Analysis
-
max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted
25-02-2024 22:45
Static task
static1
Behavioral task
behavioral1
Sample
0b31dc8d9eeaa4a6803873a6c1380c72.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
0b31dc8d9eeaa4a6803873a6c1380c72.exe
Resource
win10v2004-20240221-en
General
-
Target
0b31dc8d9eeaa4a6803873a6c1380c72.exe
-
Size
211KB
-
MD5
0b31dc8d9eeaa4a6803873a6c1380c72
-
SHA1
89a3961bb7b5e29ce53cfc9bb64daa216259a85e
-
SHA256
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
-
SHA512
7c00f36554dfb6b611227255da75b92bb2200ceadcf92f71fd280cad4c55ee64ed588338b4ed73b110cbf054ea4774c71abc2a66220a65549e04b642404fd26d
-
SSDEEP
3072:gyJtJkIZYF/TgVdkyrp90TvT5A70CutWTFlEz/BVwNMtyMz7:gyDahrgVdjrpc5EJkQMz
Malware Config
Extracted
smokeloader
tfd5
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.lkhy
-
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
Extracted
vidar
7.9
7f6c51bbce50f99b5a632c204a5ec558
https://t.me/hypergog
https://steamcommunity.com/profiles/76561199642171824
-
profile_id_v2
7f6c51bbce50f99b5a632c204a5ec558
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Signatures
-
DcRat 6 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Processes:
pid process
2252 schtasks.exe
2084 schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" 84BB.exe
2260 schtasks.exe
2344 schtasks.exe
Detect Vidar Stealer 5 IoCs
Processes:
resource yara_rule
behavioral1/memory/2244-112-0x0000000000470000-0x00000000004A6000-memory.dmp family_vidar_v7
behavioral1/memory/2284-114-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7
behavioral1/memory/2284-117-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7
behavioral1/memory/2284-118-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7
behavioral1/memory/2284-366-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7
Detect ZGRat V1 9 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\EDE2.exe family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\EDE2.exe family_zgrat_v1
behavioral1/memory/2684-506-0x0000000000F80000-0x000000000152A000-memory.dmp family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\2F75.exe family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\2F75.exe family_zgrat_v1
behavioral1/memory/1560-547-0x0000000001280000-0x00000000018D2000-memory.dmp family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\34C3.exe family_zgrat_v1
behavioral1/memory/2300-594-0x00000000002E0000-0x0000000000642000-memory.dmp family_zgrat_v1
C:\containerProviderhost\sppsvc.exe family_zgrat_v1
Detected Djvu ransomware 14 IoCs
Processes:
resource yara_rule
behavioral1/memory/2648-30-0x00000000034E0000-0x00000000035FB000-memory.dmp family_djvu
behavioral1/memory/2940-33-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2940-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2940-38-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2940-61-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-71-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-72-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-87-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-88-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-92-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-94-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-95-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-96-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1952-177-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 8 IoCs
Processes:
resource yara_rule
behavioral1/memory/2812-368-0x0000000003B00000-0x00000000043EB000-memory.dmp family_glupteba
behavioral1/memory/2812-369-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
behavioral1/memory/2812-373-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
behavioral1/memory/1088-375-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
behavioral1/memory/1088-391-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
behavioral1/memory/1624-393-0x0000000003C80000-0x000000000456B000-memory.dmp family_glupteba
behavioral1/memory/1624-395-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
behavioral1/memory/1624-532-0x0000000000400000-0x0000000001E0D000-memory.dmp family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C851.exe
Modifies boot configuration data using bcdedit 14 IoCs
Processes:
pid process
2992 bcdedit.exe
1224 bcdedit.exe
2952 bcdedit.exe
1036 bcdedit.exe
2780 bcdedit.exe
2988 bcdedit.exe
2964 bcdedit.exe
2796 bcdedit.exe
2824 bcdedit.exe
2372 bcdedit.exe
1592 bcdedit.exe
2380 bcdedit.exe
2476 bcdedit.exe
1780 bcdedit.exe
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid process
1392 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Deletes itself 1 IoCs
Processes:
pid process
1256
Executes dropped EXE 27 IoCs
Processes:
pid process
2648 84BB.exe
2940 84BB.exe
2972 84BB.exe
1952 84BB.exe
2244 build2.exe
2284 build2.exe
788 build3.exe
1508 build3.exe
2544 B8D6.exe
2812 C851.exe
1088 C851.exe
1568 DE51.exe
1624 csrss.exe
2068 patch.exe
1424 injector.exe
2684 EDE2.exe
2760 mstsca.exe
2000 mstsca.exe
1560 2F75.exe
984 34C3.exe
2704 dsefix.exe
1268 windefender.exe
308 windefender.exe
2300 runtimenetSvc.exe
1740 services.exe
1248 mstsca.exe
2008 mstsca.exe
Loads dropped DLL 41 IoCs
Processes:
pid process
2648 84BB.exe
2940 84BB.exe
2940 84BB.exe
2972 84BB.exe
1952 84BB.exe
1952 84BB.exe
1952 84BB.exe
1952 84BB.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
2592 WerFault.exe
1256
1088 C851.exe
1088 C851.exe
852
2068 patch.exe
2068 patch.exe
2068 patch.exe
2068 patch.exe
2068 patch.exe
1624 csrss.exe
2068 patch.exe
2068 patch.exe
2068 patch.exe
1624 csrss.exe
2120 WerFault.exe
2120 WerFault.exe
2120 WerFault.exe
2120 WerFault.exe
2120 WerFault.exe
1312 cmd.exe
1312 cmd.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
Modifies file permissions 1 TTPs 1 IoCs
-
Processes:
resource yara_rule
behavioral1/memory/1268-593-0x0000000000400000-0x00000000008DF000-memory.dmp upx
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C851.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C851.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" 84BB.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C851.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
20 api.2ip.ua
22 api.2ip.ua
32 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Rootkits write to WinMon to hide PIDs from being detected.
Processes:
description ioc process
File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description ioc process
File opened for modification \??\WinMonFS csrss.exe
Suspicious use of SetThreadContext 6 IoCs
Processes:
description pid process target process
PID 2648 set thread context of 2940 2648 84BB.exe 84BB.exe
PID 2972 set thread context of 1952 2972 84BB.exe 84BB.exe
PID 2244 set thread context of 2284 2244 build2.exe build2.exe
PID 788 set thread context of 1508 788 build3.exe build3.exe
PID 2760 set thread context of 2000 2760 mstsca.exe mstsca.exe
PID 1248 set thread context of 2008 1248 mstsca.exe mstsca.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description ioc process
File opened (read-only) \??\VBoxMiniRdrDN C851.exe
Drops file in Program Files directory 3 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe runtimenetSvc.exe
File created C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3 runtimenetSvc.exe
File created C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe runtimenetSvc.exe
Drops file in Windows directory 6 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\rss C851.exe
File created C:\Windows\rss\csrss.exe C851.exe
File created C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab makecab.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
File created C:\Windows\Speech\Common\en-US\cmd.exe runtimenetSvc.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
636 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
pid pid_target process target process
2628 2284 WerFault.exe build2.exe
2592 2544 WerFault.exe B8D6.exe
2120 2684 WerFault.exe EDE2.exe
1196 1560 WerFault.exe 2F75.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
2260 schtasks.exe
2344 schtasks.exe
2252 schtasks.exe
2084 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
Modifies registry key 1 TTPs 1 IoCs
-
Processes:
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) build2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) patch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (Baltimore CyberTrust Root certificate blob omitted) patch.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2932 0b31dc8d9eeaa4a6803873a6c1380c72.exe
2932 0b31dc8d9eeaa4a6803873a6c1380c72.exe
1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process
480
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
2932 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 1256
Token: SeShutdownPrivilege 1256
Token: SeDebugPrivilege 2812 C851.exe
Token: SeImpersonatePrivilege 2812 C851.exe
Token: SeSystemEnvironmentPrivilege 1624 csrss.exe
Token: SeShutdownPrivilege 1256
Token: SeShutdownPrivilege 1256
Token: SeSecurityPrivilege 636 sc.exe
Token: SeSecurityPrivilege 636 sc.exe
Token: SeDebugPrivilege 2300 runtimenetSvc.exe
Token: SeDebugPrivilege 1740 services.exe
Token: SeShutdownPrivilege 1256
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1256 wrote to memory of 2884 1256 cmd.exe
PID 1256 wrote to memory of 2884 1256 cmd.exe
PID 1256 wrote to memory of 2884 1256 cmd.exe
PID 2884 wrote to memory of 2552 2884 cmd.exe reg.exe
PID 2884 wrote to memory of 2552 2884 cmd.exe reg.exe
PID 2884 wrote to memory of 2552 2884 cmd.exe reg.exe
PID 1256 wrote to memory of 2648 1256 84BB.exe
PID 1256 wrote to memory of 2648 1256 84BB.exe
PID 1256 wrote to memory of 2648 1256 84BB.exe
PID 1256 wrote to memory of 2648 1256 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2648 wrote to memory of 2940 2648 84BB.exe 84BB.exe
PID 2940 wrote to memory of 2844 2940 84BB.exe icacls.exe
PID 2940 wrote to memory of 2844 2940 84BB.exe icacls.exe
PID 2940 wrote to memory of 2844 2940 84BB.exe icacls.exe
PID 2940 wrote to memory of 2844 2940 84BB.exe icacls.exe
PID 2940 wrote to memory of 2972 2940 84BB.exe 84BB.exe
PID 2940 wrote to memory of 2972 2940 84BB.exe 84BB.exe
PID 2940 wrote to memory of 2972 2940 84BB.exe 84BB.exe
PID 2940 wrote to memory of 2972 2940 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 2972 wrote to memory of 1952 2972 84BB.exe 84BB.exe
PID 1952 wrote to memory of 2244 1952 84BB.exe build2.exe
PID 1952 wrote to memory of 2244 1952 84BB.exe build2.exe
PID 1952 wrote to memory of 2244 1952 84BB.exe build2.exe
PID 1952 wrote to memory of 2244 1952 84BB.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 2244 wrote to memory of 2284 2244 build2.exe build2.exe
PID 1952 wrote to memory of 788 1952 84BB.exe build3.exe
PID 1952 wrote to memory of 788 1952 84BB.exe build3.exe
PID 1952 wrote to memory of 788 1952 84BB.exe build3.exe
PID 1952 wrote to memory of 788 1952 84BB.exe build3.exe
PID 788 wrote to memory of 1508 788 build3.exe build3.exe
PID 788 wrote to memory of 1508 788 build3.exe build3.exe
PID 788 wrote to memory of 1508 788 build3.exe build3.exe
PID 788 wrote to memory of 1508 788 build3.exe build3.exe
PID 788 wrote to memory of 1508 788 build3.exe build3.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2932
- [1] C:\Windows\system32\cmd.exe
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6E2E.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2884
  - [2] C:\Windows\system32\reg.exe
    cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID:2552
- [1] C:\Users\Admin\AppData\Local\Temp\84BB.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\84BB.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2648
  - [2] C:\Users\Admin\AppData\Local\Temp\84BB.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\84BB.exe
    - DcRat
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2940
    - [3] C:\Windows\SysWOW64\icacls.exe
      cmdline: icacls "C:\Users\Admin\AppData\Local\1cf4e57f-32c3-4019-88f0-dbc6891395db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID:2844
    - [3] C:\Users\Admin\AppData\Local\Temp\84BB.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:2972
      - [4] C:\Users\Admin\AppData\Local\Temp\84BB.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1952
        - [5] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
          cmdline: "C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:2244
          - [6] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
            cmdline: "C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID:2284
            - [7] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1456
              - Loads dropped DLL
              - Program crash
              PID:2628
        - [5] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
          cmdline: "C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:788
          - [6] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
            cmdline: "C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"
            - Executes dropped EXE
            PID:1508
            - [7] C:\Windows\SysWOW64\schtasks.exe
              cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - DcRat
              - Creates scheduled task(s)
              PID:2260
- [1] C:\Users\Admin\AppData\Local\Temp\B8D6.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\B8D6.exe
  - Executes dropped EXE
  PID:2544
  - [2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 124
    - Loads dropped DLL
    - Program crash
    PID:2592
- [1] C:\Windows\system32\cmd.exe
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD88.bat" "
  PID:848
  - [2] C:\Windows\system32\reg.exe
    cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID:2768
- [1] C:\Users\Admin\AppData\Local\Temp\C851.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\C851.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
  - [2] C:\Users\Admin\AppData\Local\Temp\C851.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\C851.exe"
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1088
    - [3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      PID:628
      - [4] C:\Windows\system32\netsh.exe
        cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        - Modifies data under HKEY_USERS
        PID:1392
    - [3] C:\Windows\rss\csrss.exe
      cmdline: C:\Windows\rss\csrss.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Manipulates WinMon driver.
      - Manipulates WinMonFS driver.
      - Drops file in Windows directory
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      PID:1624
      - [4] C:\Windows\system32\schtasks.exe
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - DcRat
        - Creates scheduled task(s)
        PID:2344
      - [4] C:\Windows\system32\schtasks.exe
        cmdline: schtasks /delete /tn ScheduledUpdate /f
        PID:608
      - [4] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system certificate store
        PID:2068
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
          - Modifies boot configuration data using bcdedit
          PID:2992
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -timeout 0
          - Modifies boot configuration data using bcdedit
          PID:2952
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
          - Modifies boot configuration data using bcdedit
          PID:1036
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
          - Modifies boot configuration data using bcdedit
          PID:2780
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
          - Modifies boot configuration data using bcdedit
          PID:2988
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
          - Modifies boot configuration data using bcdedit
          PID:2964
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
          - Modifies boot configuration data using bcdedit
          PID:2796
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
          - Modifies boot configuration data using bcdedit
          PID:2824
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
          - Modifies boot configuration data using bcdedit
          PID:2372
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
          - Modifies boot configuration data using bcdedit
          PID:1592
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
          - Modifies boot configuration data using bcdedit
          PID:2380
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
          - Modifies boot configuration data using bcdedit
          PID:2476
        - [5] C:\Windows\system32\bcdedit.exe
          cmdline: C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
          - Modifies boot configuration data using bcdedit
          PID:1780
      - [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        PID:1424
      - [4] C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        - Executes dropped EXE
        PID:2704
      - [4] C:\Windows\system32\bcdedit.exe
        cmdline: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit
        PID:1224
      - [4] C:\Windows\system32\schtasks.exe
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - DcRat
        - Creates scheduled task(s)
        PID:2084
      - [4] C:\Windows\windefender.exe
        cmdline: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        PID:1268
        - [5] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          PID:1096
          - [6] C:\Windows\SysWOW64\sc.exe
            cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
            PID:636
- [1] C:\Windows\system32\makecab.exe
  cmdline: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240225224649.log C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab
  - Drops file in Windows directory
  PID:1476
- [1] C:\Users\Admin\AppData\Local\Temp\DE51.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\DE51.exe
  - Executes dropped EXE
  PID:1568
- [1] C:\Users\Admin\AppData\Local\Temp\EDE2.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\EDE2.exe
  - Executes dropped EXE
  PID:2684
  - [2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 564
    - Loads dropped DLL
    - Program crash
    PID:2120
- [1] C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {7FE3199C-699E-4998-9CDF-A768539BA244} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  PID:2108
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2760
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      PID:2000
      - [4] C:\Windows\SysWOW64\schtasks.exe
        cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - DcRat
        - Creates scheduled task(s)
        PID:2252
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1248
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      PID:2008
- [1] C:\Users\Admin\AppData\Local\Temp\2F75.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2F75.exe
  - Executes dropped EXE
  PID:1560
  - [2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 564
    - Loads dropped DLL
    - Program crash
    PID:1196
- [1] C:\Users\Admin\AppData\Local\Temp\34C3.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\34C3.exe
  - Executes dropped EXE
  PID:984
  - [2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
    PID:1600
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\containerProviderhost\SSJnjC24t.bat" "
      - Loads dropped DLL
      PID:1312
      - [4] C:\containerProviderhost\runtimenetSvc.exe
        cmdline: "C:\containerProviderhost/runtimenetSvc.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID:2300
        - [5] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CCTxfaFxh3.bat"
          PID:2064
          - [6] C:\Windows\system32\chcp.com
            cmdline: chcp 65001
            PID:2872
          - [6] C:\Windows\system32\PING.EXE
            cmdline: ping -n 10 localhost
            - Runs ping.exe
            PID:1780
          - [6] C:\containerProviderhost\services.exe
            cmdline: "C:\containerProviderhost\services.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID:1740
      - [4] C:\Windows\SysWOW64\reg.exe
        cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID:3048
- [1] C:\Windows\windefender.exe
  cmdline: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:308
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads