Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/06/2024, 01:10
Behavioral task
behavioral1
Sample
9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Resource
win10v2004-20240508-en
General
-
Target
9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
-
Size
292KB
-
MD5
a273044943723ee8f98fc5212a5176b2
-
SHA1
83840f7c21ba99a59cbad0c3a80cdf4fb2d5460b
-
SHA256
9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99
-
SHA512
e3b7f6fd0a1bd922d091dafce5fa73b55a85917aa18a0067b7dc4e89501de916029c35ed46677e4bf24012c97f5347e32c119721bf866ba947bdf4a95660112e
-
SSDEEP
3072:2r+Fu6eC0VjywzvcXcSqviamCIngQMTqGMWH2EZjg1wmxNAntKHzvtCQj:E5vcXgvibeqGNWE9+7AnAHzvtB
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 9 IoCs
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/files/0x0007000000015023-36.dat UPX behavioral1/memory/2536-71-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/2224-116-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/1676-119-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/2668-142-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/2340-536-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/2536-548-0x0000000000400000-0x000000000040B000-memory.dmp UPX behavioral1/memory/2536-569-0x0000000000400000-0x000000000040B000-memory.dmp UPX -
Drops file in Drivers directory 60 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\de-DE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\es-ES AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\it-IT AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\gm.dls AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll AE 0124 BE.exe File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\fr-FR AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\ja-JP AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui AE 0124 BE.exe -
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File opened for modification C:\Windows\SysWOW64\wintrust.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll AE 0124 BE.exe -
Executes dropped EXE 4 IoCs
pid Process 2340 winlogon.exe 2536 AE 0124 BE.exe 1676 winlogon.exe 2668 winlogon.exe -
Loads dropped DLL 10 IoCs
pid Process 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 2536 AE 0124 BE.exe 2536 AE 0124 BE.exe 2340 winlogon.exe 2340 winlogon.exe 1676 winlogon.exe 2668 winlogon.exe 2308 msiexec.exe 2308 msiexec.exe -
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/files/0x0007000000015023-36.dat upx behavioral1/memory/2536-71-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2224-116-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1676-119-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2668-142-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2340-536-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2536-548-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2536-569-0x0000000000400000-0x000000000040B000-memory.dmp upx -
Blocklisted process makes network request 4 IoCs
flow pid Process 3 2308 msiexec.exe 5 2308 msiexec.exe 7 2308 msiexec.exe 9 560 msiexec.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Characters\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Heritage\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Savanna\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Scenes\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\assembly\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Architecture\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Cityscape\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Festival\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Quirky\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Sonata\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Offline Web Pages\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Delta\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Characters\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Downloaded Program Files\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Afternoon\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Nature\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini AE 0124 BE.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\U:\Autorun.inf winlogon.exe File opened for modification \??\X:\Autorun.inf winlogon.exe File opened for modification D:\Autorun.inf winlogon.exe File opened for modification \??\Y:\Autorun.inf winlogon.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf AE 0124 BE.exe File opened for modification \??\O:\Autorun.inf winlogon.exe File opened for modification \??\S:\Autorun.inf winlogon.exe File opened for modification \??\H:\Autorun.inf winlogon.exe File opened for modification \??\J:\Autorun.inf winlogon.exe File opened for modification \??\W:\Autorun.inf winlogon.exe File opened for modification \??\I:\Autorun.inf winlogon.exe File opened for modification \??\M:\Autorun.inf winlogon.exe File opened for modification \??\N:\Autorun.inf winlogon.exe File opened for modification \??\P:\Autorun.inf winlogon.exe File opened for modification C:\Autorun.inf winlogon.exe File opened for modification F:\Autorun.inf winlogon.exe File opened for modification \??\Q:\Autorun.inf winlogon.exe File opened for modification \??\Z:\Autorun.inf winlogon.exe File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf AE 0124 BE.exe File opened for modification \??\G:\Autorun.inf winlogon.exe File opened for modification \??\T:\Autorun.inf winlogon.exe File opened for modification \??\E:\Autorun.inf winlogon.exe File opened for modification \??\K:\Autorun.inf winlogon.exe File opened for modification \??\L:\Autorun.inf winlogon.exe File opened for modification \??\R:\Autorun.inf winlogon.exe File opened for modification \??\V:\Autorun.inf winlogon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\e1e6032e.sys AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en-US\napipsec.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\packager.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\WMALFXGFXDSP.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\MSVidCtl.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF6980T.XML AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\INISC253.PPD AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LRC1500.GPD AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\sti.inf AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\mdmbr006.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en-US\onexui.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\getmac.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-EnterpriseEdition-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465 AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\NcdProp.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja\AuthFWSnapIn.Resources.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\Bubbles.scr AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7ULAA.ICM AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\azroles.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\oledlg.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\msorc32r.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\msprivs.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\prnca003.PNF AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\Amd64\SVC240D.GPD AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\bitsadmin.exe AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\TRAPI.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\BRM867DN.GPD AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\it-IT\auditpol.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\sppcc.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\migwiz\replacementmanifests\authui-migration-replacement.man AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\eventvwr.msc AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\PeerToPeerGrouping-DL.man AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WfHC.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\oleaut32.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\arcsas.PNF AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\LocationNotifications.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\neth.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXL.INI AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\powershell_ise.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\en-US\multiprt.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmbr00a.inf_amd64_neutral_aa4f0850ff03674e\mdmbr00a.PNF AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\irclass.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\fsutil.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\EventCreate.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\hu-HU\mlang.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\NetworkExplorer.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ja-JP\shwebsvc.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\ddrawex.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GSC7526D.GPD AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1321E3.PPD AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\es-ES\dsprop.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseN AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\multiprt.inf_loc AE 0124 BE.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll msiexec.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll msiexec.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.1.7600.16385_none_73373b169fcf68cb AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_4809f54ad4f6614d.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-sysinfo.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_06b08462763a4a1c.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-i..hinese-imepadapplet_31bf3856ad364e35_6.1.7600.16385_none_faff6acb5cd29b45\MSHWCHTRIME.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-u..re-atmini.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_206fe7a92ead27ab\unimdmat.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\Cursors\arrow_r.cur AE 0124 BE.exe File opened for modification C:\Windows\PolicyDefinitions\AppCompat.admx AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_99dd4dbb750b71c2 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-infocard.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_94d8c43d28c969df\icardie.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_nete1g3e.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_abfb90964f382f32.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_ehstorpwddrv.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_580b66583d093b6e.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_mdmminij.inf_31bf3856ad364e35_6.1.7600.16385_none_45ce09cc47709c2b.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf077f9c01bf086f.manifest AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\190c40c1f98dddf624b7e442286d76d4\System.Runtime.Serialization.ni.dll.aux AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnca00h.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4ee05ae5684cbb1\prnca00h.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_it-it_5f6e83504ee8d5f5.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-charmap.resources_31bf3856ad364e35_6.1.7600.16385_it-it_73c013b7234bde63.manifest AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng# AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..re-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_de4f4a8629efa9ea.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7e05482e7498fc3 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ponent-sku-ultimate_31bf3856ad364e35_6.1.7601.17514_none_f7e6a2aa970662b7\Security-SPP-Component-SKU-Ultimate-OEM-SLPCOA1-ul-oob.xrm-ms AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-mapi_31bf3856ad364e35_6.1.7601.17514_none_ad54ab3a7801c830.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\settings.css AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae_msimsg.dll.mui_72e8994f AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_mdmcm28.inf_31bf3856ad364e35_6.1.7600.16385_none_d130a4ccfd6ae450.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mrc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7e0c8b1a4387b648.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_c30c9017ee72aff3\WebAdminHelp_Application.aspx.de.resx AE 0124 BE.exe File opened for modification C:\Windows\Fonts\times.ttf AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.17514_none_459af2f42285b811 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft.windows.c..ration.online.setup_31bf3856ad364e35_6.1.7600.16385_none_0dbedb7c5ac04a7d AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc53e808eda33786\rwinsta.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..ification.resources_31bf3856ad364e35_6.1.7600.16385_it-it_870e2d2ecfceb6f2.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_ba9e94bf275d71ed AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68750ba1329f3c6f AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d60e0225bb629349 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\1px.gif AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_45549abb8ab456cb\WsatConfig.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_bth.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_412b6c615d92cd59 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_server-help-chm.comexp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7c2bc1948a9f5086 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_82ceb5cdc1645de3 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Notes_loop_PAL.wmv AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353.manifest AE 0124 BE.exe File opened for modification C:\Windows\inf\mdmcxhv6.inf AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_prnep00l.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_f05b7df13002cc8b.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-driverquery.resources_31bf3856ad364e35_6.1.7600.16385_es-es_58d29339dc26477b AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\setting_back.png AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_ff2b8a4884ab92de\msimsg.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_es-es_912246ee1073420f.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_cs-cz_2b0fc458c6c7dba5.manifest AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Handles\v4.0_4.0.0.0__b03f5f7f11d50a3a AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c4b9ba2a3ac12f32_msorcl32.chm_650a727b AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ribbons.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ae6e8472b208da12.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_1927f185bf597f41\mstsc.mfl AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnrc005.inf_31bf3856ad364e35_6.1.7600.16385_none_227092d2a7af4a58\prnrc005.cat AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee9d0e0c5a29e375 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmictimeprovider.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_c1d89f450753fc21\cdosys.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-shell32-license_31bf3856ad364e35_6.1.7600.16385_none_70de2556f6dfadae\shell32-license-ppdlic.xrm-ms AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a8f8db81d52af370\wcncsvc.mfl AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.7601.17514_none_27126e7394676c4a\ieakui.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\Amd64\SV1392E3.PPD AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-msmq-runtime_31bf3856ad364e35_6.1.7601.17514_none_ff07d9eb4cd00172.manifest AE 0124 BE.exe File opened for modification C:\Windows\security AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.de.resx AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 560 msiexec.exe 560 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2308 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process Token: SeShutdownPrivilege 2308 msiexec.exe Token: SeIncreaseQuotaPrivilege 2308 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe Token: SeSecurityPrivilege 560 msiexec.exe Token: SeCreateTokenPrivilege 2308 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2308 msiexec.exe Token: SeLockMemoryPrivilege 2308 msiexec.exe Token: SeIncreaseQuotaPrivilege 2308 msiexec.exe Token: SeMachineAccountPrivilege 2308 msiexec.exe Token: SeTcbPrivilege 2308 msiexec.exe Token: SeSecurityPrivilege 2308 msiexec.exe Token: SeTakeOwnershipPrivilege 2308 msiexec.exe Token: SeLoadDriverPrivilege 2308 msiexec.exe Token: SeSystemProfilePrivilege 2308 msiexec.exe Token: SeSystemtimePrivilege 2308 msiexec.exe Token: SeProfSingleProcessPrivilege 2308 msiexec.exe Token: SeIncBasePriorityPrivilege 2308 msiexec.exe Token: SeCreatePagefilePrivilege 2308 msiexec.exe Token: SeCreatePermanentPrivilege 2308 msiexec.exe Token: SeBackupPrivilege 2308 msiexec.exe Token: SeRestorePrivilege 2308 msiexec.exe Token: SeShutdownPrivilege 2308 msiexec.exe Token: SeDebugPrivilege 2308 msiexec.exe Token: SeAuditPrivilege 2308 msiexec.exe Token: SeSystemEnvironmentPrivilege 2308 msiexec.exe Token: SeChangeNotifyPrivilege 2308 msiexec.exe Token: SeRemoteShutdownPrivilege 2308 msiexec.exe Token: SeUndockPrivilege 2308 msiexec.exe Token: SeSyncAgentPrivilege 2308 msiexec.exe Token: SeEnableDelegationPrivilege 2308 msiexec.exe Token: SeManageVolumePrivilege 2308 msiexec.exe Token: SeImpersonatePrivilege 2308 msiexec.exe Token: SeCreateGlobalPrivilege 2308 msiexec.exe Token: SeBackupPrivilege 1492 vssvc.exe Token: SeRestorePrivilege 1492 vssvc.exe Token: SeAuditPrivilege 1492 vssvc.exe Token: SeBackupPrivilege 560 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 2584 DrvInst.exe Token: SeLoadDriverPrivilege 2584 DrvInst.exe Token: SeLoadDriverPrivilege 2584 DrvInst.exe Token: SeLoadDriverPrivilege 2584 DrvInst.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2308 msiexec.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 2340 winlogon.exe 2536 AE 0124 BE.exe 1676 winlogon.exe 2668 winlogon.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2308 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 28 PID 2224 wrote to memory of 2340 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 29 PID 2224 wrote to memory of 2340 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 29 PID 2224 wrote to memory of 2340 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 29 PID 2224 wrote to memory of 2340 2224 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 29 PID 2340 wrote to memory of 2536 2340 winlogon.exe 30 PID 2340 wrote to memory of 2536 2340 winlogon.exe 30 PID 2340 wrote to memory of 2536 2340 winlogon.exe 30 PID 2340 wrote to memory of 2536 2340 winlogon.exe 30 PID 2536 wrote to memory of 1676 2536 AE 0124 BE.exe 31 PID 2536 wrote to memory of 1676 2536 AE 0124 BE.exe 31 PID 2536 wrote to memory of 1676 2536 AE 0124 BE.exe 31 PID 2536 wrote to memory of 1676 2536 AE 0124 BE.exe 31 PID 2340 wrote to memory of 2668 2340 winlogon.exe 32 PID 2340 wrote to memory of 2668 2340 winlogon.exe 32 PID 2340 wrote to memory of 2668 2340 winlogon.exe 32 PID 2340 wrote to memory of 2668 2340 winlogon.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"2⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2308
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\AE 0124 BE.exe"C:\Windows\AE 0124 BE.exe"3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1676
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2668
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000005B0"1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cba2426f2aafe31899569ace05e89796
SHA13bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD5fc1193c6345ac35188aa3de0f824ceb7
SHA18fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize264B
MD5b8a58cd133572987e15e802c42d02f39
SHA1074ac74fef858a7a7aa5d827e61772fcb704845a
SHA256df018540d799eb444ea8d4067e916662f901ac5163af3cb0e3a6e1012987c7e7
SHA51208fcc89ecacc1eccbbdffe7c1f1f1bc2be745bfb81b98a350d6525207c4c4611d3f5f390b20139e80fed8ca0a914c2786b2d6825c745779dac094a1c638f48be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD535459eda750ee5ce6b9f99fc5b56f519
SHA1999f0f37ff67c731c9fa1c7ef5df0cba57b370fa
SHA256c2ac1469638581ae41b78f13d5dd6d508f471ac0ecacadc9302d85a120e48097
SHA512afd0836f6a79b1f19d76b1a898f2ec673ee11820c592eaf06a84d8951f8cb9b8b26f22cb5bc50e278717926335da4529bb3fb6411385313ff8becca3ae36710f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize252B
MD5ba73765ee919ddd61052f416cab82eff
SHA1c7f513591f11a4225a8a87ea4556c3ebf7beb4b8
SHA2563a664179a435ead5165cbfa77acb3081619a0d3cc61a95dcdb6fe4beed7c68ad
SHA512bc67614375414cde7cccf12f0c911d068b843d3e17beb28441420ded7b5060d6f48932f890b059a7765a3882b7d01b48f620eeb4015bc3a3b1c3517eb6acd94f
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
292KB
MD55509e489819927ce83d9cdb410aa17dc
SHA187dab44eb3da7d0b538593b1ca854712f41d6b8e
SHA2562a033498341bf9e3db3df3f46cf183c6fb5a9d86313cefb39271bfdd8b7dd834
SHA512d82198c6667522cbd3789ff7f723c5a0c708a161443692ba6f3662aae77a64ca7fbbe802a1690c555444d3e7a1e0bab9d75f1b0a139be7dd14e71c18d4a38c50
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
21B
MD59cceaa243c5d161e1ce41c7dad1903dd
SHA1e3da72675df53fffa781d4377d1d62116eafb35b
SHA256814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
Filesize
48KB
MD5833e9f4555d6dd92739f161eab2516a3
SHA1f946f93117471d4fff1350a8b024f03b46de4ccd
SHA256786d08a766f02b62f6a5886238867b73e0bb5fe28cf0c0bf31ed9c820444dbeb
SHA512618f0ba39f7e5b251fac5c135bdf182dfadbb086d63983ddbaf1726c02a19d562c5504bacf042dcd72a982257a2af958257b1ab9b82f7f19b41f094e0f84df0a
-
Filesize
16KB
MD5e1eeb7e26ab04075eecc7275239b20b3
SHA1ba62b37d4233b88948fdc2ffed08f3c82e8627f1
SHA256d6cdf961c6d2712fe1958815e51a30960d79fff1e97788b7741627dba972e8f7
SHA512dd64909c983794c8ac6c33b74711a89b3b33e4429bb5a3a2a2b4e38f5d74902b1589a97014a35fbaf97b469fa57a11314c02d68e1db0934de5244308699fc262