Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
02-04-2024 09:51
Static task
static1
Behavioral task
behavioral1
Sample
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Resource
win10v2004-20240226-en
General
-
Target
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
-
Size
9.2MB
-
MD5
69f900118f985990f488121cd1cf5e2b
-
SHA1
33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
-
SHA256
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
-
SHA512
09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
-
SSDEEP
196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Malware Config
Extracted
darkgate
5.2.4
civilian1337
http://185.130.227.202
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
true
-
crypto_key
VPsTDMdPtonzYs
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
civilian1337
Signatures
-
Detect DarkGate stealer 61 IoCs
resource yara_rule behavioral1/memory/1400-132-0x0000000002FA0000-0x00000000032CA000-memory.dmp family_darkgate_v6 behavioral1/memory/1400-141-0x0000000002FA0000-0x00000000032CA000-memory.dmp family_darkgate_v6 behavioral1/memory/1400-142-0x0000000002FA0000-0x00000000032CA000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-147-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-148-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1400-145-0x0000000002FA0000-0x00000000032CA000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-149-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-155-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-156-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-164-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-165-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-166-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-167-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-168-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-169-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-170-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-171-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-172-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-173-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-174-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 
behavioral1/memory/1600-175-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-187-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-188-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-190-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-191-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-192-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-194-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-195-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-196-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-197-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-198-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-199-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-200-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-201-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-202-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-203-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-204-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-205-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-206-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-207-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-208-0x0000000000400000-0x0000000000465000-memory.dmp 
family_darkgate_v6 behavioral1/memory/1600-209-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-210-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-211-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-212-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-213-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-214-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-215-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-216-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-217-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-218-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-219-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-220-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-221-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-222-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-223-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-224-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-225-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-226-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-227-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 behavioral1/memory/1600-228-0x0000000000400000-0x0000000000465000-memory.dmp family_darkgate_v6 -
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
description pid Process procid_target PID 1400 created 1304 1400 Autoit3.exe 44 PID 1400 created 1124 1400 Autoit3.exe 19 PID 1400 created 768 1400 Autoit3.exe 45 PID 1400 created 1888 1400 Autoit3.exe 43 PID 1400 created 1124 1400 Autoit3.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 
1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 PID 1600 created 1232 1600 cmd.exe 20 PID 1600 created 1124 1600 cmd.exe 19 -
Blocklisted process makes network request 42 IoCs
flow pid Process 5 1600 cmd.exe 6 1600 cmd.exe 7 1600 cmd.exe 8 1600 cmd.exe 9 1600 cmd.exe 10 1600 cmd.exe 13 1600 cmd.exe 14 1600 cmd.exe 15 1600 cmd.exe 16 1600 cmd.exe 17 1600 cmd.exe 18 1600 cmd.exe 19 1600 cmd.exe 20 1600 cmd.exe 21 1600 cmd.exe 22 1600 cmd.exe 23 1600 cmd.exe 24 1600 cmd.exe 25 1600 cmd.exe 26 1600 cmd.exe 27 1600 cmd.exe 28 1600 cmd.exe 29 1600 cmd.exe 30 1600 cmd.exe 31 1600 cmd.exe 32 1600 cmd.exe 33 1600 cmd.exe 34 1600 cmd.exe 35 1600 cmd.exe 36 1600 cmd.exe 37 1600 cmd.exe 38 1600 cmd.exe 39 1600 cmd.exe 40 1600 cmd.exe 41 1600 cmd.exe 42 1600 cmd.exe 43 1600 cmd.exe 44 1600 cmd.exe 45 1600 cmd.exe 46 1600 cmd.exe 47 1600 cmd.exe 48 1600 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edhbhad.lnk cmd.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2172 ICACLS.EXE 1060 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: 
msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1400 set thread context of 1600 1400 Autoit3.exe 50 -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76b04d.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIB24F.tmp msiexec.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\Installer\f76b04c.msi msiexec.exe File created C:\Windows\Installer\f76b04d.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f76b04c.msi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 2860 windbg.exe 1400 Autoit3.exe -
Loads dropped DLL 8 IoCs
pid Process 1108 MsiExec.exe 1108 MsiExec.exe 1108 MsiExec.exe 1108 MsiExec.exe 1108 MsiExec.exe 2860 windbg.exe 2860 windbg.exe 1600 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read to detect sandbox environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.bin\ = "bin_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.bin rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\bin_auto_file rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2248 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2588 msiexec.exe 2588 msiexec.exe 1400 Autoit3.exe 1400 Autoit3.exe 1400 Autoit3.exe 1400 Autoit3.exe 1400 Autoit3.exe 1400 Autoit3.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe 1600 cmd.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2588 msiexec.exe Token: SeTakeOwnershipPrivilege 2588 msiexec.exe Token: SeSecurityPrivilege 2588 msiexec.exe Token: SeCreateTokenPrivilege 2184 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2184 msiexec.exe Token: SeLockMemoryPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeMachineAccountPrivilege 2184 msiexec.exe Token: SeTcbPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeLoadDriverPrivilege 2184 msiexec.exe Token: SeSystemProfilePrivilege 2184 msiexec.exe Token: SeSystemtimePrivilege 2184 msiexec.exe Token: SeProfSingleProcessPrivilege 2184 msiexec.exe Token: SeIncBasePriorityPrivilege 2184 msiexec.exe Token: SeCreatePagefilePrivilege 2184 msiexec.exe Token: SeCreatePermanentPrivilege 2184 msiexec.exe Token: SeBackupPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeDebugPrivilege 2184 msiexec.exe Token: SeAuditPrivilege 2184 msiexec.exe Token: SeSystemEnvironmentPrivilege 2184 msiexec.exe Token: SeChangeNotifyPrivilege 2184 msiexec.exe Token: SeRemoteShutdownPrivilege 2184 msiexec.exe Token: SeUndockPrivilege 2184 msiexec.exe Token: SeSyncAgentPrivilege 2184 msiexec.exe Token: SeEnableDelegationPrivilege 2184 msiexec.exe Token: SeManageVolumePrivilege 2184 msiexec.exe Token: SeImpersonatePrivilege 2184 msiexec.exe Token: SeCreateGlobalPrivilege 2184 msiexec.exe Token: SeBackupPrivilege 3044 vssvc.exe Token: SeRestorePrivilege 3044 vssvc.exe Token: SeAuditPrivilege 3044 vssvc.exe Token: SeBackupPrivilege 2588 msiexec.exe Token: SeRestorePrivilege 2588 msiexec.exe Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2436 DrvInst.exe 
Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2436 DrvInst.exe Token: SeLoadDriverPrivilege 2436 DrvInst.exe Token: SeLoadDriverPrivilege 2436 DrvInst.exe Token: SeLoadDriverPrivilege 2436 DrvInst.exe Token: SeRestorePrivilege 2588 msiexec.exe Token: SeTakeOwnershipPrivilege 2588 msiexec.exe Token: SeRestorePrivilege 2588 msiexec.exe Token: SeTakeOwnershipPrivilege 2588 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2184 msiexec.exe 2184 msiexec.exe -
Suspicious use of WriteProcessMemory 55 IoCs
description pid Process procid_target PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 2588 wrote to memory of 1108 2588 msiexec.exe 32 PID 1108 wrote to memory of 2172 1108 MsiExec.exe 33 PID 1108 wrote to memory of 2172 1108 MsiExec.exe 33 PID 1108 wrote to memory of 2172 1108 MsiExec.exe 33 PID 1108 wrote to memory of 2172 1108 MsiExec.exe 33 PID 1108 wrote to memory of 2380 1108 MsiExec.exe 35 PID 1108 wrote to memory of 2380 1108 MsiExec.exe 35 PID 1108 wrote to memory of 2380 1108 MsiExec.exe 35 PID 1108 wrote to memory of 2380 1108 MsiExec.exe 35 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 1108 wrote to memory of 2860 1108 MsiExec.exe 37 PID 2860 wrote to memory of 1400 2860 windbg.exe 38 PID 2860 wrote to memory of 1400 2860 windbg.exe 38 PID 2860 wrote to memory of 1400 2860 windbg.exe 38 PID 2860 wrote to memory of 1400 2860 windbg.exe 38 PID 1108 wrote to memory of 1632 1108 MsiExec.exe 39 PID 1108 wrote to memory of 1632 1108 MsiExec.exe 39 PID 1108 wrote to memory of 1632 1108 MsiExec.exe 39 PID 1108 wrote to memory of 1632 1108 MsiExec.exe 39 PID 1108 wrote to memory of 1060 1108 MsiExec.exe 41 PID 1108 wrote to memory of 1060 1108 MsiExec.exe 41 PID 1108 wrote to memory of 1060 1108 MsiExec.exe 41 PID 1108 wrote to memory of 1060 1108 MsiExec.exe 41 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 
1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1888 1400 Autoit3.exe 43 PID 1400 wrote to memory of 1304 1400 Autoit3.exe 44 PID 1400 wrote to memory of 1304 1400 Autoit3.exe 44 PID 1400 wrote to memory of 1304 1400 Autoit3.exe 44 PID 1400 wrote to memory of 1304 1400 Autoit3.exe 44 PID 1304 wrote to memory of 2248 1304 cmd.exe 46 PID 1304 wrote to memory of 2248 1304 cmd.exe 46 PID 1304 wrote to memory of 2248 1304 cmd.exe 46 PID 1304 wrote to memory of 2248 1304 cmd.exe 46 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 PID 1400 wrote to memory of 1600 1400 Autoit3.exe 50 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1124
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1232
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 33DF895E18D052F8865FB2C0DE5349382⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:2172
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\files\windbg.exe"C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\files\windbg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\tmpa\Autoit3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\files\data.bin5⤵
- Modifies registry class
PID:1888
-
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit5⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:2248
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.15⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1600
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\files"3⤵PID:1632
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-50e2401b-7739-4981-b395-09d897fbcdc6\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:1060
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "000000000000051C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1162903896-1761164196-491736567-4127658271242572465208818592074864332340587364"1⤵PID:768
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
170B
MD5 ed4a658accf4ec8dec3e30dd1a2578f1
SHA1 e17d3f75a474da6a2c56aa214d210476151d5e17
SHA256 7a57eba1debe15541564b089fc3e1a8d22d7ca7c7968165e851105d6771bac3a
SHA512 41bfadc679fd4ea1a44ddc2d8735a6ff8d6561f32726e979b0913533167c19055bfa173c12d00d97e1ea6d19d5fbbf00f01521b3b9d8585b86cb383d8c9e6c36
-
Filesize
8.9MB
MD5 3a4de3260c72e38f814cc2a7b2d42df7
SHA1 19458fb6838dd9d8be113b0b9983c7d77c12eb25
SHA256 411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7
SHA512 3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e
-
Filesize
1.1MB
MD5 fd49f38e666f94abdbd9cc0bb842c29b
SHA1 36a00401a015d0719787d5a65c86784760ee93ff
SHA256 1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f
SHA512 2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612
-
Filesize
1.0MB
MD5 f68d2ca13e1268dd79e95591b976ec45
SHA1 588454301e3c25065349740573282145aa0a5c7b
SHA256 af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460
SHA512 a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae
-
Filesize: 1.1MB
MD5: 7dbe5e4b98d7601585cfb9697f265e0f
SHA1: da8477a2494b1436664c535d7c854bf778942a76
SHA256: c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288
SHA512: 38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e
-
Filesize: 1.0MB
MD5: 85da5b7fd4b6983fffe78853c5276c03
SHA1: 49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96
SHA256: ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba
SHA512: c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b
-
Filesize: 1.0MB
MD5: 602b44b5e0a94c61c7ae501966eb4fd5
SHA1: 853f5c83bedd4523cb72ca127cc6c269ac99e2d9
SHA256: 2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3
SHA512: e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97
-
Filesize: 1.1MB
MD5: 9a40cf65a81a8f618a4f562e2494a557
SHA1: 3b06e119cc017bbe99c06906779f40f2d04b08ad
SHA256: 087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6
SHA512: 745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920
-
Filesize: 1.1MB
MD5: 452b0afd9436be767a0ee61e98ef0356
SHA1: 736f12f84f8af0bd04f5b207f31cba8dd359ae03
SHA256: 0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a
SHA512: 2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338
-
Filesize: 159KB
MD5: 008b295295c49c6d07161baff5f7212b
SHA1: f89d13817531957967be21327c8180a35960d04d
SHA256: 9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134
SHA512: 6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e
-
Filesize: 92KB
MD5: 8b305b67e45165844d2f8547a085d782
SHA1: 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256: 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512: 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6
-
Filesize: 1.8MB
MD5: 7673659bf664bd45a6f3c38b7d1c25d3
SHA1: a9b40ab4590b77887417ec33ecd061c98490176a
SHA256: 41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d
SHA512: 14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24
-
Filesize: 542KB
MD5: a1defa998f5984c7819cffd68664e00a
SHA1: 9b0b17a2d660a2a51c8188186f394f8fe1650552
SHA256: abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f
SHA512: 792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24
-
Filesize: 370B
MD5: dbf8ec78223d569573d2253df4ccd2f0
SHA1: 6978bdd41cacacef8594a8427427e4a881baaec6
SHA256: b85f819143cfd0d28e96fe1224ad5005b5f5b95c1d2295b0fa15d4d2f5fb3dcc
SHA512: c195d438869a21bf26c80f7916c603e5d351e14c86ffa849ba72128126b3f0f506c433f4f3d6f97695a04fe9e7c27656988a2d71c3360c50cd885de4eb25895b
-
Filesize: 1KB
MD5: 8304cab5a9a3dba44a41ba86b31dc533
SHA1: 7326ee160604b1237737e94609211a4e706c79ae
SHA256: 16b0fe2c8470eb8a521af71f1625cd4ae08ef51bfa376063aa7d6a94ef7af3c5
SHA512: b1ea28e1d3bd288ee2b8c527721f412295bbca9c97accd8901b1824daacfd555be64754f65dd1b307be3e7a3390e7582a8743734bf60139b9d00852dc5625021
-
Filesize: 208KB
MD5: d82b3fb861129c5d71f0cd2874f97216
SHA1: f3fe341d79224126e950d2691d574d147102b18d
SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize: 490KB
MD5: e6c14274f52c3de09b65c182807d6fe9
SHA1: 5bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA256: 5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA512: 7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e
-
Filesize: 474KB
MD5: 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1: 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256: bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512: 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c