Analysis
-
max time kernel
294s -
max time network
287s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/03/2024, 22:30
Static task
static1
Behavioral task
behavioral1
Sample
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
Resource
win7-20240221-en
General
-
Target
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
-
Size
424KB
-
MD5
7660d1df7575e664c8f11be23a924bba
-
SHA1
22a6592b490e2ef908f7ecacb7cad34256bdd216
-
SHA256
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
-
SHA512
77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e
-
SSDEEP
12288:ryWjrJS5FchtDO/V4Cqi0RlYZTRjzg2AYU:ryoJ8KhtDgVfJLTRjs2AYU
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral1/memory/1640-763-0x0000000000830000-0x0000000004128000-memory.dmp family_zgrat_v1 behavioral1/memory/1640-769-0x000000001EF70000-0x000000001F080000-memory.dmp family_zgrat_v1 behavioral1/memory/1640-773-0x0000000005AB0000-0x0000000005AD4000-memory.dmp family_zgrat_v1 -
Glupteba payload 23 IoCs
resource yara_rule behavioral1/memory/2060-524-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1492-525-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2060-526-0x0000000002BC0000-0x00000000034AB000-memory.dmp family_glupteba behavioral1/memory/2308-542-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2308-551-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2312-548-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1492-545-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2256-555-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2060-557-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1692-561-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1692-588-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2256-592-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/2312-590-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-593-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-728-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-747-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-812-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-837-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-844-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-852-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-869-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-870-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba behavioral1/memory/1600-886-0x0000000000400000-0x0000000000ECD000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\o0ux229IUgMZfOZnJsn4PXgg.exe = "0" o0ux229IUgMZfOZnJsn4PXgg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AKPqkG1XdFQPyrpprX0gnGsC.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rDqQVjdJtztifq3NkTSYjW43.exe = "0" rDqQVjdJtztifq3NkTSYjW43.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 1008 bcdedit.exe 2292 bcdedit.exe 2724 bcdedit.exe 2908 bcdedit.exe 1644 bcdedit.exe 488 bcdedit.exe 2372 bcdedit.exe 1932 bcdedit.exe 1520 bcdedit.exe 1632 bcdedit.exe 1672 bcdedit.exe 1944 bcdedit.exe 2376 bcdedit.exe 2148 bcdedit.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\Winmon.sys csrss.exe -
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2676 netsh.exe 2388 netsh.exe 2572 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Drops startup file 9 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP9l6p7MjDj80ZYBKlmvFR0P.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A8vjjWWItIEFitEjYg56bE69.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O2jnQWDTGnMr5SqtxFGpmU2g.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mmV5oDRUNfppU7MeWh1owBE.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yJ8EaZ6Zw7PHyO0tonvxHyLs.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bvM5tzf8C09EVC2xwlTk1s3t.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aMH7ZC9LmJOMOyqpwqnsv22K.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VL0mSn1j6nd3j1Rz11atcWvI.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Za7OeW34cNHVdPhAmWPwEjiT.bat regsvcs.exe -
Executes dropped EXE 17 IoCs
pid Process 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 848 2mMfUGxyHICIaTRCXyxj5igi.exe 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe 1492 o0ux229IUgMZfOZnJsn4PXgg.exe 2308 rDqQVjdJtztifq3NkTSYjW43.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 2296 ufs.0.exe 1600 csrss.exe 1652 patch.exe 2860 injector.exe 580 ufs.1.exe 1308 EHDHIDAEHC.exe 3008 dsefix.exe 1368 windefender.exe 2408 windefender.exe -
Loads dropped DLL 36 IoCs
pid Process 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 2468 regsvcs.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 840 Process not Found 1600 csrss.exe 1652 patch.exe 1652 patch.exe 1652 patch.exe 1652 patch.exe 1652 patch.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 2296 ufs.0.exe 2296 ufs.0.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1652 patch.exe 1652 patch.exe 1652 patch.exe 1360 cmd.exe 1600 csrss.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x00050000000120c9-889.dat upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rDqQVjdJtztifq3NkTSYjW43.exe = "0" rDqQVjdJtztifq3NkTSYjW43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AKPqkG1XdFQPyrpprX0gnGsC.exe = "0" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\o0ux229IUgMZfOZnJsn4PXgg.exe = "0" o0ux229IUgMZfOZnJsn4PXgg.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" AKPqkG1XdFQPyrpprX0gnGsC.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" o0ux229IUgMZfOZnJsn4PXgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 pastebin.com 5 pastebin.com -
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
description ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2000 set thread context of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN rDqQVjdJtztifq3NkTSYjW43.exe File opened (read-only) \??\VBoxMiniRdrDN o0ux229IUgMZfOZnJsn4PXgg.exe File opened (read-only) \??\VBoxMiniRdrDN AKPqkG1XdFQPyrpprX0gnGsC.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe AKPqkG1XdFQPyrpprX0gnGsC.exe File opened for modification C:\Windows\rss o0ux229IUgMZfOZnJsn4PXgg.exe File opened for modification C:\Windows\rss rDqQVjdJtztifq3NkTSYjW43.exe File created C:\Windows\rss\csrss.exe o0ux229IUgMZfOZnJsn4PXgg.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss AKPqkG1XdFQPyrpprX0gnGsC.exe File created C:\Windows\Logs\CBS\CbsPersist_20240328223117.cab makecab.exe File created C:\Windows\rss\csrss.exe rDqQVjdJtztifq3NkTSYjW43.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2684 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ufs.1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ufs.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ufs.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ufs.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ufs.0.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2472 schtasks.exe 1840 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" rDqQVjdJtztifq3NkTSYjW43.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" windefender.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1232 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2308 rDqQVjdJtztifq3NkTSYjW43.exe 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe 1492 o0ux229IUgMZfOZnJsn4PXgg.exe 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 2256 rDqQVjdJtztifq3NkTSYjW43.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 2296 ufs.0.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2860 injector.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe 2860 injector.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2468 regsvcs.exe Token: SeDebugPrivilege 2308 rDqQVjdJtztifq3NkTSYjW43.exe Token: SeImpersonatePrivilege 2308 rDqQVjdJtztifq3NkTSYjW43.exe Token: SeDebugPrivilege 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe Token: SeImpersonatePrivilege 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe Token: SeDebugPrivilege 1492 o0ux229IUgMZfOZnJsn4PXgg.exe Token: SeImpersonatePrivilege 1492 o0ux229IUgMZfOZnJsn4PXgg.exe Token: SeDebugPrivilege 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe Token: SeImpersonatePrivilege 2060 AKPqkG1XdFQPyrpprX0gnGsC.exe Token: SeSystemEnvironmentPrivilege 1600 csrss.exe Token: SeDebugPrivilege 1640 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeSecurityPrivilege 2684 sc.exe Token: SeSecurityPrivilege 2684 sc.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe 580 ufs.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2468 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 28 PID 2000 wrote to memory of 2584 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 29 PID 2000 wrote to memory of 2584 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 29 PID 2000 wrote to memory of 2584 2000 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe 29 PID 2468 wrote to memory of 568 2468 regsvcs.exe 30 PID 2468 wrote to memory of 568 2468 regsvcs.exe 30 PID 2468 wrote to memory of 568 2468 regsvcs.exe 30 PID 2468 wrote to memory of 568 2468 regsvcs.exe 30 PID 2468 wrote to memory of 848 2468 regsvcs.exe 31 PID 2468 wrote to memory of 848 2468 regsvcs.exe 31 PID 2468 wrote to memory of 848 2468 regsvcs.exe 31 PID 2468 wrote to memory of 848 2468 regsvcs.exe 31 PID 2468 wrote to memory of 2060 2468 regsvcs.exe 32 PID 2468 wrote to memory of 2060 2468 regsvcs.exe 32 PID 2468 wrote to memory of 2060 2468 regsvcs.exe 32 PID 2468 wrote to memory of 2060 2468 regsvcs.exe 32 PID 2468 wrote to memory of 1492 2468 regsvcs.exe 33 PID 2468 wrote to memory of 1492 2468 regsvcs.exe 33 PID 2468 wrote to memory of 1492 2468 regsvcs.exe 33 PID 2468 wrote to memory of 1492 2468 regsvcs.exe 33 PID 2468 wrote to memory of 2308 2468 regsvcs.exe 36 PID 2468 wrote to memory of 2308 2468 regsvcs.exe 36 PID 2468 wrote to memory of 2308 2468 regsvcs.exe 36 PID 2468 wrote to memory of 2308 2468 regsvcs.exe 36 PID 2256 wrote to memory of 2368 2256 rDqQVjdJtztifq3NkTSYjW43.exe 42 PID 2256 wrote to memory of 2368 2256 rDqQVjdJtztifq3NkTSYjW43.exe 42 PID 2256 wrote to memory of 2368 2256 rDqQVjdJtztifq3NkTSYjW43.exe 42 PID 2256 wrote to memory of 2368 2256 rDqQVjdJtztifq3NkTSYjW43.exe 42 PID 568 wrote to memory of 2296 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 44 PID 568 wrote to memory of 2296 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 44 PID 568 wrote to memory of 2296 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 44 PID 568 wrote to memory of 2296 568 0zd39W1gHkkSNhQHuOaQ1Q3z.exe 44 PID 2368 wrote to memory of 2572 2368 cmd.exe 45 PID 2368 wrote to memory of 2572 2368 cmd.exe 45 PID 2368 wrote to memory of 2572 2368 cmd.exe 45 PID 2312 wrote to memory of 2292 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 46 PID 2312 wrote to memory of 2292 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 46 PID 2312 wrote to memory of 2292 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 46 PID 2312 wrote to memory of 2292 2312 o0ux229IUgMZfOZnJsn4PXgg.exe 46 PID 2292 wrote to memory of 2388 2292 cmd.exe 48 PID 2292 wrote to memory of 2388 2292 cmd.exe 48 PID 2292 wrote to memory of 2388 2292 cmd.exe 48 PID 1692 wrote to memory of 2880 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 49 PID 1692 wrote to memory of 2880 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 49 PID 1692 wrote to memory of 2880 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 49 PID 1692 wrote to memory of 2880 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 49 PID 2880 wrote to memory of 2676 2880 cmd.exe 51 PID 2880 wrote to memory of 2676 2880 cmd.exe 51 PID 2880 wrote to memory of 2676 2880 cmd.exe 51 PID 1692 wrote to memory of 1600 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 53 PID 1692 wrote to memory of 1600 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 53 PID 1692 wrote to memory of 1600 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 53 PID 1692 wrote to memory of 1600 1692 AKPqkG1XdFQPyrpprX0gnGsC.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe"C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Users\Admin\AppData\Local\Temp\ufs.0.exe"C:\Users\Admin\AppData\Local\Temp\ufs.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2296 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe"5⤵
- Loads dropped DLL
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe"C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe"6⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe7⤵PID:2040
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:1232
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ufs.1.exe"C:\Users\Admin\AppData\Local\Temp\ufs.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:580 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
-
-
C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe"C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe"3⤵
- Executes dropped EXE
PID:848
-
-
C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2676
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:2472
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2360
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1652 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
PID:1008
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:2292
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:2724
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
PID:2908
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
PID:1644
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
PID:488
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
PID:2372
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
PID:1932
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
PID:1520
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
PID:1632
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
PID:1672
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
PID:1944
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
PID:2376
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:2148
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
PID:3008
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:1840
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:2252
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2388
-
-
-
-
-
C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2572
-
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2000 -s 7162⤵PID:2584
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328223117.log C:\Windows\Logs\CBS\CbsPersist_20240328223117.cab1⤵
- Drops file in Windows directory
PID:2276
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2408
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize252B
MD5b57e543da6de4fbb05b4555667da9570
SHA14cc3b53cc3f71cb8e8de8304aaae0c8866c92ea1
SHA256758b023ef6efb9dbf6b2e99c2338063c92f31f7dabfa9778c4da5bb020cc32dc
SHA51201a4fe7edac34b9007b333f7312fd1367abf3fc044bd3dc47a38689d100687b41f7c25cdacb94b682f3991915c7d10838aefcb15c7dadf3113afea8c9fa91f24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD599cf7b6506ea0d7485b675565754e96d
SHA14094768195a7a13f196e9a8096ff694f625103e9
SHA256a839e39de22476b8ca866a4a03e317070ca64a58dc17be6ad42e69464aacd140
SHA512b9b993e58059e4b22f06dd7a477cf1da6e8daacf18d251d2e786454a4567230d1d46c9903e06a562f601740ed6b7e46875aea934499e50db3dc242acf7d019da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e9ab9a60be7f59e4b38fa274a1b2014d
SHA1c07d0eab19083dbcec74dab2ab59bc127ff66824
SHA2567b3808589d3bb7f2e3a5b64591ac52f0271138205cf664c0033b5dd9681d95ec
SHA512390f288747a05e603b1292dcb5fdd7dc5dc13225390e586391fcebee679a3a925fed471b75e72c5a8eb11d05dd4311d7f545ed3c8a475bf27c14c3c2963c66bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5bccc938cc929506388be0bef73f525e6
SHA1c314b95a46a9cc5d953445ea8210f9a0d5329cff
SHA256dbceaab8100f59bb3f1930dbf4016dd2efddf2385735d4d3eab2e7430662dde9
SHA5125246c79f24abc7fd35bc22e55ed4c1ed4b5f5e0183ec89fc874575fd1bad1c6c5537cbfc680c9c1a0e7bbcf6060fb3302a0f1f87412a0e8fd7a717584206bb04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fb6ceb73a79ca5ed404726a5d2340717
SHA1518c19a12ffb629be3359d0810a01ac93bea6f70
SHA2560fccc824fff10c25b9cb7b83611e37af8b0539600ed6da50786f10f5a6b0776e
SHA5127a2a1dc8f19dab46a39858953fe64c388a7dc7c8bfb292a85ea38fc26063be3b6b4097c880c86376ac6497b1fd37bfe0da6e8b0ec99e332ac327f9f9ab844ec9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5182f9b898ff075633af60fb85b4c4fe7
SHA1d157410b25f3063d6fe1d2f63143c0ab8b17cdc9
SHA256c162c107e137011a7ecea2e05228009a324f7feb3dc7ed7f3e0361f00a941c8e
SHA512fdd838367edf961a7b07c779b739b9c338b99558d7ec0f46f3879ae9a1bf4fff2a84216ca2f7d3e5a2bf21a35dfbef6bf97960af9da79ced3e9da57141fbd05e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56fa4f47ca5b55eb0d517383bc8aac83c
SHA105b14dd4d1eb13cd4f379a3a298f65aefacd4955
SHA256c2723bc5c9a0d94d955b2702a7c11e0a551770c21225b39501928e8f3ae8e72c
SHA512c9c54914d0fad2e8f6b28923d4da605fc619c3641efe82e194f38056d6f19ac5a38363a7af7eef8899129770992f8902401c336f873f9064894a61ac09cfdf4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5abfa15d66f2ac533a60737cb53965306
SHA1193149a247f2ca777a4f9bf7ac597dad4870889b
SHA256f83d99ae0e3507bd44673843e10317cefe07fee0b18bdcc426ca765ab41bcb8f
SHA512fa742e0ccef3430515b2557f421af208dad16240cf04aced0eab97797b1e20bd1e43ac95b17e6635df89ee666a91ec645397de0281ea84f669545dab47814713
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD577fa2e5f10a94917406fcf6678466bb6
SHA10ced973d3f4a713ded271991028aea44d954e92b
SHA256508b21d2cd346c88e63283c52fc781cec6e0af8e12fc8529a4d97a6a40b203e1
SHA51242513bb4808179871446275ef1e4c588498b936cdf7d8607eddc56254ae2a6b6737bf552263170fee85391e46593bb51978fb01c30d6f47d086685b50bdb7ace
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b67364e9555c9b02de431039e212c12e
SHA17616e3e96ddd6d0dda709674b7f9ae0653668a36
SHA256e191511c79bb9ec990358b470f9f21a21a8639bc1960cd6d04cf83d0927de8d6
SHA51274e77fbcfadfef4e184038bacb4d277ca41437c60b5284ae3e488b532ce74ecba38b194e3b8bd8fec41d64428008e5feb85fa5bc55e529b8674679541accba55
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d150943e20deff0d3af6df0e77c49e9c
SHA159abe75dd23b4cbc72b7c534f3e51caf18099683
SHA256b4580105c2ec53ce7eedcd81713dad6507cfc52ac6cda665d75c52db01093c67
SHA512677c02b59f864fa529bac3b0c675a59435a5dc7128be1244758fb0c1b40f0839a0a101cc73a24364ba7c138fa4695f48add459fec83d4bd9979b6edd998160e6
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\8ca5b49aa6234bb0a6791bfa64796b65.tmp
Filesize1KB
MD5f5dc21b613bdb1a461c2c9ed9929733e
SHA19d0972ae8042a6663ff73b0700be9d407bacf2b2
SHA2563fb5b624e3b11b7f568ffd8fdbfc1f0d045154d160930f2bf0c887cc2de98f31
SHA5124c3ab279b0d06d34a9e1edb75d76379b25350d53373d57fd30f0e36aea0d357cda721802c9555a1dad47995c2fdad0157ce2ac3744985363585766994fe296ad
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
2KB
MD5a71df0da9cf583851dabb1807aa81c09
SHA189e2780bd65f11dbeccce441d1e158d8721340c5
SHA25675791c9e1cfb73b8eac4a54c4231975e9a4d452160311ae493d88ad2daa0bba0
SHA5120eb36277a28f428877006a766d65342919beaedb84bbad80e2ae79398c0d3c73cdce6873e463fa5c7db428c633a3acc13c96d43416798e296de0ed5d6c9e5e3d
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
4.1MB
MD55f066ebf9264cad80bdb1384ce2a6b34
SHA1a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA2565c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA5120b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
Filesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
259KB
MD54524e1a1e2725e159d68b3bca2c1b296
SHA10e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA25612a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca
-
Filesize
403KB
MD57fcc0bae1fa98de1d16819e6f85de171
SHA1d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA25628249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA51258cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29
-
Filesize
372KB
MD5e2a6c1f58b137874e490b8d94382fcdb
SHA171529c5d708091b1e1a580227dc52e62a140edd1
SHA2564801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA51224d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
Filesize
4.1MB
MD56126c6923b352edf2507639b7fe78e8a
SHA11fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA25698db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA51293fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736