc50c8bab2308a948805bc42b506701356
SHA25675ca4d893d7ccaedd5c5c4781ab938b9f66dc884e13b56861e408a3658ab9055
SHA512868b4a46d694ac9bfe7a98c6a92490e3407e938a7559dcd2e80687498e09c5a4acaf4c54d88db2663295739b36f47dc956048abc4f321366e9493619778d5354
-
Filesize
678KB
MD5ad33f64f0e36852ccee373dc3669b27d
SHA16c805dc7305771184b0a272c3fa7c1ff695b99d5
SHA256977d8e05112f120e95534f9fe69f24d84b7431b6796c2b5017c36cdf03365d62
SHA5122e27e92203a55595e5bc6874aea3a1b00e3e637b19060e67401f127db41d7c34b011eb006b8fc79a3930b936a3dcba881855132bb91f9fe0197ad36b7306a037
-
Filesize
8KB
MD5c076356058553635bb9b6ca08aba05f4
SHA193cddea84159e7d9dc11e65933464be902c49b15
SHA256d51030f563704df0d5f0fce81da9c73e70e2ab5ea76486ca7838018a1d9b4887
SHA512745117dd339c23c8d6a97d58b3ea57f68bdeb9815ba62314dca238e5aef3278fa67829acd2cd16521915c0c86756d4390cbff657086b43fe2cc75b2aaf22cc04
-
Filesize
625KB
MD5594dccb246bf3b7dcb63a2e194577039
SHA1d1a4594f0d85b28b38da1816af72c768cea830a4
SHA256cdfea5bbbf6a3ed5e5c0a1d94c49f94187546121d47653a0ed933d69869da84d
SHA5120a58eb55745c76d2cc640c15b1e746e05430b675f69b0c84a3080b4b925d3dd538d07b10d31d3c180688314a67c203c2a93afc6988698cc2d32c8c20ee12d275
-
Filesize
1003KB
MD5c2d882d934d8fb1b975d618e993805d1
SHA1a7885ace712c44085923a6d85b1eadecbd0a79b2
SHA2562a8710a77e875677d2ed94c6991a0e39d0c848c094789593272277b28828f1aa
SHA5125e1db2e9d009f7cbc1a935106028b1198342922f39b9b32b4796c35a487e5de76b508c1055b6e558748a4741b24f1a4481114a0ad741a759fd1edf0c22dceafe
-
Filesize
656KB
MD56ef3c6dd6decdc4067f8973f055286f5
SHA1f1b7992426f0b92ec7610f04b165693e7b0b8a5b
SHA2566f157344350f73bf92a5a6c7f6ed485892c1776c1740ac66881fabf8a97e4936
SHA512ea44b901296393156ce3d70cd0ed6127d709936b83eabbab01e434832daaa2a8ce0163c794c6510fb5322436389764edc69d752c4887b04626848103916be82f
-
Filesize
587KB
MD5ec3594d4b79ba2cff42d9238b18420d3
SHA1fe6c91081777d87a56d633793c1200ae6b879edf
SHA2561fe24770fca0eebad9379dd335929d560bbd18416da470edd05f163d8ee844a5
SHA512e8cb7dadf81a25f7308eb506aa80eea007418b5e623b7a91634aa3125ce222d2bd7a479bcd4e3acaaf6f0dc1f4a70d8951a9e1b4d2132082249e768f69ac2acb
-
Filesize
577KB
MD52d8db21a089763d9d3d96b48ea79d122
SHA10ac1acaefb798adccb11053fa78eeba3a92b4127
SHA256ef5b992a649d42c93cf3ece60fe91fd58730d10069c912766335eb6cee84ae05
SHA512c075f08da1a6e6886f3ebd8cc639f604aa95425e274e9b45aee828b7dcf263a9b6a9a3d0fc4ac9d4a371b022cccfaaad28fc93cd2c903cbcb3983d95bf3d4c50
-
Filesize
1.1MB
MD50bf30d3b9581a9fdda9c44cc3d0dbbca
SHA1d8eeda1055eff037dd3829281b9c012d6c672c0b
SHA25687d26173cdaf7d6d770ebe1a312661d95bf650ec4a896ddb54ece024093fa7fa
SHA512d5d8abbe6657e6d9e284932aa83c4598cc811059b13a45f850d219960d9ea05aede1e4b571597298b6a5503cd93b8b702929e1ccac5742f373779ec0937914d2
-
Filesize
2.1MB
MD5fe9b87e5a89ba4749cebb16453e76be0
SHA171e98d22e748b872248b54fdfe2559f9b3df05de
SHA256b71fc54eb80dbf43a9c48e3fdacd29607f89d757e6c062db85c451c8827cbf8d
SHA5125929c986c64875523dabc3f779f424e3cd95a5f9ad8454cdc7d7aae15e97c67af55028e54d490cc6eaae805c593957f439fe27ad4dc171b9e7c26905e42a3034
-
Filesize
1.1MB
MD523b9f956573f7bb55a11e4fd22377481
SHA15bc8813209f030fe8a74646ec13bcba912ffcd8f
SHA256a460ab6668fe586e3c5d1b977270283d31fd98487d94961b1d4e6685b53daede
SHA512ca8156426290006b626d2e6901e90e4e3a2132e5238b0170a8e0c47ca75303968cc32540d13aed44308e70c8b4d77a1ea8e292ec525946cf1a52c6294227528c
-
Filesize
765KB
MD55b160713d764ef2de69e21253f1e85cb
SHA165c51affb46d788f611f8886f45f9435ea98d3f6
SHA256f561f72ad64cfc03417981eea0c30851e362fb035355a5a34b9c5af64b161922
SHA51232744dc69c4148dea1fccbcd64a2bc17f2c2301616e38ab5294fbe70620675ac60603c40394b95ce3d6faffdeca4d071524e39b9d48a285e2058402c77f48880
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
105KB
MD5d9c0055c0c93a681947027f5282d5dcd
SHA19bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA5125404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930
-
Filesize
1.1MB
MD57835e60e560a49049ae728698da3d301
SHA187b357b1b3c9a2ad2f3b89b10a42af021ab76afe
SHA256df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa
SHA512b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993
-
Filesize
238KB
MD50a4ed78b7995d94fa42379f84cd5f8e9
SHA190ba188fe0ebd38ad225e7ce3a24dd9b6b68056b
SHA2560a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86
SHA51286ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184
-
Filesize
248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
Filesize
1.8MB
MD59958f23efa2a86f8195f11054f94189a
SHA178ec93b44569ea7ebce452765568da5c73511931
SHA2563235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6
SHA5123061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1
-
Filesize
1.0MB
MD5598a06ea8f1611a24f86bc0bef0f547e
SHA15a4401a54aa6cd5d8fd883702467879fb5823e37
SHA256e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512
SHA512774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570
-
Filesize
58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
Filesize
205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
Filesize
43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
Filesize
198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
Filesize
305KB
MD5949cc4ce8e51dff149442990e10d5688
SHA1626883d1a86cb0c63ca36cc5d27a82217ec90fc7
SHA256b661138c435d0e53b9f166b4b713e23fc9d18528f31428b2cb3909ffb81d5f14
SHA51267d23d29ccc35ee175c43179d11cc58c5e0f2914b6aab46639d20ef246277eddeb02a82b187cca60d3fc611cb59eb351afb976471850a468b3725e0156de36d6
-
Filesize
122KB
MD551b6fc9d5c863b546a388e9f7dc86327
SHA1db5e6970185367c9d0a887ce4623bb9ff0800d33
SHA256a3d31bad54c7a1dfd14f4631fab26d69fa9899600db80f3ca37e34e75af14c0f
SHA5124839290f611c2032d3be288d20357ffbcc0e39252cf0d3f398f145d497e69ccd220a8ae0f2d2b8aa1017cec4eb1035c6d935a7c2366c3417c2503be9c3ffc10d
-
Filesize
70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
Filesize
87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
Filesize
221KB
MD54c646c0467503195bac3c5602e07af45
SHA131f5dfedd777604cc7a5d8aca8b128859f60b05b
SHA2564c340351360b95c6da3fbc100f3380fc59b3ec893215f4b563ffc2d7d7454443
SHA512c110ef63c433acdaf6c4e6262caf32ebb90fd75f1ac3268102b2689d14f016856f3931b56e78ae493683a1ac29588eea85fe9918cca94a2934ff9ae5217f8005
-
Filesize
271KB
MD5c16f323dccc2bd1858c7369a37a2ce02
SHA1e8353ef4cccc87a5d0648f3f5e94c8697d64bbd2
SHA256cc8ba217027c27c369411fc54f5b9b5cf55db7f2da4ca89895c6c6f4036f9833
SHA5122ca066c6fac94d4b29e99639ce293a13a5f91e62fe7b6ceb6a82b9121eb211fdff18657b84626471c4c26e08b8ab20198805e90e858e2117c8cce309eb99a4f8
-
Filesize
82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
Filesize
58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
Filesize
85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
Filesize
298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
Filesize
43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
Filesize
124KB
MD5929653b5b019b4555b25d55e6bf9987b
SHA1993844805819ee445ff8136ee38c1aee70de3180
SHA2562766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013
-
Filesize
2.1MB
MD510b5a285eafccdd35390bb49861657e7
SHA162c05a4380e68418463529298058f3d2de19660d
SHA2565f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA51219ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452
-
Filesize
88KB
MD51f394b5ca6924de6d9dbfb0e90ea50ef
SHA14e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA2569db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
-
Filesize
691KB
MD57cab9314e2b30a7a7356b08782595a58
SHA12631e3b50ac2bb6e240856b087427f3738745c6f
SHA2560db4b8a11b26e5ce717f7786a97345c0413f0462f3c2c83386bc6ca4b12a6f8c
SHA512dfced967d37d7aa0dac7d8660adb5daa003722d07ffc69f836f6183ae1b83897a62ca9a7ee52e40421001e847ad5b61b1249c32d680a877bf504cb5829480945
-
Filesize
2.0MB
MD52c71a897935b6b3bf42cdbd42a69fcb8
SHA145c045ebbeb48f317a55ed1b6bd1d8d38e4b65f6
SHA256b6330f85f1a797714bf2e61e2ab936666ae0ce1a64033eef337f20ab6b32de92
SHA512a7d1b6340507d50aced6f3e8b14ab9df7b57eddc040e19f269aa1c4b1a524234a0c516274165afa7b458ed27190a713d0059f5b7279f9385921ebdc2ee5f4ce7
-
Filesize
648KB
MD5b727a5527e24a76f017023013176a563
SHA1f439e1500f553e5f4955c1a4e0d8e9ecacc31976
SHA25619057c2818ef26a349ed6484eb90199ede6391ac49d906150d32a24bf3583b4a
SHA512f1ae26548f6d451cfbfcec9406a85987e03a6a71d6cc876a06d540c96eec28b8b75c9145ec2d0024f25f8c97a46574a0df40bb242c08b51c12674c3f80129fc0
-
Filesize
603KB
MD57a698ed36f0c695ec15467c7b13400ce
SHA130b2839a95f93b32685122c755b5636bd3917340
SHA25634302e99cc1fd30e643f6de1ab8ec882ca76b8ad570c23f15a67fc276c10fa84
SHA5128ffe38e3fd06535dfdfb6380cd1fb2c8797972edf3108e9f635e5475347a90c785cc9054f88367cb45b81cf58fe7459f850476c4e0c35e0b164041e6436307df
-
Filesize
644KB
MD5264d0aa6e0f3a6805a5250444f2ee6ee
SHA1d203fe8831c8a2d0285b3f902e2de403ddd4e555
SHA256047d3684dab9db3d608e34e528b31f596355471ed10436739a0a4582d4b4c699
SHA512a6c3756885ee8581b1c0c0b7dccc5ed24fc5a5963c4f3b255637757c9f457672b5ea982458294ed5f066350657d8d5765fd6168fa3a982ecd70eb3fe9d64cd77
-
Filesize
674KB
MD58cc9edeba4c286e18f24bad2d22c6c4f
SHA1e15da03746c8dae1401261a4af149bf5c855c00a
SHA2566019c5b0df7b56babb14407918c9d9865aba4e9e4cca10ab0b51d64824d4fbf3
SHA512c02c6370c226e1c60d6254522b05c0d208ce6fab3fda5fbaf384a5f93cd62217b641091ef5207a132cedecd2e272a06c7be71c2d09775ad56174d71f3c474338
-
Filesize
705KB
MD53f28624fcf8df742df253def06beebdd
SHA1d9732de1867efa0c2ebfda268a0c78164fb7fb03
SHA2561c13ff1ffefd62f1bb2da739300e779b606e2b05b5af1fa50138dc1d170f7962
SHA51297386272c581a4404066609739c073e07d08d0c706a481c2d9230ab2a9501929516570388a32e83e751fc57fa366459665decf60c4da85f4d4e7361f5e94c598
-
Filesize
691KB
MD51ad2a2c99e27b603df6e74eee413da45
SHA19827765d10e1c8f2145c21bd7b2238002494d910
SHA256160b084c78971d161b948c0386eda2312042f6bd833c1268acc3af08de38a463
SHA512abfa46c964274205e7b74bf9aeb4a3283f0b0203c1bdb63f40691b8b36442d2f6a357d1819989e903bdba3b92705316e9309ee89f6458474bd765acaaba08429
-
Filesize
581KB
MD58923c851db49586204f8d36bdb884623
SHA102c486c06533f62cb9f73c1cf9bcbc4c238a0ced
SHA256d4f30b7b1eedd86ceaa42e77953553eb12995f5950a0567325c266cbfc396c16
SHA512d718efef51594001fb0c8fe7d99880b6b45e90bd1c687a1d71f01cdc92affcde14ecd36050ca12f387079da2651e54c83937250e2e6228e991f27e56ea4e44ed
-
Filesize
2.0MB
MD56a47daab00c257f24dc8d879fea35694
SHA17d01cf4a7d902acff3e74057bcf1a9917c8fad22
SHA256e3af68f2f0f9033100cc93ab9afca3a2821920d1d20941ee8bebdd85eb39a10d
SHA512be2db3c76c5862c7f9a8ad7cd8d834b7a8028f9bce72afc4178d933bb3e1b22cf09db135dc53476c187464cfc03ad77617ce7b33e055d47d4a7f2f6ac23f4ab0
-
Filesize
1.2MB
MD5eda3ce93525343195011930cd8f4402f
SHA1b16232ee5856f47e11f6df610f26766669209c6c
SHA256e3341e15fac0a70d75b6a368dee090ef4449a564c169aadcc85b4d426c44e369
SHA512166572efe248fa6fbc42382d6d8d15656634cdcd7dd6e4d6f9a85c5d1c2fff9b77054d869d91ca16f818c9feebba25746b9b7103aac530913a8e8063ab91cff7
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
744KB
-
Filesize
668KB
-
Filesize
384KB
-
Filesize
668KB
-
Filesize
384KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
672KB
-
Filesize
30.1MB
-
Filesize
30.1MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
408KB
-
Filesize
632KB
-
Filesize
408KB
-
Filesize
632KB
-
Filesize
408KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
672KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
672KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
672KB
-
Filesize
1.1MB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
1.1MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
696KB
-
Filesize
384KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
672KB