Analysis
- max time kernel: 122s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 15/10/2024, 23:46
Static task
static1
Behavioral task
behavioral1
Sample
rcsetup154.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
rcsetup154.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ButtonEvent.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ButtonEvent.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/g/gcapi_dll.dll
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/g/gcapi_dll.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$_107_/$_107_/pfUI.dll
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
$_107_/$_107_/pfUI.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
$_108_/lang-1025.dll
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
$_108_/lang-1025.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$_108_/lang-1026.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$_108_/lang-1026.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$_108_/lang-1027.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$_108_/lang-1027.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$_108_/lang-1028.dll
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
$_108_/lang-1028.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$_108_/lang-1029.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
$_108_/lang-1029.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
$_108_/lang-1030.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$_108_/lang-1030.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$_108_/lang-1031.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
$_108_/lang-1031.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$_108_/lang-1032.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
$_108_/lang-1032.dll
Resource
win10v2004-20241007-en
General
-
Target
rcsetup154.exe
-
Size
25.3MB
-
MD5
990c04965d0069c6b30399bd7996d26e
-
SHA1
de2cf03a1dbdbe1b02327e92aeaef96a583280df
-
SHA256
dbf0895d886b428c8465ee57aea56a7e7b6e4c003efd04ca00d216a2d821eac9
-
SHA512
6cd56b81ca5e4850b24bf3ba76d3975430f672ea1692f511e1a74a4fdb9d83f1a37ec21a35c3b540a37cbd9259720a3d6686acdabe522c44d2cf3a5ac73cff6a
-
SSDEEP
393216:9XswzpKCszHe29+awN4Ac4Li2qtl5TtBgT2ef9su3OMJfS6uWuuJ3CCfTpTTofm:93zeBFwaf2OTtB3ahfSzuJ31Fvo
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | rcsetup154.exe |
| File opened for modification | \??\PhysicalDrive0 | recuva64.exe |
| File opened for modification | \??\PhysicalDrive0 | recuva64.exe |
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 54 IoCs
-
Executes dropped EXE 2 IoCs
| pid | Process |
| --- | --- |
| 2220 | recuva64.exe |
| 1648 | recuva64.exe |
-
Loads dropped DLL 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 2008 | 2380 | WerFault.exe | 29 |
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rcsetup154.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe |
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | recuva64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | recuva64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | recuva64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | recuva64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rcsetup154.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rcsetup154.exe |
-
Modifies data under HKEY_USERS 19 IoCs
-
Modifies registry class 28 IoCs
-
Modifies system certificate store
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | rcsetup154.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | rcsetup154.exe |
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
| pid | Process |
| --- | --- |
| 2380 | rcsetup154.exe |
| 2380 | rcsetup154.exe |
| 2380 | rcsetup154.exe |
| 2380 | rcsetup154.exe |
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rcsetup154.exe"
  PID: 2380
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Process: C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
    PID: 2496
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - Process: C:\Windows\system32\regsvr32.exe
      Command line: /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
      PID: 2248
      - Loads dropped DLL
      - Modifies registry class
  - Process: C:\Program Files\Recuva\recuva64.exe
    Command line: "C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
    PID: 2220
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  - Process: C:\Program Files\Recuva\recuva64.exe
    Command line: "C:\Program Files\Recuva\recuva64.exe"
    PID: 1648
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
  - Process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 780
    PID: 2008
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads