Analysis
max time kernel: 535s
max time network: 517s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2024 15:18
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231222-en
General
Target: file.exe
Size: 914KB
MD5: 12ad4c2b63d32b4579f03992e362f8ef
SHA1: c38692667cdfd7f2b8bc67f3d7165f72fba74552
SHA256: d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
SHA512: c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0
SSDEEP: 24576:+am4MROxnFD3wrXYf1rrcI0AilFEvxHPmE7ooj:+OMiJJrrcI0AilFEvxHP
Malware Config
Extracted: orcus
4.tcp.eu.ngrok.io:15428
0133d229c4e24006957c0e4ab3a52531
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: System3222
taskscheduler_taskname: System3222
watchdog_path: AppData\Sys322.exe
Signatures
Orcus main payload 1 IoCs
resource: behavioral1/files/0x0007000000014a56-28.dat  yara_rule: family_orcus
Orcurs Rat Executable 3 IoCs
resource / yara_rule:
- behavioral1/memory/1416-0-0x0000000001040000-0x000000000112A000-memory.dmp  orcus
- behavioral1/files/0x0007000000014a56-28.dat  orcus
- behavioral1/memory/3048-35-0x00000000011D0000-0x00000000012BA000-memory.dmp  orcus
Drops file in Drivers directory 39 IoCs
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
File opened for modification: C:\Windows\SysWOW64\wintrust.dll (process: cmd.exe)
Deletes itself 1 IoCs
PID 2560 cmd.exe
Executes dropped EXE 8 IoCs
pid / Process:
- 2052 WindowsInput.exe
- 2700 WindowsInput.exe
- 3048 Orcus.exe
- 2604 Orcus.exe
- 2020 Sys322.exe
- 2896 Sys322.exe
- 1648 Orcus.exe
- 2232 Sys322.exe
Loads dropped DLL 23 IoCs
pid / Process:
- 1416 file.exe
- 1416 file.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 3048 Orcus.exe
- 2012 dw20.exe
- 2012 dw20.exe
- 2012 dw20.exe
- 2012 dw20.exe
- 2012 dw20.exe
- 888 WerFault.exe
- 888 WerFault.exe
- 888 WerFault.exe
- 888 WerFault.exe
- 888 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\System3222 = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" (process: Orcus.exe)
Drops desktop.ini file(s) 51 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow 2: 4.tcp.eu.ngrok.io
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification: C:\Windows\BITLOC~1\autorun.inf (process: cmd.exe)
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid 888 (WerFault.exe), pid_target 2896, procid_target 34
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, pid 3048 Orcus.exe
- Token: SeDebugPrivilege, pid 2020 Sys322.exe
- Token: SeDebugPrivilege, pid 2896 Sys322.exe
Suspicious use of FindShellTrayWindow 2 IoCs
- 3048 Orcus.exe
- 2012 dw20.exe
Suspicious use of SendNotifyMessage 1 IoCs
- 3048 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs
- 3048 Orcus.exe
Suspicious use of WriteProcessMemory 40 IoCs
Processes (indentation shows the parent/child relationship; the depth is the one given in the report)

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1416, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsInput.exe  (PID 2052, depth 2)
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    - Executes dropped EXE

  C:\Program Files (x86)\Orcus\Orcus.exe  (PID 3048, depth 2)
    Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Sys322.exe  (PID 2020, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3048 /protectFile
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Sys322.exe  (PID 2896, depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Sys322.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3048 "/protectFile"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Sys322.exe  (PID 2232, depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchClientAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 2896
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 2012, depth 6)
            Command line: dw20.exe -x -s 408
            - Loads dropped DLL
            - Suspicious use of FindShellTrayWindow

        C:\Windows\SysWOW64\WerFault.exe  (PID 888, depth 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 840
          - Loads dropped DLL
          - Program crash

    C:\Windows\SysWOW64\cmd.exe  (PID 2560, depth 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\{498b2b4f-a2e5-46da-adc0-5ecc1674a6bf}.bat""
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Deletes itself
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory

C:\Windows\SysWOW64\WindowsInput.exe  (PID 2700, depth 1)
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  - Executes dropped EXE

C:\Windows\system32\taskeng.exe  (PID 2736, depth 1)
  Command line: taskeng.exe {92230B5E-56A3-4D1C-8A16-4C4F56C88D55} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Orcus\Orcus.exe  (PID 2604, depth 2)
    Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
    - Executes dropped EXE

  C:\Program Files (x86)\Orcus\Orcus.exe  (PID 1648, depth 2)
    Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344B
  MD5: ed6dacae95f4fe79741659d53f2e719b
  SHA1: 7d510cf109f62deb9a4b294ee9a105e00d90d62c
  SHA256: ca8f8753d31a32ba700635c8cd1c587ce435878a1b654d51069eacd3ee7ec10b
  SHA512: fccfa86f677d7cea7bf13fdf400f3081a7d772f38920cbbd2e5914cc91aa1453436ba23ca11356b6b5cfed3fc40f473a33929c1b171db9eedd832ca7b2b75c33
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 70B
  MD5: 12888c690be6b5a4d468481b3c141167
  SHA1: 8f684102864ba7e9951024447c4894052af708fe
  SHA256: 10661b06e91d2a6dfb39f59e22a9ee88b6629db80e85b1f4f0f03eb197447236
  SHA512: e7e95e6f66fc12714b399a135d6b127535d69a949005db29dc4af4b70c0fb8ff5243f873ad8318559817d055a517233635efcff78102b633e52ea84468caaf05
- Filesize: 448KB
  MD5: 9a27bfdd0fa06e1b42e64e150a58fd3e
  SHA1: bc66f567791528160df80521813a530b00136f7b
  SHA256: d6d5fd47f18954e0addd8e2ddb360e4dcc4bf88ee9a2afdffbcd70dfdc68f1d8
  SHA512: cff99b270af9e6b76da100be307da763cb72bec54b94d0813adfd94db8a9af2e2a158d132412b3b6034b793ff399eaf575ed502a71fde6520fb3b62f9595ac88
- Filesize: 1.3MB
  MD5: ac6acc235ebef6374bed71b37e322874
  SHA1: a267baad59cd7352167636836bad4b971fcd6b6b
  SHA256: 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
  SHA512: 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081
- Filesize: 9KB
  MD5: 913967b216326e36a08010fb70f9dba3
  SHA1: 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
  SHA256: 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
  SHA512: c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
- Filesize: 7KB
  MD5: 362ce475f5d1e84641bad999c16727a0
  SHA1: 6b613c73acb58d259c6379bd820cca6f785cc812
  SHA256: 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
  SHA512: 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
- Filesize: 357B
  MD5: a2b76cea3a59fa9af5ea21ff68139c98
  SHA1: 35d76475e6a54c168f536e30206578babff58274
  SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
- Filesize: 914KB
  MD5: 12ad4c2b63d32b4579f03992e362f8ef
  SHA1: c38692667cdfd7f2b8bc67f3d7165f72fba74552
  SHA256: d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
  SHA512: c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0
- Filesize: 125KB
  MD5: 2b44c70c49b70d797fbb748158b5d9bb
  SHA1: 93e00e6527e461c45c7868d14cf05c007e478081
  SHA256: 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
  SHA512: faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0
- Filesize: 271KB
  MD5: 98eb5ba5871acdeaebf3a3b0f64be449
  SHA1: c965284f60ef789b00b10b3df60ee682b4497de3
  SHA256: d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
  SHA512: a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2
- Filesize: 338KB
  MD5: 934da0e49208d0881c44fe19d5033840
  SHA1: a19c5a822e82e41752a08d3bd9110db19a8a5016
  SHA256: 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
  SHA512: de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59
- Filesize: 247KB
  MD5: ffb4b61cc11bec6d48226027c2c26704
  SHA1: fa8b9e344accbdc4dffa9b5d821d23f0716da29e
  SHA256: 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
  SHA512: 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9
- Filesize: 21KB
  MD5: e6fcf516d8ed8d0d4427f86e08d0d435
  SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
  SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
  SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e