Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 12:14
Static task: static1
Behavioral task: behavioral1
Sample: 84b607224b08194b311683727ad11950.exe
Resource: win7-20240221-en

General
Target: 84b607224b08194b311683727ad11950.exe
Size: 246KB
MD5: 84b607224b08194b311683727ad11950
SHA1: f40b14acd72941439165a1df48e04a80ab978f34
SHA256: 01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
SHA512: f83140c375769e3f8eff768b7888de1a6c6a209dbdc60b92c0361b1e331d2fd5968163b0bb32a56b2075d70b5c6c68fed7886d4661d866a634cb70da4144dcf2
SSDEEP: 3072:ZjbSZBZLDOAnav+tyPoESrTGpe3HZaBsfCf+NjXjMnN5J5c5f8:ZU+KyPolrTGA3HZssfCWNbWJC5f
Malware Config
Extracted: smokeloader
  version: 2022
  C2 URLs:
  - http://selebration17io.io/index.php
  - http://vacantion18ffeu.cc/index.php
  - http://valarioulinity1.net/index.php
  - http://buriatiarutuhuob.net/index.php
  - http://cassiosssionunu.me/index.php
  - http://sulugilioiu19.net/index.php
  - http://goodfooggooftool.net/index.php
  - http://kamsmad.com/tmp/index.php
  - http://souzhensil.ru/tmp/index.php
  - http://teplokub.com.ua/tmp/index.php
Extracted: smokeloader
  botnet: pub1
Extracted: lumma
  C2 URLs:
  - https://resergvearyinitiani.shop/api
  - https://technologyenterdo.shop/api
  - https://detectordiscusser.shop/api
  - https://turkeyunlikelyofw.shop/api
  - https://associationokeo.shop/api
Signatures
-
DcRat 5 IoCs
DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.
Treat this family label as low confidence: the five IoCs it matched are generic behaviours (an SCSI registry lookup, a Run value named CSRSS and three schtasks invocations) that other families also produce, and no DCRat configuration was extracted from this run, whereas the SmokeLoader and Lumma configs above and the Glupteba memory matches below are explicit.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 84b607224b08194b311683727ad11950.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" by 9E63.exe
- 4476 schtasks.exe
- 4116 schtasks.exe
- 4356 schtasks.exe
Glupteba payload 5 IoCs
Processes:
- behavioral2/memory/4108-197-0x0000000002DB0000-0x000000000369B000-memory.dmp family_glupteba
- behavioral2/memory/4108-205-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
- behavioral2/memory/4108-285-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
- behavioral2/memory/4108-320-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
- behavioral2/memory/4108-321-0x0000000002DB0000-0x000000000369B000-memory.dmp family_glupteba
(PID 4108 is the first 288c47bbc1871b439df19ff4df68f076.exe instance; the matches cover its image region at 0x400000 and a second region at 0x2DB0000.)
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
- 2820 netsh.exe
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation by 8D9.exe
Deletes itself 1 IoCs
Processes:
- 3352 (no image name recorded for this PID in the report)
Executes dropped EXE 20 IoCs
Processes:
- 1784 9E63.exe
- 3496 9E63.exe
- 4244 C0A1.exe
- 3616 C584.exe
- 1756 CBEE.exe
- 3004 CBEE.tmp
- 3184 cddvdidentifier.exe
- 2628 cddvdidentifier.exe
- 3228 8D9.exe
- 4108 288c47bbc1871b439df19ff4df68f076.exe
- 1688 InstallSetup4.exe
- 2340 FourthX.exe
- 3888 BroomSetup.exe
- 1464 nsu1D2A.tmp
- 4504 3A5A.exe
- 3340 288c47bbc1871b439df19ff4df68f076.exe
- 4660 csrss.exe
- 1704 vueqjgslwynd.exe
- 4104 injector.exe
- 2412 windefender.exe
Loads dropped DLL 9 IoCs
Processes:
- 3004 CBEE.tmp (3 DLL loads)
- 1688 InstallSetup4.exe (3 DLL loads)
- 2968 regsvr32.exe
- 1464 nsu1D2A.tmp (2 DLL loads)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file (yara rule upx) 14 IoCs
Processes:
- behavioral2/memory/3496-N-0x0000000000400000-0x0000000000848000-memory.dmp upx, for N in 17, 20, 21, 22, 23, 24, 65, 91, 114, 126, 183, 312 (12 dumps of the same 0x448000-byte region of PID 3496, the second 9E63.exe instance)
- C:\Windows\windefender.exe upx (2 entries)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" by 9E63.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" by 288c47bbc1871b439df19ff4df68f076.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" by csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from detection.
Processes:
- File opened for modification \??\WinMonFS by csrss.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification \??\PHYSICALDRIVE0 by C584.exe
Drops file in System32 directory 12 IoCs
Processes:
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\system32\MRT.exe by FourthX.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache by powershell.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive by powershell.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log by powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by windefender.exe
- File opened for modification C:\Windows\system32\MRT.exe by vueqjgslwynd.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
(The config\systemprofile entries are the profile cache and CLR usage-log files PowerShell writes whenever it runs under the SYSTEM account; the entries worth acting on are C:\Windows\system32\MRT.exe being opened for modification by FourthX.exe and by vueqjgslwynd.exe.)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1784 (9E63.exe) set thread context of 3496 (9E63.exe)
- PID 1704 (vueqjgslwynd.exe) set thread context of 4416 (conhost.exe)
- PID 1704 (vueqjgslwynd.exe) set thread context of 4524 (explorer.exe)
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
- File opened (read-only) \??\VBoxMiniRdrDN by 288c47bbc1871b439df19ff4df68f076.exe
Drops file in Windows directory 4 IoCs
Processes:
- File opened for modification C:\Windows\rss by 288c47bbc1871b439df19ff4df68f076.exe
- File created C:\Windows\rss\csrss.exe by 288c47bbc1871b439df19ff4df68f076.exe
- File created C:\Windows\windefender.exe by csrss.exe
- File opened for modification C:\Windows\windefender.exe by csrss.exe
Launches sc.exe 5 IoCs
sc.exe is the Windows utility used to control services on the system.
Processes:
- 3540 sc.exe
- 4008 sc.exe
- 1452 sc.exe
- 4060 sc.exe
- 2896 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
- 4468 WerFault.exe, crashed process 1896 powershell.exe
- 3636 WerFault.exe, crashed process 4108 288c47bbc1871b439df19ff4df68f076.exe
- 3520 WerFault.exe, crashed process 1464 nsu1D2A.tmp
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 84b607224b08194b311683727ad11950.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 84b607224b08194b311683727ad11950.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 84b607224b08194b311683727ad11950.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 3A5A.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 3A5A.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 3A5A.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by nsu1D2A.tmp
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by nsu1D2A.tmp
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- 4476 schtasks.exe
- 4116 schtasks.exe
- 4356 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
All entries sit under \REGISTRY\USER\.DEFAULT, the hive behind the LocalSystem profile, so both actors are running as SYSTEM here. The 288c47bbc1871b439df19ff4df68f076.exe entries are MuiCache strings populated when it resolves time-zone display names from tzres.dll; the powershell.exe entries are the certificate-store and Internet Settings keys PowerShell initialises on first use in a profile.
Processes:
288c47bbc1871b439df19ff4df68f076.exe, Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-<id> (36 entries):
- -2041 = "Eastern Daylight Time (Mexico)"
- -2632 = "Norfolk Standard Time"
- -1932 = "Russia TZ 11 Standard Time"
- -232 = "Hawaiian Standard Time"
- -181 = "Mountain Daylight Time (Mexico)"
- -3052 = "Qyzylorda Standard Time"
- -2751 = "Tomsk Daylight Time"
- -492 = "India Standard Time"
- -3141 = "South Sudan Daylight Time"
- -2611 = "Bougainville Daylight Time"
- -335 = "Jordan Standard Time"
- -1801 = "Line Islands Daylight Time"
- -412 = "E. Africa Standard Time"
- -1802 = "Line Islands Standard Time"
- -71 = "Newfoundland Daylight Time"
- -872 = "Pakistan Standard Time"
- -2451 = "Saint Pierre Daylight Time"
- -201 = "US Mountain Daylight Time"
- -12 = "Azores Standard Time"
- -2511 = "Lord Howe Daylight Time"
- -365 = "Middle East Standard Time"
- -2322 = "Sakhalin Standard Time"
- -691 = "Tasmania Daylight Time"
- -92 = "Pacific SA Standard Time"
- -2891 = "Sudan Daylight Time"
- -1722 = "Libya Standard Time"
- -912 = "Mauritius Standard Time"
- -1931 = "Russia TZ 11 Daylight Time"
- -401 = "Arabic Daylight Time"
- -3051 = "Qyzylorda Daylight Time"
- -131 = "US Eastern Daylight Time"
- -432 = "Iran Standard Time"
- -242 = "Samoa Standard Time"
- -2162 = "Altai Standard Time"
- -141 = "Canada Central Daylight Time"
- -2042 = "Eastern Standard Time (Mexico)"
powershell.exe (several instances), under \REGISTRY\USER\.DEFAULT\Software\ (28 entries):
- Key created Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created Microsoft\SystemCertificates\Disallowed\CTLs
- Key created Microsoft\SystemCertificates\CA\CRLs
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Key created Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created Microsoft\SystemCertificates\CA\Certificates (2 entries)
- Key created Microsoft\SystemCertificates\Root\CTLs
- Key created Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Microsoft\SystemCertificates\SmartCardRoot\CRLs (2 entries)
- Key created Microsoft\SystemCertificates\Root\Certificates
- Key created Microsoft\SystemCertificates\trust\CTLs
- Key created Policies\Microsoft\SystemCertificates\CA\CRLs (2 entries)
- Key created Microsoft\SystemCertificates\TrustedPeople\CTLs (2 entries)
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (2 entries)
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Microsoft\SystemCertificates\trust\Certificates
- Key created Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created Microsoft\SystemCertificates\Disallowed\CRLs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 4220 84b607224b08194b311683727ad11950.exe (2 entries)
- 3352 (62 entries; no image name recorded for this PID in the report)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- 4220 84b607224b08194b311683727ad11950.exe
- 4504 3A5A.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 3352 (no image name recorded): SeShutdownPrivilege and SeCreatePagefilePrivilege, adjusted alternately, 52 entries
- 1896 powershell.exe: SeDebugPrivilege
- 4108 288c47bbc1871b439df19ff4df68f076.exe: SeDebugPrivilege, SeImpersonatePrivilege
- 1636 powershell.exe: SeDebugPrivilege
- 2108 powershell.exe: SeDebugPrivilege
- 4964 powershell.exe: SeDebugPrivilege
- 4224 powershell.exe: SeDebugPrivilege
- 2412 powershell.exe: SeDebugPrivilege
- 3608 powershell.exe: SeDebugPrivilege
- 1556 powershell.exe: SeDebugPrivilege
- 4524 explorer.exe: SeLockMemoryPrivilege (this is the explorer.exe instance whose thread context vueqjgslwynd.exe set; see the SetThreadContext section)
- 4968 powershell.exe: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- 3004 CBEE.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- 3888 BroomSetup.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- 3352 (no image name recorded for this PID in the report)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Source PID (image) -> target PID (image); the report repeats a row once per write, so repeated rows are collapsed with a count. PID 3352, which the report never names, is the process that writes into and starts every dropped level-1 executable.
- 3352 (unnamed) -> 1784 9E63.exe (3)
- 1784 9E63.exe -> 3496 9E63.exe (8)
- 3352 (unnamed) -> 4244 C0A1.exe (3)
- 3352 (unnamed) -> 3616 C584.exe (3)
- 3352 (unnamed) -> 1756 CBEE.exe (3)
- 1756 CBEE.exe -> 3004 CBEE.tmp (3)
- 3004 CBEE.tmp -> 3184 cddvdidentifier.exe (3)
- 3004 CBEE.tmp -> 2628 cddvdidentifier.exe (3)
- 3352 (unnamed) -> 3228 8D9.exe (3)
- 3228 8D9.exe -> 4108 288c47bbc1871b439df19ff4df68f076.exe (3)
- 3228 8D9.exe -> 1688 InstallSetup4.exe (3)
- 3228 8D9.exe -> 2340 FourthX.exe (2)
- 1688 InstallSetup4.exe -> 3888 BroomSetup.exe (3)
- 1688 InstallSetup4.exe -> 1464 nsu1D2A.tmp (3)
- 3888 BroomSetup.exe -> 4988 cmd.exe (3)
- 4988 cmd.exe -> 1636 chcp.com (3)
- 4988 cmd.exe -> 4476 schtasks.exe (3)
- 4108 288c47bbc1871b439df19ff4df68f076.exe -> 1896 powershell.exe (3)
- 3352 (unnamed) -> 4504 3A5A.exe (3)
- 3352 (unnamed) -> 2100 regsvr32.exe (2)
- 2100 regsvr32.exe -> 2968 regsvr32.exe (1)
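The SetThreadContext and WriteProcessMemory tables above are easier to reason about once turned into edges. The following Python is an added example, not part of the sandbox report or its tooling: it parses records in the layout rendered on this page (an assumption about how the tables were flattened, not a documented export format), collapses the repeated rows, and separates three things the raw tables mix together: a parent writing into a same-image child and then resetting its thread context (the hollowing pattern seen for 9E63.exe), thread-context hijacks into a differently named process (vueqjgslwynd.exe into conhost.exe and explorer.exe), and the unnamed source PID 3352 from which the dropped executables were launched. The sample records are copied from the tables above; regsvr32.exe relaunching itself is included to show that a same-image write without a context reset is not flagged.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Record layout as rendered in this report (assumed from the tables above):
#   PID <src> wrote to memory of <dst> <src> [<src image>] <dst image>
#   PID <src> set thread context of <dst> <src> [<src image>] <dst image>
# The source image is absent when the sandbox never resolved a name for that
# PID (PID 3352 in this report), so the regex makes it optional.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src)(?: (?P<src_image>\S+))? (?P<dst_image>\S+)$"
)


@dataclass(frozen=True)
class Record:
    verb: str
    src: int
    dst: int
    src_image: Optional[str]  # None when the report recorded no image name
    dst_image: str


def parse_records(text: str):
    """Parse one record per line; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        records.append(Record(m["verb"], int(m["src"]), int(m["dst"]),
                              m["src_image"], m["dst_image"]))
    return records


def find_hollowing(records):
    """Hollowing pattern: the parent wrote into a child with the same image
    name AND reset that child's thread context. A same-image write alone
    (e.g. regsvr32 relaunching itself) does not qualify."""
    writes = {(r.src, r.dst) for r in records if r.verb == "wrote to memory of"}
    seen, hits = set(), []
    for r in records:
        if (r.verb == "set thread context of" and r.src_image == r.dst_image
                and (r.src, r.dst) in writes and (r.src, r.dst) not in seen):
            seen.add((r.src, r.dst))
            hits.append((r.src, r.dst, r.dst_image))
    return hits


def find_cross_image_injection(records):
    """Thread-context hijacks into a process with a different image name."""
    return [(r.src, r.dst, r.src_image, r.dst_image) for r in records
            if r.verb == "set thread context of"
            and r.src_image is not None and r.src_image != r.dst_image]


def unnamed_launchers(records):
    """Map each unnamed source PID to the image names it wrote into; this
    recovers the hub process that the process tree omits."""
    out = {}
    for r in records:
        if r.verb == "wrote to memory of" and r.src_image is None:
            out.setdefault(r.src, set()).add(r.dst_image)
    return out


# Constructed sample: rows copied from the report's SetThreadContext and
# WriteProcessMemory tables (most duplicate rows dropped, one kept on purpose).
SAMPLE = """
PID 1784 set thread context of 3496 1784 9E63.exe 9E63.exe
PID 1704 set thread context of 4416 1704 vueqjgslwynd.exe conhost.exe
PID 1704 set thread context of 4524 1704 vueqjgslwynd.exe explorer.exe
PID 3352 wrote to memory of 1784 3352 9E63.exe
PID 1784 wrote to memory of 3496 1784 9E63.exe 9E63.exe
PID 1784 wrote to memory of 3496 1784 9E63.exe 9E63.exe
PID 3352 wrote to memory of 4244 3352 C0A1.exe
PID 3352 wrote to memory of 3228 3352 8D9.exe
PID 3228 wrote to memory of 4108 3228 8D9.exe 288c47bbc1871b439df19ff4df68f076.exe
PID 2100 wrote to memory of 2968 2100 regsvr32.exe regsvr32.exe
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("hollowing:", find_hollowing(recs))
    print("cross-image injection:", find_cross_image_injection(recs))
    print("unnamed launchers:", unnamed_launchers(recs))
```

Feeding the full tables through the same functions gives the same three findings; the only extra information in the uncollapsed rows is the write count per pair, which is why the report tallies 64 IoCs for what is really 21 distinct edges.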
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation follows the report's level markers (1 = top of the tree). The dropped level-1 executables were written to and started by PID 3352, which the report never names (see the WriteProcessMemory section).

(1) C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe, PID 4220
    command line: "C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

(1) C:\Users\Admin\AppData\Local\Temp\9E63.exe, PID 1784
    command line: C:\Users\Admin\AppData\Local\Temp\9E63.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\9E63.exe, PID 3496
      command line: C:\Users\Admin\AppData\Local\Temp\9E63.exe
      - DcRat
      - Executes dropped EXE
      - Adds Run key to start application

(1) C:\Users\Admin\AppData\Local\Temp\C0A1.exe, PID 4244
    command line: C:\Users\Admin\AppData\Local\Temp\C0A1.exe
    - Executes dropped EXE

(1) C:\Users\Admin\AppData\Local\Temp\C584.exe, PID 3616
    command line: C:\Users\Admin\AppData\Local\Temp\C584.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)

(1) C:\Users\Admin\AppData\Local\Temp\CBEE.exe, PID 1756
    command line: C:\Users\Admin\AppData\Local\Temp\CBEE.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp, PID 3004
      command line: "C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp" /SL5="$E0058,2248936,56832,C:\Users\Admin\AppData\Local\Temp\CBEE.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    (3) C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe, PID 3184
        command line: "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
        - Executes dropped EXE
    (3) C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe, PID 2628
        command line: "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
        - Executes dropped EXE

(1) C:\Users\Admin\AppData\Local\Temp\8D9.exe, PID 3228
    command line: C:\Users\Admin\AppData\Local\Temp\8D9.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, PID 4108
      command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 1896
        command line: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
      (4) C:\Windows\SysWOW64\WerFault.exe, PID 4468
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2516
          - Program crash
    (3) C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, PID 3340
        command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
      (4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 1636
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
      (4) C:\Windows\system32\cmd.exe, PID 4076
          command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          (Sysnative is the WoW64 alias through which a 32-bit process reaches the 64-bit System32; the resolved image path confirms the redirection.)
        (5) C:\Windows\system32\netsh.exe, PID 2820
            command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
      (4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 2108
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
      (4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 4964
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
      (4) C:\Windows\rss\csrss.exe, PID 4660
          command line: C:\Windows\rss\csrss.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Manipulates WinMonFS driver
          - Drops file in Windows directory
        (5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 2412
            command line: powershell -nologo -noprofile
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\SYSTEM32\schtasks.exe, PID 4116
            command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:536
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:4104
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4356
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:4476
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:3540
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 7483⤵
- Program crash
PID:3636
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:1636
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4476
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmpC:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1464 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 24484⤵
- Program crash
PID:3520
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1196
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4968
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:1452
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:4060
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:2896
-
-
-
C:\Users\Admin\AppData\Local\Temp\3A5A.exeC:\Users\Admin\AppData\Local\Temp\3A5A.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 18961⤵PID:4264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 41081⤵PID:5048
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\516D.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\516D.dll2⤵
- Loads dropped DLL
PID:2968
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1464 -ip 14641⤵PID:4356
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1704 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:4416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4076
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3248
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:1568
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads