Resubmissions
22-02-2024 01:08
240222-bhbzhsab77 10
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
22-02-2024 01:08
Static task
static1
General
-
Target
1334bbd7e0d0d3bb073194939f7dada8.exe
-
Size
135KB
-
MD5
1334bbd7e0d0d3bb073194939f7dada8
-
SHA1
1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4
-
SHA256
c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
-
SHA512
e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336
-
SSDEEP
1536:KjHKFCXmbMDnue3MtblERG2rnWQ19hfEgDld5kvG8tZC3PHpJLs/QEGAI7yn+ovO:kHKCXmW3VV1VDldmvGu6Q/wAI7y7+Vg
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub1
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
DcRat 3 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
1334bbd7e0d0d3bb073194939f7dada8.exe schtasks.exe
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1334bbd7e0d0d3bb073194939f7dada8.exe
pid Process
1436 schtasks.exe
1956 schtasks.exe
-
Glupteba payload 6 IoCs
Processes:
resource yara_rule
behavioral1/memory/2352-255-0x0000000002B90000-0x000000000347B000-memory.dmp family_glupteba
behavioral1/memory/2352-259-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/2352-375-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/2416-378-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/2416-400-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/1004-403-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
288c47bbc1871b439df19ff4df68f076.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 288c47bbc1871b439df19ff4df68f076.exe
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exe
pid Process
896 netsh.exe
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid Process
1224
-
Executes dropped EXE 22 IoCs
Processes:
7550.exe F93F.exe 5267.exe 5267.tmp 742B.exe 742B.exe 82FA.exe eewbigs A470.exe 288c47bbc1871b439df19ff4df68f076.exe InstallSetup4.exe BroomSetup.exe FourthX.exe B34F.exe nsoBAE8.tmp CBB0.exe CBB0.tmp 288c47bbc1871b439df19ff4df68f076.exe csrss.exe patch.exe injector.exe vueqjgslwynd.exe
pid Process
2860 7550.exe
2060 F93F.exe
1104 5267.exe
3052 5267.tmp
1372 742B.exe
1556 742B.exe
928 82FA.exe
1700 eewbigs
1604 A470.exe
2352 288c47bbc1871b439df19ff4df68f076.exe
3020 InstallSetup4.exe
2596 BroomSetup.exe
2804 FourthX.exe
2640 B34F.exe
1536 nsoBAE8.tmp
1096 CBB0.exe
2280 CBB0.tmp
2416 288c47bbc1871b439df19ff4df68f076.exe
1004 csrss.exe
872 patch.exe
760 injector.exe
2548 vueqjgslwynd.exe
-
Loads dropped DLL 40 IoCs
Processes:
regsvr32.exeWerFault.exe5267.exe5267.tmp742B.exe742B.exeA470.exeInstallSetup4.exeCBB0.exeCBB0.tmp288c47bbc1871b439df19ff4df68f076.exepatch.execsrss.exensoBAE8.tmppid Process 2712 regsvr32.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 1104 5267.exe 3052 5267.tmp 3052 5267.tmp 3052 5267.tmp 1372 742B.exe 1556 742B.exe 1604 A470.exe 1604 A470.exe 1604 A470.exe 3020 InstallSetup4.exe 1604 A470.exe 1604 A470.exe 3020 InstallSetup4.exe 3020 InstallSetup4.exe 3020 InstallSetup4.exe 3020 InstallSetup4.exe 1096 CBB0.exe 2280 CBB0.tmp 2280 CBB0.tmp 2280 CBB0.tmp 2416 288c47bbc1871b439df19ff4df68f076.exe 2416 288c47bbc1871b439df19ff4df68f076.exe 860 872 patch.exe 872 patch.exe 872 patch.exe 872 patch.exe 872 patch.exe 1004 csrss.exe 1536 nsoBAE8.tmp 1536 nsoBAE8.tmp 3020 InstallSetup4.exe 480 480 -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule
behavioral1/memory/1556-194-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/1556-197-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/1556-349-0x0000000000400000-0x0000000000848000-memory.dmp upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exe
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 288c47bbc1871b439df19ff4df68f076.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
7550.exe
description ioc Process
File opened for modification \??\PHYSICALDRIVE0 7550.exe
-
Drops file in System32 directory 4 IoCs
Processes:
vueqjgslwynd.exe powershell.exe FourthX.exe powershell.exe
description ioc Process
File opened for modification C:\Windows\system32\MRT.exe vueqjgslwynd.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
File opened for modification C:\Windows\system32\MRT.exe FourthX.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
742B.exe
description pid Process procid_target
PID 1372 set thread context of 1556 1372 742B.exe 38
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
288c47bbc1871b439df19ff4df68f076.exe
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe
-
Drops file in Windows directory 5 IoCs
Processes:
wusa.exe makecab.exe 288c47bbc1871b439df19ff4df68f076.exe wusa.exe
description ioc Process
File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab makecab.exe
File opened for modification C:\Windows\rss 288c47bbc1871b439df19ff4df68f076.exe
File created C:\Windows\rss\csrss.exe 288c47bbc1871b439df19ff4df68f076.exe
File created C:\Windows\wusa.lock wusa.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe sc.exe sc.exe sc.exe
pid Process
1032 sc.exe
2788 sc.exe
3064 sc.exe
568 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target Process procid_target
2876 2060 WerFault.exe 33
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
eewbigs 1334bbd7e0d0d3bb073194939f7dada8.exe
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eewbigs
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eewbigs
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eewbigs
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1334bbd7e0d0d3bb073194939f7dada8.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1334bbd7e0d0d3bb073194939f7dada8.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1334bbd7e0d0d3bb073194939f7dada8.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
nsoBAE8.tmp
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nsoBAE8.tmp
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nsoBAE8.tmp
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe schtasks.exe
pid Process
1436 schtasks.exe
1956 schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exe netsh.exe
-
Processes:
csrss.exe patch.exe
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … patch.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1334bbd7e0d0d3bb073194939f7dada8.exepid Process 2356 1334bbd7e0d0d3bb073194939f7dada8.exe 2356 1334bbd7e0d0d3bb073194939f7dada8.exe 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 1224 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
1334bbd7e0d0d3bb073194939f7dada8.exe eewbigs
pid Process
2356 1334bbd7e0d0d3bb073194939f7dada8.exe
1700 eewbigs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exe csrss.exe powershell.exe powershell.exe
description pid Process
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeDebugPrivilege 2352 288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege 2352 288c47bbc1871b439df19ff4df68f076.exe
Token: SeSystemEnvironmentPrivilege 1004 csrss.exe
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeShutdownPrivilege 1224
Token: SeDebugPrivilege 2328 powershell.exe
Token: SeDebugPrivilege 2624 powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
5267.tmp CBB0.tmp
pid Process
3052 5267.tmp
2280 CBB0.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
BroomSetup.exe
pid Process
2596 BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exeF93F.exe5267.exe742B.exetaskeng.exeA470.exedescription pid Process procid_target PID 1224 wrote to memory of 2700 1224 28 PID 1224 wrote to memory of 2700 1224 28 PID 1224 wrote to memory of 2700 1224 28 PID 1224 wrote to memory of 2700 1224 28 PID 1224 wrote to memory of 2700 1224 28 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 2700 wrote to memory of 2712 2700 regsvr32.exe 29 PID 1224 wrote to memory of 2860 1224 30 PID 1224 wrote to memory of 2860 1224 30 PID 1224 wrote to memory of 2860 1224 30 PID 1224 wrote to memory of 2860 1224 30 PID 1224 wrote to memory of 2060 1224 33 PID 1224 wrote to memory of 2060 1224 33 PID 1224 wrote to memory of 2060 1224 33 PID 1224 wrote to memory of 2060 1224 33 PID 2060 wrote to memory of 2876 2060 F93F.exe 34 PID 2060 wrote to memory of 2876 2060 F93F.exe 34 PID 2060 wrote to memory of 2876 2060 F93F.exe 34 PID 2060 wrote to memory of 2876 2060 F93F.exe 34 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1224 wrote to memory of 1104 1224 35 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1104 wrote to memory of 3052 1104 5267.exe 36 PID 1224 wrote to memory of 1372 1224 37 PID 1224 wrote to memory of 1372 1224 37 PID 1224 wrote to memory of 1372 1224 37 PID 1224 wrote to memory of 1372 
1224 37 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1372 wrote to memory of 1556 1372 742B.exe 38 PID 1224 wrote to memory of 928 1224 39 PID 1224 wrote to memory of 928 1224 39 PID 1224 wrote to memory of 928 1224 39 PID 1224 wrote to memory of 928 1224 39 PID 1376 wrote to memory of 1700 1376 taskeng.exe 41 PID 1376 wrote to memory of 1700 1376 taskeng.exe 41 PID 1376 wrote to memory of 1700 1376 taskeng.exe 41 PID 1376 wrote to memory of 1700 1376 taskeng.exe 41 PID 1224 wrote to memory of 1604 1224 42 PID 1224 wrote to memory of 1604 1224 42 PID 1224 wrote to memory of 1604 1224 42 PID 1224 wrote to memory of 1604 1224 42 PID 1604 wrote to memory of 2352 1604 A470.exe 43 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe (level 1) command line: "C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2356
-
C:\Windows\system32\regsvr32.exe (level 1) command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7159.dll
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\regsvr32.exe (level 2) command line: /s C:\Users\Admin\AppData\Local\Temp\7159.dll
- Loads dropped DLL
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\7550.exeC:\Users\Admin\AppData\Local\Temp\7550.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2860
-
C:\Users\Admin\AppData\Local\Temp\F93F.exeC:\Users\Admin\AppData\Local\Temp\F93F.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1282⤵
- Loads dropped DLL
- Program crash
PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\5267.exeC:\Users\Admin\AppData\Local\Temp\5267.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp"C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp" /SL5="$50178,3536428,54272,C:\Users\Admin\AppData\Local\Temp\5267.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3052
-
-
C:\Users\Admin\AppData\Local\Temp\742B.exeC:\Users\Admin\AppData\Local\Temp\742B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\742B.exeC:\Users\Admin\AppData\Local\Temp\742B.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556
-
-
C:\Users\Admin\AppData\Local\Temp\82FA.exeC:\Users\Admin\AppData\Local\Temp\82FA.exe1⤵
- Executes dropped EXE
PID:928
-
C:\Windows\system32\taskeng.exetaskeng.exe {A7302DB8-F729-4676-9955-4D2092735EF2} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Roaming\eewbigsC:\Users\Admin\AppData\Roaming\eewbigs2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1700
-
-
C:\Users\Admin\AppData\Local\Temp\A470.exeC:\Users\Admin\AppData\Local\Temp\A470.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2416 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:1864
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:896
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1004 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:1204
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:872
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:760
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:1060
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:1696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1436
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmpC:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1536
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:320
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
PID:280
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:1032
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:2788
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:3064
-
-
-
C:\Users\Admin\AppData\Local\Temp\B34F.exeC:\Users\Admin\AppData\Local\Temp\B34F.exe1⤵
- Executes dropped EXE
PID:2640
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222011007.log C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab1⤵
- Drops file in Windows directory
PID:2212
-
C:\Users\Admin\AppData\Local\Temp\CBB0.exeC:\Users\Admin\AppData\Local\Temp\CBB0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp"C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp" /SL5="$2024C,3525380,54272,C:\Users\Admin\AppData\Local\Temp\CBB0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2280
-
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1632
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
PID:2284
-
-
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads