Analysis
max time kernel: 74s
max time network: 1189s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 06-09-2024 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: daisy's destruction.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: daisy's destruction.exe
  Resource: win10v2004-20240802-en
General
Target: daisy's destruction.exe
Size: 848.3MB
MD5: 68deeac4494153376a00405a6333a40f
SHA1: e602da2a9ced7d14c454a29adb7885b71b84402b
SHA256: bc8b44b994c5f3d431be21ef9bcad73c672c17dfe01731b1bf78fe7067039a52
SHA512: 95b9129f1cbc795c5e8f7403deb4e810f3659755a6353c67934020a8dff158e9c92e52ed099c49efd35eb0938d7e6d84c34397f28f8d58c142afa38dc5e473a0
SSDEEP: 393216:KO/V30PM/IJglhHZNRLRBPjVoGgzKkrFbvvepwW24OcwMVG1:DSPqIJArD7SmEKpwW244
Malware Config
Extracted
stealc
w9
http://45.152.113.10
url_path: /92335b4816f77e90.php
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
147.45.47.36:30035
Extracted
vidar
https://t.me/fneogr
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
stealc
default
http://46.8.231.109
url_path: /c4754d4f680ead72.php
Extracted
stealc
leva
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Detect Vidar Stealer 1 IoCs
Processes:
resource yara_rule
behavioral1/memory/2828-316-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
Processes:
resource yara_rule
behavioral1/memory/2116-372-0x0000000000400000-0x0000000000452000-memory.dmp family_redline
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation Saudi.pif
Drops startup file 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk oA1r8FbmsN73vh5_yNrppCZH.exe
Executes dropped EXE 17 IoCs
Processes:
pid process
2996 Saudi.pif
2212 Saudi.pif
2128 vxbeCHaKnUJNTX7aBJ1sgrqH.exe
2532 Q6uUoZRtjMCMBcHsAt8oTiGd.exe
1596 BS4sZN70R0Aj5jy4XAy9HtX6.exe
1732 247bPHuhmOaxs6aFsKmwjRHN.exe
2692 92yaqUveSlGxIufvWHNlcK3i.exe
2608 WxoRi98pynMg6RUopktWn7gW.exe
1720 ZxsDXXrM9OIe_zneFxLM655G.exe
1088 oA1r8FbmsN73vh5_yNrppCZH.exe
2804 YKJMM7p0zz7fCNq5BCqE0Kb7.exe
2748 qi866flZxG1ikcUHB9kpnJgi.exe
2720 An3F1TbHnH_2dNMOncuz2wrt.exe
2980 ZxsDXXrM9OIe_zneFxLM655G.tmp
632 WxoRi98pynMg6RUopktWn7gW.exe
560 oA1r8FbmsN73vh5_yNrppCZH.exe
1556 oA1r8FbmsN73vh5_yNrppCZH.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Loads dropped DLL 21 IoCs
Processes:
pid process
2400 cmd.exe
2996 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
2212 Saudi.pif
1720 ZxsDXXrM9OIe_zneFxLM655G.exe
2980 ZxsDXXrM9OIe_zneFxLM655G.tmp
2980 ZxsDXXrM9OIe_zneFxLM655G.tmp
2980 ZxsDXXrM9OIe_zneFxLM655G.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" oA1r8FbmsN73vh5_yNrppCZH.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
6 api64.ipify.org
8 ipinfo.io
9 ipinfo.io
13 api.myip.com
14 api.myip.com
5 api64.ipify.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid process
1704 powercfg.exe
1364 powercfg.exe
1860 powercfg.exe
992 powercfg.exe
884 powercfg.exe
828 powercfg.exe
1612 powercfg.exe
2176 powercfg.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid process
2752 tasklist.exe
2956 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid process
2532 Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Suspicious use of SetThreadContext 7 IoCs
Processes:
description pid process target process
PID 2996 set thread context of 2212 2996 Saudi.pif Saudi.pif
PID 1732 set thread context of 1340 1732 247bPHuhmOaxs6aFsKmwjRHN.exe RegAsm.exe
PID 2692 set thread context of 2828 2692 92yaqUveSlGxIufvWHNlcK3i.exe RegAsm.exe
PID 1596 set thread context of 2116 1596 BS4sZN70R0Aj5jy4XAy9HtX6.exe RegAsm.exe
PID 2804 set thread context of 1736 2804 YKJMM7p0zz7fCNq5BCqE0Kb7.exe RegAsm.exe
PID 2608 set thread context of 632 2608 WxoRi98pynMg6RUopktWn7gW.exe WxoRi98pynMg6RUopktWn7gW.exe
PID 1088 set thread context of 1556 1088 oA1r8FbmsN73vh5_yNrppCZH.exe oA1r8FbmsN73vh5_yNrppCZH.exe
Drops file in Windows directory 6 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SourcesShowing daisy's destruction.exe
File opened for modification C:\Windows\BehaviourVibrator daisy's destruction.exe
File opened for modification C:\Windows\AtomBoobs daisy's destruction.exe
File opened for modification C:\Windows\AntarcticaTucson daisy's destruction.exe
File opened for modification C:\Windows\WonderAvailable daisy's destruction.exe
File opened for modification C:\Windows\DecreaseHands daisy's destruction.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
2952 sc.exe
1748 sc.exe
1476 sc.exe
2376 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daisy's destruction.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Saudi.pif
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 247bPHuhmOaxs6aFsKmwjRHN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Q6uUoZRtjMCMBcHsAt8oTiGd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Saudi.pif
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oA1r8FbmsN73vh5_yNrppCZH.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZxsDXXrM9OIe_zneFxLM655G.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxbeCHaKnUJNTX7aBJ1sgrqH.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WxoRi98pynMg6RUopktWn7gW.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oA1r8FbmsN73vh5_yNrppCZH.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZxsDXXrM9OIe_zneFxLM655G.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YKJMM7p0zz7fCNq5BCqE0Kb7.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BS4sZN70R0Aj5jy4XAy9HtX6.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 92yaqUveSlGxIufvWHNlcK3i.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid process
948 timeout.exe
Modifies system certificate store
Processes:
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
1600 schtasks.exe
2464 schtasks.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
2996 Saudi.pif
2996 Saudi.pif
2996 Saudi.pif
2996 Saudi.pif
2996 Saudi.pif
2128 vxbeCHaKnUJNTX7aBJ1sgrqH.exe
2532 Q6uUoZRtjMCMBcHsAt8oTiGd.exe
2720 An3F1TbHnH_2dNMOncuz2wrt.exe
2828 RegAsm.exe
1088 oA1r8FbmsN73vh5_yNrppCZH.exe
1088 oA1r8FbmsN73vh5_yNrppCZH.exe
1340 RegAsm.exe
1736 RegAsm.exe
2828 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2752 tasklist.exe
Token: SeDebugPrivilege 2956 tasklist.exe
Token: SeDebugPrivilege 1088 oA1r8FbmsN73vh5_yNrppCZH.exe
Token: SeDebugPrivilege 1736 RegAsm.exe
Token: SeBackupPrivilege 1736 RegAsm.exe
Token: SeSecurityPrivilege 1736 RegAsm.exe
Token: SeSecurityPrivilege 1736 RegAsm.exe
Token: SeSecurityPrivilege 1736 RegAsm.exe
Token: SeSecurityPrivilege 1736 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid process
2996 Saudi.pif
2996 Saudi.pif
2996 Saudi.pif
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid process
2996 Saudi.pif
2996 Saudi.pif
2996 Saudi.pif
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2908 wrote to memory of 2400 2908 daisy's destruction.exe cmd.exe
PID 2908 wrote to memory of 2400 2908 daisy's destruction.exe cmd.exe
PID 2908 wrote to memory of 2400 2908 daisy's destruction.exe cmd.exe
PID 2908 wrote to memory of 2400 2908 daisy's destruction.exe cmd.exe
PID 2400 wrote to memory of 2752 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2752 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2752 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2752 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2748 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2748 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2748 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2748 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2956 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2956 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2956 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2956 2400 cmd.exe tasklist.exe
PID 2400 wrote to memory of 2628 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2628 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2628 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2628 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2764 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2764 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2764 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2764 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2712 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2712 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2712 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2712 2400 cmd.exe findstr.exe
PID 2400 wrote to memory of 2612 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2612 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2612 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2612 2400 cmd.exe cmd.exe
PID 2400 wrote to memory of 2996 2400 cmd.exe Saudi.pif
PID 2400 wrote to memory of 2996 2400 cmd.exe Saudi.pif
PID 2400 wrote to memory of 2996 2400 cmd.exe Saudi.pif
PID 2400 wrote to memory of 2996 2400 cmd.exe Saudi.pif
PID 2400 wrote to memory of 2324 2400 cmd.exe choice.exe
PID 2400 wrote to memory of 2324 2400 cmd.exe choice.exe
PID 2400 wrote to memory of 2324 2400 cmd.exe choice.exe
PID 2400 wrote to memory of 2324 2400 cmd.exe choice.exe
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2996 wrote to memory of 2212 2996 Saudi.pif Saudi.pif
PID 2212 wrote to memory of 2532 2212 Saudi.pif Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 2212 Saudi.pif Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 2212 Saudi.pif Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 2212 Saudi.pif Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2128 2212 Saudi.pif vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 2212 Saudi.pif vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 2212 Saudi.pif vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 2212 Saudi.pif vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 1596 2212 Saudi.pif BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 2212 Saudi.pif BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 2212 Saudi.pif BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 2212 Saudi.pif BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1088 2212 Saudi.pif oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 2212 Saudi.pif oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 2212 Saudi.pif oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 2212 Saudi.pif oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1720 2212 Saudi.pif ZxsDXXrM9OIe_zneFxLM655G.exe
PID 2212 wrote to memory of 1720 2212 Saudi.pif ZxsDXXrM9OIe_zneFxLM655G.exe
Processes
(indentation reflects the process tree depth; each entry lists image path, command line, PID and matched signatures)
C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"
  PID: 2908
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit
    PID: 2400
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 2752
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "wrsa opssvc"
      PID: 2748
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 2956
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      PID: 2628
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md 799275
      PID: 2764
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /V "TransformationComponentBrideInvasion" Calculate
      PID: 2712
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O
      PID: 2612
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
      command line: Saudi.pif O
      PID: 2996
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
        command line: C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
        PID: 2212
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
          command line: C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
          PID: 2128
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
          command line: C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
          PID: 2532
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
          command line: C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
          PID: 1596
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 2116
            - System Location Discovery: System Language Discovery
            - Modifies system certificate store
        C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
          command line: C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
          PID: 1720
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp
            command line: "C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp" /SL5="$90122,3387544,54272,C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe"
            PID: 2980
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
        C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe
          command line: C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe
          PID: 1732
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 1340
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEGHCFIDAK.exe"
              PID: 2176
              C:\Users\AdminAEGHCFIDAK.exe
                command line: "C:\Users\AdminAEGHCFIDAK.exe"
                PID: 2704
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  PID: 2672
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCBGCBGCAFI.exe"
              PID: 2748
              C:\Users\AdminCBGCBGCAFI.exe
                command line: "C:\Users\AdminCBGCBGCAFI.exe"
                PID: 1920
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  PID: 2124
        C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
          command line: C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
          PID: 1088
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
            command line: "C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"
            PID: 560
            - Executes dropped EXE
          C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
            command line: "C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"
            PID: 1556
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
              PID: 1600
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
              PID: 2464
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe
          command line: C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe
          PID: 2692
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 2828
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe
          command line: C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe
          PID: 2804
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 1736
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
          command line: C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
          PID: 2608
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
            command line: "C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe"
            PID: 632
            - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit
              PID: 2820
              C:\Windows\SysWOW64\timeout.exe
                command line: timeout /t 10
                PID: 948
                - Delays execution with timeout.exe
        C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe
          command line: C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe
          PID: 2748
          - Executes dropped EXE
        C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe
          command line: C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe
          PID: 2720
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            PID: 1364
            - Power Settings
          C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            PID: 992
            - Power Settings
          C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            PID: 1860
            - Power Settings
          C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            PID: 884
            - Power Settings
          C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe delete "VIFLJRPW"
- Launches sc.exe
PID:1748 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"6⤵
- Launches sc.exe
PID:1476 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
PID:2952 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "VIFLJRPW"6⤵
- Launches sc.exe
PID:2376 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:2324
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1484
-
C:\ProgramData\xprfjygruytr\etzpikspwykg.exeC:\ProgramData\xprfjygruytr\etzpikspwykg.exe1⤵PID:2528
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:828 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:1704 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:2176 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:1612 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:572
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:848
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads