Analysis
max time kernel: 107s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-02-2024 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: 117a962cde2568514649b76a004190f1.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 117a962cde2568514649b76a004190f1.exe
  Resource: win10v2004-20240226-en
General
Target: 117a962cde2568514649b76a004190f1.exe
Size: 259KB
MD5: 117a962cde2568514649b76a004190f1
SHA1: e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA256: 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
SHA512: a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d
SSDEEP: 3072:15QiI6J/iVo/QgheGRdWfPy0R9gSMGFwLh4+giekZXfSg55xGT+yx:1gVo/Qgp+lR9g+OhlRR9qwxGT
Malware Config
Extracted: smokeloader
  pub1
Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php
Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .lkhy
  offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://habrafa.com/files/1/build3.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
Extracted: vidar
  8
  9b0f0dc6c2ca6ddeab1d498d4cdc7267
  https://t.me/neoschats
  https://steamcommunity.com/profiles/76561199644883218
  profile_id_v2: 9b0f0dc6c2ca6ddeab1d498d4cdc7267
  user_agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
Extracted: amadey
  4.17
  http://185.215.113.32
  install_dir: 00c07260dc
  install_file: explorgu.exe
  strings_key: 461809bd97c251ba0c0c8450c7055f1d
  url_paths: /yandex/index.php
Signatures
DcRat 4 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes: 117a962cde2568514649b76a004190f1.exe, 9EAF.exe, schtasks.exe, schtasks.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 117a962cde2568514649b76a004190f1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eac8bb84-4bc6-4e79-aa09-3d74104203c0\\9EAF.exe\" --AutoStart" | 9EAF.exe
pid | Process
2228 | schtasks.exe
2692 | schtasks.exe
Detect Vidar Stealer 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1364-164-0x0000000000290000-0x00000000002C4000-memory.dmp | family_vidar_v7
behavioral1/memory/1804-171-0x0000000000400000-0x0000000000647000-memory.dmp | family_vidar_v7
behavioral1/memory/1804-182-0x0000000000400000-0x0000000000647000-memory.dmp | family_vidar_v7
Detected Djvu ransomware 13 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2736-19-0x0000000002670000-0x000000000278B000-memory.dmp | family_djvu
behavioral1/memory/2580-24-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2580-27-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2580-28-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2580-49-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-78-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-79-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-140-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-141-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-145-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-147-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-148-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1852-166-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1432-379-0x0000000000400000-0x00000000026BE000-memory.dmp | family_glupteba
behavioral1/memory/1432-381-0x0000000004420000-0x0000000004D0B000-memory.dmp | family_glupteba
behavioral1/memory/1632-414-0x0000000000400000-0x00000000026BE000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
Processes: 1DC3.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DC3.exe = "0" | 1DC3.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: 684C.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 684C.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | Process
2416 | netsh.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 684C.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 684C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 684C.exe
Deletes itself 1 IoCs
Processes:
pid | Process
1200 |
Executes dropped EXE 16 IoCs
Processes: 9EAF.exe, 9EAF.exe, 9EAF.exe, 9EAF.exe, build2.exe, build2.exe, build3.exe, build3.exe, 492.exe, 1DC3.exe, 3CD8.exe, 1DC3.exe, mstsca.exe, atbwgij, 684C.exe, csrss.exe
pid | Process
2736 | 9EAF.exe
2580 | 9EAF.exe
2792 | 9EAF.exe
1852 | 9EAF.exe
1364 | build2.exe
1804 | build2.exe
2040 | build3.exe
564 | build3.exe
3068 | 492.exe
1432 | 1DC3.exe
700 | 3CD8.exe
1632 | 1DC3.exe
1084 | mstsca.exe
2144 | atbwgij
1568 | 684C.exe
1936 | csrss.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 684C.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | 684C.exe
Loads dropped DLL 21 IoCs
Processes: 9EAF.exe, 9EAF.exe, 9EAF.exe, 9EAF.exe, WerFault.exe, WerFault.exe, 1DC3.exe
pid | Process
2736 | 9EAF.exe
2580 | 9EAF.exe
2580 | 9EAF.exe
2792 | 9EAF.exe
1852 | 9EAF.exe
1852 | 9EAF.exe
1852 | 9EAF.exe
1852 | 9EAF.exe
2828 | WerFault.exe
2828 | WerFault.exe
2828 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
600 | WerFault.exe
1200 |
1632 | 1DC3.exe
1632 | 1DC3.exe
Modifies file permissions 1 TTPs 1 IoCs
Processes: 1DC3.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DC3.exe = "0" | 1DC3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 1DC3.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9EAF.exe, 1DC3.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eac8bb84-4bc6-4e79-aa09-3d74104203c0\\9EAF.exe\" --AutoStart" | 9EAF.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 1DC3.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
27 | api.2ip.ua
28 | api.2ip.ua
48 | api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: 684C.exe
pid | Process
1568 | 684C.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: 9EAF.exe, 9EAF.exe, build2.exe, build3.exe
description | pid | Process | procid_target
PID 2736 set thread context of 2580 | 2736 | 9EAF.exe | 29
PID 2792 set thread context of 1852 | 2792 | 9EAF.exe | 33
PID 1364 set thread context of 1804 | 1364 | build2.exe | 36
PID 2040 set thread context of 564 | 2040 | build3.exe | 40
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 1DC3.exe
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 1DC3.exe
Drops file in Windows directory 4 IoCs
Processes: 1DC3.exe, 684C.exe, makecab.exe
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | 1DC3.exe
File created | C:\Windows\Tasks\explorgu.job | 684C.exe
File created | C:\Windows\Logs\CBS\CbsPersist_20240229095948.cab | makecab.exe
File opened for modification | C:\Windows\rss | 1DC3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | Process | procid_target
2828 | 3068 | WerFault.exe | 44
600 | 1804 | WerFault.exe | 36
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 117a962cde2568514649b76a004190f1.exe, atbwgij
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 117a962cde2568514649b76a004190f1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 117a962cde2568514649b76a004190f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | atbwgij
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | atbwgij
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | atbwgij
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 117a962cde2568514649b76a004190f1.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | Process
2228 | schtasks.exe
2692 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
1DC3.exenetsh.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. 
Central Asia Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. 
Australia Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard 
Time (Mexico)" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. 
Australia Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = 
"Arabian Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local 
Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 1DC3.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" 1DC3.exe -
Processes:
build2.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665
d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 build2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 117a962cde2568514649b76a004190f1.exe
pid | Process
2220 | 117a962cde2568514649b76a004190f1.exe
2220 | 117a962cde2568514649b76a004190f1.exe
1200 | (62 entries; no process name recorded)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 117a962cde2568514649b76a004190f1.exe, atbwgij
pid | Process
2220 | 117a962cde2568514649b76a004190f1.exe
2144 | atbwgij
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 1DC3.exe
description | pid | Process
Token: SeShutdownPrivilege | 1200 |
Token: SeShutdownPrivilege | 1200 |
Token: SeDebugPrivilege | 1432 | 1DC3.exe
Token: SeImpersonatePrivilege | 1432 | 1DC3.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 684C.exe
pid | Process
1568 | 684C.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9EAF.exe9EAF.exe9EAF.exe9EAF.exebuild2.exebuild3.exebuild3.exedescription pid Process procid_target PID 1200 wrote to memory of 2736 1200 28 PID 1200 wrote to memory of 2736 1200 28 PID 1200 wrote to memory of 2736 1200 28 PID 1200 wrote to memory of 2736 1200 28 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2736 wrote to memory of 2580 2736 9EAF.exe 29 PID 2580 wrote to memory of 1624 2580 9EAF.exe 31 PID 2580 wrote to memory of 1624 2580 9EAF.exe 31 PID 2580 wrote to memory of 1624 2580 9EAF.exe 31 PID 2580 wrote to memory of 1624 2580 9EAF.exe 31 PID 2580 wrote to memory of 2792 2580 9EAF.exe 32 PID 2580 wrote to memory of 2792 2580 9EAF.exe 32 PID 2580 wrote to memory of 2792 2580 9EAF.exe 32 PID 2580 wrote to memory of 2792 2580 9EAF.exe 32 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 2792 wrote to memory of 1852 2792 9EAF.exe 33 PID 1852 wrote to memory of 1364 1852 9EAF.exe 34 PID 1852 wrote to memory of 1364 1852 9EAF.exe 34 PID 1852 wrote to memory of 1364 1852 9EAF.exe 34 PID 1852 wrote to memory of 1364 1852 9EAF.exe 34 PID 1364 wrote to memory of 1804 
1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1364 wrote to memory of 1804 1364 build2.exe 36 PID 1852 wrote to memory of 2040 1852 9EAF.exe 37 PID 1852 wrote to memory of 2040 1852 9EAF.exe 37 PID 1852 wrote to memory of 2040 1852 9EAF.exe 37 PID 1852 wrote to memory of 2040 1852 9EAF.exe 37 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 2040 wrote to memory of 564 2040 build3.exe 40 PID 564 wrote to memory of 2228 564 build3.exe 41
Processes

- C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe
  "C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe"
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\9EAF.exe
  C:\Users\Admin\AppData\Local\Temp\9EAF.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2736
  - C:\Users\Admin\AppData\Local\Temp\9EAF.ex
    C:\Users\Admin\AppData\Local\Temp\9EAF.exe
    - DcRat
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2580
    - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\eac8bb84-4bc6-4e79-aa09-3d74104203c0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID:1624
    - C:\Users\Admin\AppData\Local\Temp\9EAF.exe
      "C:\Users\Admin\AppData\Local\Temp\9EAF.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:2792
      - C:\Users\Admin\AppData\Local\Temp\9EAF.exe
        "C:\Users\Admin\AppData\Local\Temp\9EAF.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1852
        - C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe
          "C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:1364
          - C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe
            "C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID:1804
            - C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1436
              - Loads dropped DLL
              - Program crash
              PID:600
        - C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
          "C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:2040
          - C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
            "C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID:564
            - C:\Windows\SysWOW64\schtasks.exe
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - DcRat
              - Creates scheduled task(s)
              PID:2228
- C:\Users\Admin\AppData\Local\Temp\492.exe
  C:\Users\Admin\AppData\Local\Temp\492.exe
  - Executes dropped EXE
  PID:3068
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 124
    - Loads dropped DLL
    - Program crash
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1304.bat" "
  PID:2504
  - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID:760
- C:\Users\Admin\AppData\Local\Temp\1DC3.exe
  C:\Users\Admin\AppData\Local\Temp\1DC3.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
  - C:\Users\Admin\AppData\Local\Temp\1DC3.exe
    "C:\Users\Admin\AppData\Local\Temp\1DC3.exe"
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1632
    - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      PID:2936
      - C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        - Modifies data under HKEY_USERS
        PID:2416
    - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      PID:1936
      - C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - DcRat
        - Creates scheduled task(s)
        PID:2692
      - C:\Windows\system32\schtasks.exe
        schtasks /delete /tn ScheduledUpdate /f
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        PID:1272
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240229095948.log C:\Windows\Logs\CBS\CbsPersist_20240229095948.cab
  - Drops file in Windows directory
  PID:880
- C:\Users\Admin\AppData\Local\Temp\3CD8.exe
  C:\Users\Admin\AppData\Local\Temp\3CD8.exe
  - Executes dropped EXE
  PID:700
- C:\Windows\system32\taskeng.exe
  taskeng.exe {C27D1A91-7763-4A41-B821-6DE1C680802C} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  PID:2040
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:1084
  - C:\Users\Admin\AppData\Roaming\atbwgij
    C:\Users\Admin\AppData\Roaming\atbwgij
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\684C.exe
  C:\Users\Admin\AppData\Local\Temp\684C.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:1568
- C:\Windows\explorer.exe
  explorer.exe
  PID:2660
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x1c4
  PID:632
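The tree above carries the command lines a triage rule would key on (the icacls deny on a directory the sample created under AppData, the every-minute scheduled task pointing into AppData\Roaming, the netsh allow rule for a csrss.exe living in C:\Windows\rss, and each dropper spawning a copy of its own image next to SetThreadContext and WriteProcessMemory). It also shows why parent/child links must not be rebuilt from the PID alone: PID 2040 is build3.exe under 9EAF.exe and later taskeng.exe, and PID 2504 is the cmd.exe running 1304.bat and later a schtasks /delete under csrss.exe. The following Python is an added example by the editor, not code from the sandbox report or from any vendor tool. Its records are constructed from the command lines shown above, and the rule names, thresholds and the icacls abbreviation tables are assumptions of the example.

```python
"""Editor-added triage example for the process tree above; not part of the sandbox report or
any vendor tool. Records are built from the command lines shown; rules and tables are assumptions."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")  # ppid is None for a root of the tree

B3 = r"C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
# Constructed from the tree above, in creation order. PIDs 2040 and 2504 occur twice:
# Windows recycled them after their first holder exited.
PROCS = [
    Proc(1624, 2580, r"C:\Windows\SysWOW64\icacls.exe",
         r'icacls "C:\Users\Admin\AppData\Local\eac8bb84-4bc6-4e79-aa09-3d74104203c0" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Proc(2040, 1852, B3, f'"{B3}"'),
    Proc(564, 2040, B3, f'"{B3}"'),
    Proc(2228, 564, r"C:\Windows\SysWOW64\schtasks.exe",
         f'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "{MSTSCA}"'),
    Proc(2504, None, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1304.bat" "'),
    Proc(2416, 2936, r"C:\Windows\system32\netsh.exe",
         r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    Proc(1936, 1632, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    Proc(2692, 1936, r"C:\Windows\system32\schtasks.exe",
         r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    Proc(2504, 1936, r"C:\Windows\system32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    Proc(2040, None, r"C:\Windows\system32\taskeng.exe", r"taskeng.exe {C27D1A91-7763-4A41-B821-6DE1C680802C}"),
    Proc(1084, 2040, MSTSCA, MSTSCA),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\sys(tem32|wow64)\\", re.I)
OS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe"}
RIGHTS = {"DE": "delete", "DC": "delete child", "F": "full control", "M": "modify"}  # icacls abbreviations
INHERIT = {"OI": "files", "CI": "subfolders"}

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def arg_after(cmd, key):
    """Value that follows `key` (e.g. /tr or program=), quoted or bare."""
    k = re.escape(key)
    m = re.search(k + r'\s*"([^"]*)"|' + k + r"\s*(\S+)", cmd, re.I)
    return (m.group(1) or m.group(2)) if m else ""

def decode_icacls_spec(spec):
    """'*S-1-1-0:(OI)(CI)(DE,DC)' -> who, which rights, and what inherits them."""
    sid, _, flags = spec.lstrip("*").partition(":")
    groups = re.findall(r"\(([^)]*)\)", flags)
    inherit = [INHERIT[g] for g in groups if g in INHERIT]
    rights = [RIGHTS.get(r, r) for g in groups if g not in INHERIT for r in g.split(",")]
    who = " (Everyone)" if sid == "S-1-1-0" else ""
    return f"{sid}{who}: {', '.join(rights)}; inherits to {', '.join(inherit)}"

def rule_icacls_deny(p, parent):
    m = re.search(r"/deny\s+(\*S-1-1-0\S*)", p.cmdline, re.I)
    if base(p.image) == "icacls.exe" and m and USER_WRITABLE.search(arg_after(p.cmdline, "icacls")):
        return "deny ACE for Everyone on a directory under AppData: " + decode_icacls_spec(m.group(1))
    return None

def rule_self_spawn(p, parent):
    same = parent is not None and parent.image.lower() == p.image.lower()
    return "child is a copy of its parent image (hollowing pattern next to SetThreadContext/WriteProcessMemory)" if same else None

def rule_scheduled_task(p, parent):
    c = p.cmdline.lower()
    if base(p.image) != "schtasks.exe" or "/create" not in c:
        return None
    target = arg_after(p.cmdline, "/tr")
    checks = [
        (re.search(r"/sc\s+minute\s+/mo\s+1\b", c), "fires every minute"),
        (USER_WRITABLE.search(target), "target under user-writable AppData"),
        ("/rl highest" in c, "asks for highest run level"),
        (base(target) in OS_NAMES and not SYSTEM_DIR.match(target), f"target named {base(target)} outside System32"),
    ]
    return "; ".join(text for hit, text in checks if hit) or None

def rule_firewall_allow(p, parent):
    prog = arg_after(p.cmdline, "program=")
    if base(p.image) == "netsh.exe" and "action=allow" in p.cmdline.lower() and prog and not SYSTEM_DIR.match(prog):
        return f"inbound allow rule for non-standard binary {prog}"
    return None

RULES = [rule_icacls_deny, rule_self_spawn, rule_scheduled_task, rule_firewall_allow]

def parent_of(procs, i):
    """Latest earlier record holding the child's PPID, so a recycled PID resolves correctly."""
    return next((q for q in reversed(procs[:i]) if q.pid == procs[i].ppid), None)

def triage(procs):
    """(pid, rule, reason) for every rule that fires, in creation order."""
    return [(p.pid, r.__name__, why) for i, p in enumerate(procs)
            for r in RULES if (why := r(p, parent_of(procs, i)))]

def reused_pids(procs):
    """PIDs seen with more than one image name: never chain on PID alone."""
    seen = {}
    for p in procs:
        seen.setdefault(p.pid, set()).add(base(p.image))
    return {pid: sorted(v) for pid, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(*triage(PROCS), reused_pids(PROCS), sep="\n")
```

`triage(PROCS)` fires on the icacls deny, on build3.exe spawning build3.exe, on both schtasks /create calls and on the netsh allow rule; `reused_pids(PROCS)` reports 2040 and 2504. `parent_of` walks the records backwards from the child, so the mstsca.exe launched under the second PID 2040 resolves to taskeng.exe rather than to the earlier build3.exe. Real telemetry (Sysmon event 1, ETW) carries a process GUID or start time for this; on a flat PID list the ordering is the only disambiguator.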
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: a2002b54d5fe6c2ebe31fa91b13f7360
  SHA1: 998cdb8ce80164cd94f3054e26dd2ef046ea5114
  SHA256: 5369bd1618a4c6d3f7d054d53c79b2c55d16ce29417a693cd85da2a7bb75a884
  SHA512: 5cadf8c6fd1a10fd19df7eb40548390a52a4bf980202ad19fa2605978572e2a0dbac148e83a7224f218e4fd9b74da453d68a6531dc43aea82efe17446caefeb3
- Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 99cf43afc01623efa3b9781714b546c5
  SHA1: 5be0a653c318b5f7d35f3783086e3c685d895f2a
  SHA256: b6b539a56e82bc78fd4145eeece7122e0f106552960627a1f11dd04838a75729
  SHA512: ad349279b52e5df07bad1ae1c2285af87bbdafd05dcde5648d55082719057f184b237a8adad37d20734eb26f0e0e0a19c48252ff54b7c1245b8b33ed2cd40236
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d5594999b3e7839c4d3ff505e244c61a
  SHA1: 6cebd58546c0c33cbdda73182f40b1d72b7d2fa2
  SHA256: ba7cca389363e38131c3a86978d96c05c4de4c8e1554a0960436e7b31ca68797
  SHA512: a3079a8d4610139134f08cecf984c6e091a3f4a52649992f9c1e3d25fcdaa35f059020315fc020d4de88b773c52852ff5a23e5f7307bf904d4b8061825ab839a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a5dc1ca8f3e5cac876e38cbbfcf9a06e
  SHA1: b00e65820cb59ae3b864b519a1323195a8420b26
  SHA256: 381c86e84e68c02ff2166159a31b6b7f7e92a184888faa851702dc9da06c14d6
  SHA512: 30e1e42f36fb65e4b2502c9cc387920c56fbd084d1866d301aa577f0d05f7d2ea5aa3846c79e797749639f182b80a47e71ac5eec77f3df5d39e8c1d5a25bd01a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9b4f8c00e95799dd26668a8166529946
  SHA1: 38645ede20a5dd3a68fe4c971de2918162c14499
  SHA256: 66d3b911ddbf05cc6e1f7ee8e30650cf9d89c9531459ca79561fc158f152dd01
  SHA512: 7597f67ab686110be6861b3e026b3a24eeefb50f4feb998ff180f2d334332f70e32e58ac090681289da0f556a71cc04feeca7de8983fd6cc093edb6faa317ef0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b1b85a1df51617f1227522fb20ae3195
  SHA1: d9214c842d07a7a1d7d3c8f04861553be9320b4b
  SHA256: d7051a322d4dcb0bb032d40a7def1d99b44048516cd0be000bfd3cdbfacf4512
  SHA512: 48946e65df57c3cf069f16d369777563b6805d6b5b53ecdb6749f1052e38bf9fb34c5bbbbb9160c991f5c4447222dfb0d6907e5c3313145ca5968c9b319af782
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a712d1e7b208ec75790f7ae0e9973160
  SHA1: bb63cfaf00bda9e3a9865861062d134923e5445a
  SHA256: 95edd9c3e7af744bdf492d1f585a0f10664de1ac74a067397c18b460265367fa
  SHA512: 81adf7e91c7e5b84ec4e03052e1bc77d069a81985938a29b0ddc4e7f097f5aeb27739cdc8063f176a8f306ad758348c0bda6ea630492cb661c6592874a99e709
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6fc5d0241a33361f89c615734aa219d3
  SHA1: a40df413e88183262124d9b0d925b0a416418330
  SHA256: 90021b58da6b5da26809bdfd0dd5a1f1b6293a893ec4cab97533fd9dd51d6a92
  SHA512: fb2b09b3803d3df940d5c1f941ec228365932fbf8f4c421f3679fc74bbc99dd4fc7238f22936853dc2734b69ccc8134b7a461814c1f93ab70a2e1b339a2acb3b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: cdd77ae5325d76e21f7e1fe60544f2fb
  SHA1: fd646a12028c541897927848c33c86e752064581
  SHA256: 7cea23441f2fbd2e03e8f16a1b0a2b243964b806e3cd03683e0e92c2b49d9928
  SHA512: 1e486f631dfdde7b3dc0ede43c9cc1ea3c1993d68a45ab0a4b8ead0d6d79170fcb4171a95f16c5836da715b5375a239fa0bfd1be5e033c113145415007ecc727
- Filesize: 125KB
  MD5: 2b55c7eb9fb5007d1a71f7ad68dd32f3
  SHA1: 54b39a6b98926b011853ce183fc939516abf68bf
  SHA256: 2ede657c7fb4c831453285d260339393a10a345101b37dda28858ededc5671ee
  SHA512: 6199184f279977c184cf82483bc85e9de9c8c3cb35a95828529b715150928d05e1741d89d7fd043c0ec1941647af456cf658eb65fe3aafc58d19e81205dba541
- Filesize: 299KB
  MD5: 41b883a061c95e9b9cb17d4ca50de770
  SHA1: 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
  SHA256: fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
  SHA512: cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
- Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
- Filesize: 2.0MB
  MD5: 705ebd77c44dead41c4ebaadcd2bf2e3
  SHA1: 07fc952dca37ad1797aa693294fab87cfc918bac
  SHA256: 749f93f653efb9f13f49857b4a79871e99e534795f264ef7633cd6312bd78141
  SHA512: ed93b8f1238c83e12e422a0497df01c0e27c872278bec278759b16fb56b49f1f3ef03704adc3949bb647938d984bb5ada38625c095cd7bfdfabde8c73241724b
- Filesize: 1.2MB
  MD5: 5cd729a81f8df732af6b2c09fd916f97
  SHA1: 3d3414d23871b631d86a333cf96c32b5b9ecc8b3
  SHA256: 23186a89509523382778522137057e76a4bb70d280e112b87bbcca198002fc51
  SHA512: df67cf0a507774938e64d73286ed1071f5c79b0f02c22e9e0aa9322836b2aa5443321766143df7556710f1109a7ded9d7b80e4e8f74994f4b6eefa685db508b1
- Filesize: 4.1MB
  MD5: 5c829441a341d8eed9d445081e889d52
  SHA1: c281d3934466c592eca5f712b18f3e83fabcbbf6
  SHA256: 934b7cbd70c39bcdfaba46448139c74b5343e9663efc2c9f2dfb16893eca24f5
  SHA512: ae061c786c0ba9e451c620dfcf30bf9fea566c722dca458dc24b1a686d60ae40900941b512ae92e407f7a33e64c6348bf9b2404b7a8c4964a5395bfb37c36d45
- Filesize: 256KB
  MD5: e8b6adc564f16b5296dd0381cdacdd00
  SHA1: 2c422a97782ffbc01fa854615279ee5a86b954fd
  SHA256: fbb0c4aca1a1e4379dbc39a7fc02f6d2f742938865a95dac4a363974523eee22
  SHA512: 9a2bd41a64d1fa95939fe5f5267561cbd66676ebb14d405e14307a668a34fa1a1a5c49b0aaf40023456578f1b26ddd995124ebd391225933bc7a90bbb834ab6a
- Filesize: 3.5MB
  MD5: 667806f6f5a82c03b1b24395847c4fb9
  SHA1: 8f5a65f02cd7bf6f1f243fa755ba4d0277189242
  SHA256: 6da7593d439e67e3847cea55c7f53fa090616994fc62f2189b8bb024b0694ca7
  SHA512: 69f4438de8073d0934ae101fe3478f1700d82ee0e18ae00743fbaabecab74b161005a9a9a0ac6caa6f8c94fd3be9e33b77dc85bd61b80f83bfcc83e9897bf80f
- Filesize: 5.5MB
  MD5: d689d942a645a468007b85fdf9413de9
  SHA1: c94e0a7ff515c05a73048f3c6d2dd0c95071c4b6
  SHA256: 82177bd7ae6c995aa53d63d21e5c53883af16f3b84832d5557fe3dfce3cf58cd
  SHA512: 525184773ae2e1642e05bee15b58457a995a3225f417a8b26580d306bd292ab880d9768187b6e5c144bf9d4eb3f95f2a2b82f7402eb11b3239740f5412f7608c
- Filesize: 5.1MB
  MD5: a31c4d9ca7b9b490af9a2cb5e46fea5e
  SHA1: be44090ac837f880229c28b0628225600d3cb70f
  SHA256: 1bce914bf6be2103d06d72c9b0668e9e604db11a6cd5df6c1bad41b743d8f23d
  SHA512: 63609aacd1812c5d8d9135fa8cdd7d26289a0b6ecaa7e405c4d7dab4e901fb5b6f7b9a1b5d3e275d7466a13e9df14d90c6d934c11baed895749ea712393655fc
- Filesize: 1.8MB
  MD5: bba0531fe3059f01c86aac9293b32aeb
  SHA1: 59442b3a3550acac19829378e5630262e929c3e8
  SHA256: ccd9f047538afd0c8e7b7ecdeb83c2cfbdffea220c45019f3600b268e7371b69
  SHA512: c62bc4bca11fdbac0237232c7cc96b72328968fd75c520ae2a789595d7692f0464faf151308c125534c61facbd225547120000eea380cf9aaaa17e3d9eb9b730
- Filesize: 832KB
  MD5: 97171292fd1f59b0fa5b3ea5be92a2ae
  SHA1: 28b239a979e602ec968fd5fce7aac82a01c37308
  SHA256: c406edd320595812e56cb3dcff082f9adeed60bcb21432b8dc09494bd6999dcd
  SHA512: 0422d1fd59635ff1eb0d0f43aae20bc9944c4ec0f2dad00f2ed196dcc90d0030d1b8ffa1cd7903218da519b77598e6467e8a30753f075a1b3bb6f16041df9b2e
- Filesize: 700KB
  MD5: ac282e0c3008238e949df7acf56bd7e7
  SHA1: 3f27bf2d71cb268636064ae950a2f14ea2df3433
  SHA256: 4f0fea97eaf9353a2ce670fa8f46a72d3937edf86a090941b2d15487b43254bf
  SHA512: 93609e746c9a806ab5fddf50c7df44d00d069ce585e0105d305d83848735db1d905c5b38ca3d273e33a3585a4e5a61a0e38def517fd67b8209bea6406e05bc01
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
- Filesize: 5.3MB
  MD5: 1afff8d5352aecef2ecd47ffa02d7f7d
  SHA1: 8b115b84efdb3a1b87f750d35822b2609e665bef
  SHA256: c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
  SHA512: e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
- Filesize: 259KB
  MD5: 117a962cde2568514649b76a004190f1
  SHA1: e92ab6267e005eb78bac3c13b9de881b726bc7f2
  SHA256: 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
  SHA512: a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d
- Filesize: 64KB
  MD5: 9d644d8a8bba44410a771ed01ea0faf3
  SHA1: ab3da8560deeeffbb47adc26b35b3844943f6dc0
  SHA256: ab905fe3625b31b46eac60cd0b26f1a5c16ac7231746a445245164320e3b1545
  SHA512: e5264404843792ca53e8dd99513eaaec4884fdacb664ff6c7b254a67e2afcceeb65329f1ec1860d62acdb09f20496f888a8b996dee8333bd78292d16bcd966fa
- Filesize: 1.1MB
  MD5: 946845d21eaefa58a757859e7f4b9d58
  SHA1: 489a4a78b8c58ee37f8ee6959665b203a283e5c3
  SHA256: 8ac4235d2f161d6770ee354a8b00ba0de571ceff168042467f025e9b50b05616
  SHA512: 711d784c1c41b65de2baaaa0138c14c4fbaa7eaf94be8385201529d3bda05d01c23156739832ccea21ee8152527a9932a7013174e89ab745c0c1be478ae0f704
- Filesize: 960KB
  MD5: 5266071c933122f9c408e160ef434196
  SHA1: 44d7e5e29ee21132a7db908e756a43a685df4e08
  SHA256: 0f7e3454607dfb099f2c6b238d0d95d5c2208515c9c563d71d345507bca9201e
  SHA512: ec098f12c18a3442e7e276cbaf0552f2e752b6935981e47b5227a8b895352357fb49ae1fa2ebd232d092a6afa5126455336574ece0761045ea72717a9553af5c
- Filesize: 232KB
  MD5: 0aeafe1b6afa524ffe3dd410c6dc1c69
  SHA1: 3a77fc97517c528d3b325f30b9b75cb32b5dd71f
  SHA256: b336240bcc57cbfb7de07464a0804ad8a229cf85654286c6c1ffa477f7cc3136
  SHA512: d7a2444b9f7d1b410c5a14d8f6de74bb739b595152a9df5936f992722e2abcc26b312b00a79eee93b19a3e6a3266b89fa7df33ba07dfb04ec95ce1c080f63f1f
- Filesize: 95KB
  MD5: 8911b8fbcd0fd3905034a6e675f1df13
  SHA1: afb96215b9f41a6ee996e4e34cbe5dba13dac587
  SHA256: 65b359f6ebb341d435219b8eb76b50ae1cf08a3d6396f42b5dca4bc617d0ebef
  SHA512: 58b0c6b723458f38f8d760f03bba93b746dd85f08590c427fb0e46bef6140b4ea5e696cd598ba21995514f6b0901ed14733a26abe04cb3efb051e97e0bd66608
- Filesize: 10.4MB
  MD5: 21a466eb1827ebda177690e7a2abb02f
  SHA1: 193f97e2e014ee0e1cc299a9414033fe07938efa
  SHA256: b28cb126a6c06709c383dbe8a8d1358671131cab5c94b1f65490bd6c64115317
  SHA512: ff4683d9148ee1c360e906c74e28f0f35fc545fb6976ad45c9a9b848214b2c8a7bff4581418dbb1264d31bb62af301b280c8715c7378c2823c49d5a86c75a2f3
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- Filesize: 1.7MB
  MD5: 13aaafe14eb60d6a718230e82c671d57
  SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
  SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
  SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
- Filesize: 1.5MB
  MD5: f0616fa8bc54ece07e3107057f74e4db
  SHA1: b33995c4f9a004b7d806c4bb36040ee844781fca
  SHA256: 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
  SHA512: 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
- Filesize: 1.6MB
  MD5: 6579312b2970bfd3b6059852ae2716c1
  SHA1: c86b2d66a44dc5d1c2e5d8eb6c082cb458ace916
  SHA256: 96e14d6a37c3b6ac5418737e2b91e087908eab76817a41917161bfc38434c5d8
  SHA512: db6854116859ea6c80a49574b3208b982e6db48aa376092893cdb124ba03d07967af50c98849ef3fdedbada02b5140b208a0fe17314e0d64838f3b13cdd45f7a
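The list above is what ends up pasted into a blocklist, and it carries two traps: the same CryptnetUrlCache\MetaData path appears six times with different hashes, so the hash and not the path is the key, and the export runs label and value together on some lines ("Filesize1KB", "MD5a200...") while splitting them across two lines on others, so a careless copy can shorten a hash. The following Python is an added example by the editor, not code from the sandbox report or from any vendor tool. Its excerpt is constructed from three entries above in the form the export renders them; the third entry's SHA256 is deliberately cut short by two characters to show the validation step, and the function names are this example's own.

```python
"""Editor-added example: turn the dropped-file list above into a validated IOC index.
Not part of the report or any vendor tool; the excerpt is constructed from entries shown above."""
import hashlib
import re

# Constructed excerpt in the form the export renders: label and value fused on some
# lines, split across two lines on others. The third SHA256 is truncated on purpose.
EXCERPT = r"""
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5a2002b54d5fe6c2ebe31fa91b13f7360
SHA1998cdb8ce80164cd94f3054e26dd2ef046ea5114
SHA2565369bd1618a4c6d3f7d054d53c79b2c55d16ce29417a693cd85da2a7bb75a884
SHA5125cadf8c6fd1a10fd19df7eb40548390a52a4bf980202ad19fa2605978572e2a0dbac148e83a7224f218e4fd9b74da453d68a6531dc43aea82efe17446caefeb3
-
Filesize
259KB
MD5117a962cde2568514649b76a004190f1
SHA1e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA2568dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
SHA512a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d
-
Filesize
64KB
MD59d644d8a8bba44410a771ed01ea0faf3
SHA1ab3da8560deeeffbb47adc26b35b3844943f6dc0
SHA256ab905fe3625b31b46eac60cd0b26f1a5c16ac7231746a445245164320e3b15
SHA512e5264404843792ca53e8dd99513eaaec4884fdacb664ff6c7b254a67e2afcceeb65329f1ec1860d62acdb09f20496f888a8b996dee8333bd78292d16bcd966fa
"""

# Longest labels first so "SHA512..." is not read as "SHA1" + "512...".
FIELD = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*:?\s*(.*)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

def parse_dropped(text):
    """Entries as dicts: path (None when the export omitted it), Filesize, MD5, SHA1, SHA256, SHA512."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-" or line.startswith("- "):   # a bullet opens a new entry
            cur, pending = {"path": None}, None
            entries.append(cur)
            line = line[1:].strip()
        if cur is None or not line:
            continue
        if pending:                                  # value that followed its label on the next line
            cur[pending], pending = line, None
        elif (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2) or None
            pending = None if m.group(2) else m.group(1)
        elif re.match(r"^[A-Za-z]:\\", line):
            cur["path"] = line
    return entries

def bad_hashes(entry):
    """Algorithms whose value is missing, mis-sized or not hex, i.e. damaged in transcription."""
    return [alg for alg, n in HASH_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", (entry.get(alg) or "").lower())]

def ioc_index(entries):
    """SHA-256 -> entry for every entry whose hashes all validate; damaged ones are left out."""
    return {e["SHA256"].lower(): e for e in entries if not bad_hashes(e)}

def lookup(index, data):
    """Hash a blob of bytes and return the matching entry, or None."""
    return index.get(hashlib.sha256(data).hexdigest())

if __name__ == "__main__":
    parsed = parse_dropped(EXCERPT)
    for e in parsed:
        print(e.get("SHA256"), e["path"], bad_hashes(e) or "ok")
    print(len(ioc_index(parsed)), "entries indexed")
```

`parse_dropped` accepts both the fused and the split label forms, so the same function reads the export whether or not it has been tidied. `bad_hashes` is the check worth keeping even when the index is built by hand: a hash that is two characters short never matches anything and fails silently, which is worse than no indicator at all.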