Analysis
-
max time kernel
852s -
max time network
1604s -
platform
windows10-1703_x64 -
resource
win10-20240404-es -
resource tags
arch:x64, arch:x86, image:win10-20240404-es, locale:es-es, os:windows10-1703-x64, system, windows -
submitted
04/04/2024, 17:20
Static task
static1
Behavioral task
behavioral1
Sample
fenix atc/ATCFenixTelco.exe
Resource
win10-20240404-es
Behavioral task
behavioral2
Sample
fenix atc/FenixATCInstaller.exe
Resource
win10-20240404-es
General
-
Target
fenix atc/FenixATCInstaller.exe
-
Size
5.3MB
-
MD5
423ce463869b85b1581e26a3535d3377
-
SHA1
8ad5f7430cf4b2f0a9755af8cd111f7ac9a76711
-
SHA256
ba4da4c0e7257660436b8c4c49f8046c6d0fd5348a7d24f3cc7734b4dbb31f4d
-
SHA512
598136d28ceb6002ebb2dae2b1b9f4edc53f60ce24f0806d3ed15b61d48ce606936b869241730b16e6643787e25dfcb932abca8005d8db449587ddd5b0014c4b
-
SSDEEP
98304:gmbEM8+51vYLB0VhaA8dhakIneoXggn/JWxog7bWgq5t63XCoBj0F:zn/drXg4JqWgkt6ioBj0F
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3916 LinkCreator.exe -
Loads dropped DLL 18 IoCs
pid Process 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe 1260 FenixATCInstaller.exe 1376 MsiExec.exe 1376 MsiExec.exe 1376 MsiExec.exe 1376 MsiExec.exe 1376 MsiExec.exe 1376 MsiExec.exe 2756 MsiExec.exe 2756 MsiExec.exe -
Registers COM server for autorun 1 TTPs 20 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 15 IoCs
description ioc Process
File created C:\Windows\SysWOW64\MSBIND.DLL msiexec.exe
File created C:\Windows\SysWOW64\MSSTDFMT.DLL msiexec.exe
File created C:\Windows\SysWOW64\mtxas.dll msiexec.exe
File created C:\Windows\SysWOW64\perfc009.dat msiexec.exe
File created C:\Windows\SysWOW64\AUTPRX32.DLL msiexec.exe
File created C:\Windows\SysWOW64\CLIREG32.EXE msiexec.exe
File created C:\Windows\SysWOW64\COMCT332.OCX msiexec.exe
File created C:\Windows\SysWOW64\MSCOMCT2.OCX msiexec.exe
File created C:\Windows\SysWOW64\perfh009.dat msiexec.exe
File created C:\Windows\SysWOW64\MSDATGRD.OCX msiexec.exe
File created C:\Windows\SysWOW64\TABCTL32.OCX msiexec.exe
File created C:\Windows\SysWOW64\VB6STKIT.DLL msiexec.exe
File created C:\Windows\SysWOW64\textField.ocx msiexec.exe
File created C:\Windows\SysWOW64\MSCOMCTL.OCX msiexec.exe
File created C:\Windows\SysWOW64\MSFLXGRD.OCX msiexec.exe
Drops file in Program Files directory 6 IoCs
description ioc Process
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\PaginarATC.TLB msiexec.exe
File created C:\Program Files (x86)\GATCFenix\ST6UNST.LOG msiexec.exe
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\bllFenixTelco.TLB msiexec.exe
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\Codifica.TLB msiexec.exe
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\dalFenixTelco.TLB msiexec.exe
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\InterfazFACTURA.TLB msiexec.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4324 msiexec.exe 4324 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1260 FenixATCInstaller.exe 1260 FenixATCInstaller.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 604 attrib.exe 4352 attrib.exe 4464 attrib.exe 3772 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe"C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1260 -
  C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /i "C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\GATCFenix" CLIENTPROCESSID="1260" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1260Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="LinkCreator,MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Tulpep Services" AI_MISSING_PREREQS="Link Creator" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\fenix atc\" EXE_CMD_LINE="/exenoupdates " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" AI_INSTALL="1"
  - Enumerates connected drives
  PID:4824
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2248
    C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"
    - Views/modifies file attributes
    PID:604
    C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat"
    - Views/modifies file attributes
    PID:4464
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "
    PID:3924
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    PID:4728
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "
  - Suspicious use of WriteProcessMemory
  PID:3168
    C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"
    - Views/modifies file attributes
    PID:4352
    C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat"
    - Views/modifies file attributes
    PID:3772
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "
    PID:4564
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    PID:2928
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94B722DBF6921C3B1AAB63C7E2B771AF C
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2756
    C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /groupsextract:100; /out:"C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites" /callbackid:2756
    PID:4588
    C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
    "C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe"
    - Executes dropped EXE
    PID:3916
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 918CB0791A687C072AF098ADB1AA54DA
  - Loads dropped DLL
  PID:1376
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
PID:4576
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:524
Network
MITRE ATT&CK Enterprise v15
Downloads