Analysis
max time kernel: 298s
max time network: 301s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-02-2024 04:48

Static task: static1

Behavioral task: behavioral1
Sample: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Resource: win10-20240221-en

General
Target: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Size: 215KB
MD5: beea0c962def411b794fe5fd33f4e5b9
SHA1: 2c4743812c810d05d42ab11bb9beda423bdd7d2a
SHA256: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
SHA512: bfff88b479bf97ad6878f1c90197263d9c0cc9485eda0ba5f9ef5bf39b0f02e3236ee31e7ac581348da5497e805cff56853965797b778e01a73c852f6479c6ac
SSDEEP: 1536:SPWQAMcx0G0QR9UMpkjgwoqC3Pbn2PhNxl0NtC3l6mRB4TG3RS6gGVUxpCQPKRcb:SPtI/j230wrV3Y8Wx1PwBHxDYSc5Dra
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub1
Extracted
stealc
http://185.172.128.145
url_path
/3cd2b41cbde8fc9c.php
Extracted
socks5systemz
http://bffingb.com/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c646db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923b6f8bf816c3e693
Signatures

DcRat 3 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe, schtasks.exe, schtasks.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
pid | Process
2364 | schtasks.exe
2840 | schtasks.exe
Glupteba payload 2 IoCs
resource | yara_rule
behavioral1/memory/2740-349-0x0000000002B50000-0x000000000343B000-memory.dmp | family_glupteba
behavioral1/memory/2740-350-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Processes: 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Creates new service(s) 1 TTPs

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | Process
1776 | netsh.exe
Stops running service(s) 3 TTPs

Deletes itself 1 IoCs
pid | Process
1224 |
Executes dropped EXE 25 IoCs
Processes: 736C.exe, 82A9.exe, 8F19.exe, 8F19.tmp, powershell.exe, 9BE6.exe, 9BE6.exe, A94F.exe, dvd32plugin.exe, D427.exe, E1ED.exe, 45C.exe, 45C.tmp, 288c47bbc1871b439df19ff4df68f076.exe, InstallSetup4.exe, FourthX.exe, BroomSetup.exe, nsj3FB1.tmp, vueqjgslwynd.exe, rdbcgsh, 288c47bbc1871b439df19ff4df68f076.exe, csrss.exe, injector.exe, patch.exe
pid | Process
2572 | 736C.exe
2216 | 82A9.exe
1984 | 8F19.exe
2772 | 8F19.tmp
1720 | powershell.exe
2624 | 9BE6.exe
2276 | 9BE6.exe
3000 | A94F.exe
1664 | dvd32plugin.exe
2840 | D427.exe
2000 | E1ED.exe
2344 | 45C.exe
2288 | 45C.tmp
2740 | 288c47bbc1871b439df19ff4df68f076.exe
2484 | InstallSetup4.exe
2668 | FourthX.exe
2704 | BroomSetup.exe
2844 | nsj3FB1.tmp
480 |
2988 | vueqjgslwynd.exe
884 | rdbcgsh
1536 | 288c47bbc1871b439df19ff4df68f076.exe
1928 | csrss.exe
1736 | injector.exe
1840 | patch.exe
Loads dropped DLL 41 IoCs
Processes: regsvr32.exe, 8F19.exe, 8F19.tmp, 9BE6.exe, 9BE6.exe, WerFault.exe, 45C.exe, 45C.tmp, D427.exe, InstallSetup4.exe, nsj3FB1.tmp, 288c47bbc1871b439df19ff4df68f076.exe, csrss.exe, patch.exe
pid | Process (repeated entries collapsed, count in parentheses)
2596 | regsvr32.exe
1984 | 8F19.exe
2772 | 8F19.tmp (4)
2624 | 9BE6.exe
2276 | 9BE6.exe
3016 | WerFault.exe (5)
2344 | 45C.exe
2288 | 45C.tmp (4)
2840 | D427.exe (5)
2484 | InstallSetup4.exe (5)
480 |
2844 | nsj3FB1.tmp (2)
2484 | InstallSetup4.exe
1536 | 288c47bbc1871b439df19ff4df68f076.exe (2)
1928 | csrss.exe
856 |
1840 | patch.exe (5)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/memory/2276-188-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/2276-194-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/2276-245-0x0000000000400000-0x0000000000848000-memory.dmp | upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 152.89.198.214

Processes: 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9BE6.exe, 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | 9BE6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 288c47bbc1871b439df19ff4df68f076.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 736C.exe
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | 736C.exe
Drops file in System32 directory 3 IoCs
Processes: powershell.exe, powershell.exe, FourthX.exe
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | FourthX.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 9BE6.exe
description | pid | Process | procid_target
PID 2624 set thread context of 2276 | 2624 | 9BE6.exe | 36
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 288c47bbc1871b439df19ff4df68f076.exe
Drops file in Windows directory 4 IoCs
Processes: wusa.exe, makecab.exe, 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | Process
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab | makecab.exe
File opened for modification | C:\Windows\rss | 288c47bbc1871b439df19ff4df68f076.exe
File created | C:\Windows\rss\csrss.exe | 288c47bbc1871b439df19ff4df68f076.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe
pid | Process
2108 | sc.exe
2016 | sc.exe
2764 | sc.exe
2160 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
3016 | 2216 | WerFault.exe | 31
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: E1ED.exe, rdbcgsh, 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | E1ED.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rdbcgsh
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rdbcgsh
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | E1ED.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | E1ED.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rdbcgsh
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsj3FB1.tmp
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsj3FB1.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsj3FB1.tmp
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | Process
2364 | schtasks.exe
2840 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, 288c47bbc1871b439df19ff4df68f076.exe, netsh.exe
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0b8a6924a65da01 | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
Processes: patch.exe, csrss.exe
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (hex certificate blob omitted) | patch.exe (4 entries)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | csrss.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (hex certificate blob omitted) | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | patch.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
pid | Process
2940 | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
2940 | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
1224 | (62 entries, no process name recorded)
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid Process
2940 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
2000 E1ED.exe
884 rdbcgsh
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description pid Process
Token: SeShutdownPrivilege 1224 (no process name recorded; 10 identical entries)
Token: SeDebugPrivilege 1720 powershell.exe
Token: SeDebugPrivilege 2616 powershell.exe
Token: SeDebugPrivilege 2740 288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege 2740 288c47bbc1871b439df19ff4df68f076.exe
Token: SeSystemEnvironmentPrivilege 1928 csrss.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process
1224 (no process name recorded; 2 identical entries)
2772 8F19.tmp
2288 45C.tmp
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid Process
1224 (no process name recorded; 2 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid Process
2704 BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target (identical rows collapsed, count given per row)
PID 1224 wrote to memory of 2824 (procid_target 28): 5 entries
PID 2824 regsvr32.exe wrote to memory of 2596 (procid_target 29): 7 entries
PID 1224 wrote to memory of 2572 (procid_target 30): 4 entries
PID 1224 wrote to memory of 2216 (procid_target 31): 4 entries
PID 1224 wrote to memory of 1984 (procid_target 32): 7 entries
PID 1984 8F19.exe wrote to memory of 2772 (procid_target 33): 7 entries
PID 2772 8F19.tmp wrote to memory of 1720 (procid_target 58): 4 entries
PID 1224 wrote to memory of 2624 (procid_target 35): 4 entries
PID 2624 9BE6.exe wrote to memory of 2276 (procid_target 36): 9 entries
PID 1224 wrote to memory of 3000 (procid_target 37): 4 entries
PID 2216 82A9.exe wrote to memory of 3016 (procid_target 38): 4 entries
PID 2772 8F19.tmp wrote to memory of 1664 (procid_target 39): 4 entries
PID 1224 wrote to memory of 2840 (procid_target 40): 1 entry
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2940
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\71A7.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\71A7.dll2⤵
- Loads dropped DLL
PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\736C.exeC:\Users\Admin\AppData\Local\Temp\736C.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2572
-
C:\Users\Admin\AppData\Local\Temp\82A9.exeC:\Users\Admin\AppData\Local\Temp\82A9.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1282⤵
- Loads dropped DLL
- Program crash
PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\8F19.exeC:\Users\Admin\AppData\Local\Temp\8F19.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp"C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp" /SL5="$60122,3536428,54272,C:\Users\Admin\AppData\Local\Temp\8F19.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i3⤵PID:1720
-
-
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s3⤵
- Executes dropped EXE
PID:1664
-
-
-
C:\Users\Admin\AppData\Local\Temp\9BE6.exeC:\Users\Admin\AppData\Local\Temp\9BE6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\9BE6.exeC:\Users\Admin\AppData\Local\Temp\9BE6.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\A94F.exeC:\Users\Admin\AppData\Local\Temp\A94F.exe1⤵
- Executes dropped EXE
PID:3000
-
C:\Users\Admin\AppData\Local\Temp\D427.exeC:\Users\Admin\AppData\Local\Temp\D427.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1536 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:1564
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1776
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:2840
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:1736
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1840
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:1768
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:1648
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:2364
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmpC:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2844
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3024
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
PID:2052
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:2016
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:2764
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2160
-
-
-
C:\Users\Admin\AppData\Local\Temp\E1ED.exeC:\Users\Admin\AppData\Local\Temp\E1ED.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2000
-
C:\Users\Admin\AppData\Local\Temp\45C.exeC:\Users\Admin\AppData\Local\Temp\45C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp"C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp" /SL5="$201D2,4081152,54272,C:\Users\Admin\AppData\Local\Temp\45C.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2288
-
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5CB69B68-B144-45D1-A502-65DD0B912653} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵PID:1444
-
C:\Users\Admin\AppData\Roaming\rdbcgshC:\Users\Admin\AppData\Roaming\rdbcgsh2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:884
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222045201.log C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab1⤵
- Drops file in Windows directory
PID:1304
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads