Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2024 22:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Resource: win10v2004-20240221-en
General
Target: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Size: 211KB
MD5: 0b31dc8d9eeaa4a6803873a6c1380c72
SHA1: 89a3961bb7b5e29ce53cfc9bb64daa216259a85e
SHA256: 7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
SHA512: 7c00f36554dfb6b611227255da75b92bb2200ceadcf92f71fd280cad4c55ee64ed588338b4ed73b110cbf054ea4774c71abc2a66220a65549e04b642404fd26d
SSDEEP: 3072:gyJtJkIZYF/TgVdkyrp90TvT5A70CutWTFlEz/BVwNMtyMz7:gyDahrgVdjrpc5EJkQMz
Malware Config

Extracted: smokeloader
  tfd5

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .lkhy
  offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://habrafa.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

Extracted: vidar
  7.9
  7f6c51bbce50f99b5a632c204a5ec558
  https://t.me/hypergog
  https://steamcommunity.com/profiles/76561199642171824
  profile_id_v2: 7f6c51bbce50f99b5a632c204a5ec558
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Extracted: lumma
  https://resergvearyinitiani.shop/api
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
  https://scandalbasketballoe.shop/api
Signatures

DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe, 0b31dc8d9eeaa4a6803873a6c1380c72.exe, 9B28.exe, schtasks.exe, schtasks.exe
  pid 5140  schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart"  9B28.exe
  pid 4196  schtasks.exe
  pid 5668  schtasks.exe
Detect Vidar Stealer 5 IoCs
Processes (resource  yara_rule):
  behavioral2/memory/3500-73-0x0000000000400000-0x0000000000649000-memory.dmp  family_vidar_v7
  behavioral2/memory/388-76-0x00000000005E0000-0x0000000000616000-memory.dmp  family_vidar_v7
  behavioral2/memory/3500-78-0x0000000000400000-0x0000000000649000-memory.dmp  family_vidar_v7
  behavioral2/memory/3500-79-0x0000000000400000-0x0000000000649000-memory.dmp  family_vidar_v7
  behavioral2/memory/3500-103-0x0000000000400000-0x0000000000649000-memory.dmp  family_vidar_v7
Detect ZGRat V1 6 IoCs
Processes (resource  yara_rule):
  C:\Users\Admin\AppData\Local\Temp\DBD.exe  family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\DBD.exe  family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\5343.exe  family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\5343.exe  family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\611E.exe  family_zgrat_v1
  C:\containerProviderhost\runtimenetSvc.exe  family_zgrat_v1
Detected Djvu ransomware 16 IoCs
Processes (resource  yara_rule):
  behavioral2/memory/4760-21-0x0000000003900000-0x0000000003A1B000-memory.dmp  family_djvu
  behavioral2/memory/1364-22-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1364-24-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1364-25-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1364-26-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1364-38-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-44-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-45-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-46-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-53-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-54-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-58-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-60-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-61-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-100-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4116-106-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 10 IoCs
Processes (resource  yara_rule):
  behavioral2/memory/528-130-0x0000000003F10000-0x00000000047FB000-memory.dmp  family_glupteba
  behavioral2/memory/528-131-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4696-191-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/528-193-0x0000000003F10000-0x00000000047FB000-memory.dmp  family_glupteba
  behavioral2/memory/528-206-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4696-344-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4528-396-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4528-429-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4528-469-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
  behavioral2/memory/4528-564-0x0000000000400000-0x0000000001E0D000-memory.dmp  family_glupteba
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: MsBuild.exe (description  pid  process  target process)
  PID 3352 created 2572  3352  MsBuild.exe  sihost.exe
Disables Task Manager via registry modification

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe (pid  process)
  3724  netsh.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 9B28.exe, 9B28.exe, 611E.exe, WScript.exe, runtimenetSvc.exe (description  ioc  process)
  Key value queried  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation  9B28.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation  9B28.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation  611E.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation  runtimenetSvc.exe
Deletes itself 1 IoCs
Processes (pid  process):
  3444  (no process name)
Executes dropped EXE 21 IoCs
Processes: 9B28.exe, 9B28.exe, 9B28.exe, 9B28.exe, build2.exe, build2.exe, build3.exe, DEC9.exe, EB1F.exe, F88E.exe, EB1F.exe, DBD.exe, csrss.exe, injector.exe, 5343.exe, windefender.exe, windefender.exe, 611E.exe, runtimenetSvc.exe, csrss.exe, build3.exe (pid  process)
  4760  9B28.exe
  1364  9B28.exe
  5952  9B28.exe
  4116  9B28.exe
  388  build2.exe
  3500  build2.exe
  1936  build3.exe
  5420  DEC9.exe
  528  EB1F.exe
  5700  F88E.exe
  4696  EB1F.exe
  2372  DBD.exe
  4528  csrss.exe
  3916  injector.exe
  3208  5343.exe
  2876  windefender.exe
  2804  windefender.exe
  2612  611E.exe
  4036  runtimenetSvc.exe
  3696  csrss.exe
  3852  build3.exe
Loads dropped DLL 2 IoCs
Processes: DBD.exe, 5343.exe (pid  process)
  2372  DBD.exe
  3208  5343.exe
Modifies file permissions 1 TTPs 1 IoCs

Processes (resource  yara_rule):
  C:\Windows\windefender.exe  upx
  C:\Windows\windefender.exe  upx
  C:\Windows\windefender.exe  upx
  behavioral2/memory/2876-411-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral2/memory/2804-441-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral2/memory/2804-583-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 9B28.exe, EB1F.exe, csrss.exe (description  ioc  process)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart"  9B28.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  EB1F.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow  ioc):
  48  api.2ip.ua
  57  api.2ip.ua
  47  api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes: csrss.exe (description  ioc  process)
  File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory 7 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe (description  ioc  process)
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
Suspicious use of SetThreadContext 6 IoCs
Processes: 9B28.exe, 9B28.exe, build2.exe, DBD.exe, 5343.exe, build3.exe (description  pid  process  target process)
  PID 4760 set thread context of 1364  4760  9B28.exe  9B28.exe
  PID 5952 set thread context of 4116  5952  9B28.exe  9B28.exe
  PID 388 set thread context of 3500  388  build2.exe  build2.exe
  PID 2372 set thread context of 4760  2372  DBD.exe  MsBuild.exe
  PID 3208 set thread context of 3352  3208  5343.exe  MsBuild.exe
  PID 1936 set thread context of 3852  1936  build3.exe  build3.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: EB1F.exe (description  ioc  process)
  File opened (read-only)  \??\VBoxMiniRdrDN  EB1F.exe
Drops file in Program Files directory 6 IoCs
Processes: runtimenetSvc.exe (description  ioc  process)
  File created  C:\Program Files\Windows Media Player\Media Renderer\886983d96e3d3e  runtimenetSvc.exe
  File created  C:\Program Files\Windows Mail\fontdrvhost.exe  runtimenetSvc.exe
  File created  C:\Program Files\Windows Mail\5b884080fd4f94  runtimenetSvc.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe  runtimenetSvc.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\886983d96e3d3e  runtimenetSvc.exe
  File created  C:\Program Files\Windows Media Player\Media Renderer\csrss.exe  runtimenetSvc.exe
Drops file in Windows directory 4 IoCs
Processes: csrss.exe, EB1F.exe (description  ioc  process)
  File opened for modification  C:\Windows\windefender.exe  csrss.exe
  File opened for modification  C:\Windows\rss  EB1F.exe
  File created  C:\Windows\rss\csrss.exe  EB1F.exe
  File created  C:\Windows\windefender.exe  csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (pid  process)
  1664  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe (pid  pid_target  process  target process)
  4960  3500  WerFault.exe  build2.exe
  3864  3352  WerFault.exe  MsBuild.exe
  916  3352  WerFault.exe  MsBuild.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 0b31dc8d9eeaa4a6803873a6c1380c72.exe (description  ioc  process)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0b31dc8d9eeaa4a6803873a6c1380c72.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe (pid  process)
  4196  schtasks.exe
  5668  schtasks.exe
  5140  schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: EB1F.exe, windefender.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe (description  ioc  process)
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-572 = "China Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"  EB1F.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"  windefender.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"  EB1F.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"  EB1F.exe
Modifies registry class 2 IoCs
Processes: 611E.exe, runtimenetSvc.exe (description  ioc  process)
  Key created  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings  611E.exe
  Key created  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings  runtimenetSvc.exe
Modifies registry key 1 TTPs 1 IoCs

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 0b31dc8d9eeaa4a6803873a6c1380c72.exe (pid  process)
  4272  0b31dc8d9eeaa4a6803873a6c1380c72.exe
  4272  0b31dc8d9eeaa4a6803873a6c1380c72.exe
  3444  (no process name; this pid accounts for all remaining entries)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: 0b31dc8d9eeaa4a6803873a6c1380c72.exe (pid  process)
  4272  0b31dc8d9eeaa4a6803873a6c1380c72.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, EB1F.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, csrss.exe, sc.exe, runtimenetSvc.exe, csrss.exe (description  pid  process)
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  5644  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  528  EB1F.exe
  Token: SeImpersonatePrivilege  528  EB1F.exe
  Token: SeDebugPrivilege  2632  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  2260  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  5964  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  4516  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  2000  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  4924  powershell.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeSystemEnvironmentPrivilege  4528  csrss.exe
  Token: SeSecurityPrivilege  1664  sc.exe
  Token: SeSecurityPrivilege  1664  sc.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  4036  runtimenetSvc.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeDebugPrivilege  3696  csrss.exe
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
  Token: SeShutdownPrivilege  3444
  Token: SeCreatePagefilePrivilege  3444
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe, 9B28.exe, 9B28.exe, 9B28.exe, 9B28.exe, build2.exe, cmd.exe, EB1F.exe (description  pid  process  target process; identical consecutive entries are collapsed with their count)
  PID 3444 wrote to memory of 3640  3444  (no process name)  cmd.exe  (2 entries)
  PID 3640 wrote to memory of 5048  3640  cmd.exe  reg.exe  (2 entries)
  PID 3444 wrote to memory of 4760  3444  (no process name)  9B28.exe  (3 entries)
  PID 4760 wrote to memory of 1364  4760  9B28.exe  9B28.exe  (10 entries)
  PID 1364 wrote to memory of 4088  1364  9B28.exe  icacls.exe  (3 entries)
  PID 1364 wrote to memory of 5952  1364  9B28.exe  9B28.exe  (3 entries)
  PID 5952 wrote to memory of 4116  5952  9B28.exe  9B28.exe  (10 entries)
  PID 4116 wrote to memory of 388  4116  9B28.exe  build2.exe  (3 entries)
  PID 388 wrote to memory of 3500  388  build2.exe  build2.exe  (10 entries)
  PID 4116 wrote to memory of 1936  4116  9B28.exe  build3.exe  (3 entries)
  PID 3444 wrote to memory of 5420  3444  (no process name)  DEC9.exe  (3 entries)
  PID 3444 wrote to memory of 5812  3444  (no process name)  cmd.exe  (2 entries)
  PID 5812 wrote to memory of 1652  5812  cmd.exe  reg.exe  (2 entries)
  PID 3444 wrote to memory of 528  3444  (no process name)  EB1F.exe  (3 entries)
  PID 528 wrote to memory of 5644  528  EB1F.exe  powershell.exe  (3 entries)
  PID 3444 wrote to memory of 5700  3444  (no process name)  F88E.exe  (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2572
- [depth 2] C:\Windows\SysWOW64\dialer.exe
  command line: "C:\Windows\system32\dialer.exe"
  PID: 6024
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 4272
- [depth 1] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8491.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3640
- [depth 2] C:\Windows\system32\reg.exe
  command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  PID: 5048
- [depth 1] C:\Users\Admin\AppData\Local\Temp\9B28.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9B28.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4760
- [depth 2] C:\Users\Admin\AppData\Local\Temp\9B28.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9B28.exe
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1364
- [depth 3] C:\Windows\SysWOW64\icacls.exe
  command line: icacls "C:\Users\Admin\AppData\Local\f12340f9-b0e6-42e3-a341-afc21e6d6dfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  - Modifies file permissions
  PID: 4088
- [depth 3] C:\Users\Admin\AppData\Local\Temp\9B28.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5952
- [depth 4] C:\Users\Admin\AppData\Local\Temp\9B28.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4116
- [depth 5] C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
  command line: "C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 388
- [depth 6] C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
  command line: "C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"
  - Executes dropped EXE
  PID: 3500
- [depth 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2220
  - Program crash
  PID: 4960
- [depth 5] C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
  command line: "C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1936
- [depth 6] C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
  command line: "C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"
  - Executes dropped EXE
  PID: 3852
- [depth 7] C:\Windows\SysWOW64\schtasks.exe
  command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  - DcRat
  - Creates scheduled task(s)
  PID: 5140
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3500 -ip 3500
  PID: 8
- [depth 1] C:\Users\Admin\AppData\Local\Temp\DEC9.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DEC9.exe
  - Executes dropped EXE
  PID: 5420
- [depth 1] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E33F.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 5812
- [depth 2] C:\Windows\system32\reg.exe
  command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  PID: 1652
- [depth 1] C:\Users\Admin\AppData\Local\Temp\EB1F.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EB1F.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 528
- [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Suspicious use of AdjustPrivilegeToken
  PID: 5644
- [depth 2] C:\Users\Admin\AppData\Local\Temp\EB1F.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\EB1F.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 4696
- [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2632
- [depth 3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
  PID: 3084
- [depth 4] C:\Windows\system32\netsh.exe
  command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  - Modifies Windows Firewall
  PID: 3724
- [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2260
- [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5964
- [depth 3] C:\Windows\rss\csrss.exe
  command line: C:\Windows\rss\csrss.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Manipulates WinMonFS driver.
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4528
- [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4516
- [depth 4] C:\Windows\SYSTEM32\schtasks.exe
  command line: schtasks /delete /tn ScheduledUpdate /f
  PID: 5488
- [depth 4] C:\Windows\SYSTEM32\schtasks.exe
  command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
  - DcRat
  - Creates scheduled task(s)
  PID: 4196
- [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2000
- [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4924
- [depth 4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
  - Executes dropped EXE
  PID: 3916
- [depth 4] C:\Windows\SYSTEM32\schtasks.exe
  command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
  - DcRat
  - Creates scheduled task(s)
  PID: 5668
- [depth 4] C:\Windows\windefender.exe
  command line: "C:\Windows\windefender.exe"
  - Executes dropped EXE
  PID: 2876
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  PID: 5704
- [depth 6] C:\Windows\SysWOW64\sc.exe
  command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1664
- [depth 1] C:\Users\Admin\AppData\Local\Temp\F88E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F88E.exe
  - Executes dropped EXE
  PID: 5700
- [depth 1] C:\Users\Admin\AppData\Local\Temp\DBD.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DBD.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2372
- [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  PID: 3324
- [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  PID: 4760
- [depth 1] C:\Users\Admin\AppData\Local\Temp\5343.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5343.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 3208
- [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID: 3352
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 436
  - Program crash
  PID: 3864
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 428
  - Program crash
  PID: 916
- [depth 1] C:\Windows\windefender.exe
  command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2804
- [depth 1] C:\Users\Admin\AppData\Local\Temp\611E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\611E.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID: 2612
- [depth 2] C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
  - Checks computer location settings
  PID: 3084
- [depth 3] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "
  PID: 1044
- [depth 4] C:\Windows\SysWOW64\reg.exe
  command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - Modifies registry key
  PID: 4908
- [depth 4] C:\containerProviderhost\runtimenetSvc.exe
  command line: "C:\containerProviderhost/runtimenetSvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4036
- [depth 5] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FSRA6W5YHr.bat"
  PID: 2584
- [depth 6] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 5276
- [depth 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2460
- [depth 6] C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe
  command line: "C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3696
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3352 -ip 3352
  PID: 5332
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352
  PID: 5324
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads