Analysis
max time kernel: 144s
max time network: 137s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-11-2024 05:55
Static task: static1
Behavioral task: behavioral1
  Sample: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
  Resource: win10v2004-20241007-en
General
Target: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
Size: 44.6MB
MD5: a4d9f86c09bef236ea991b8801af8ebf
SHA1: dd7f0c051958471cd01005544f43a61323e7f108
SHA256: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
SHA512: 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56
SSDEEP: 786432:ozXyL7usprI6tyioiFbiOHwWNHwKlyU0yBtmFFfNGdzRAK1uJMXGkd9hCvytof/H:Ki2sUUWOHwWnv0yTmFdNG4KxxCKWX33
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the exclusion is the installer's own drop directory, C:\Program Files\UpgradeValiantSupervisor (see the powershell.exe command line in the process tree), so the archives extracted there afterwards are never scanned.
- pid 1028 powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) on the drive roots \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: by msiexec.exe (each of the 23 letters opened twice, 46 events in total)
Drops file in System32 directory (7 IoCs)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Telegram.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 Telegram.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 Telegram.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 Telegram.exe
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games tsetup.tmp
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini tsetup.tmp
Drops file in Program Files directory (17 IoCs)
- File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe MsiExec.exe
- File created C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ msiexec.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs ZhObbZwOavDN.exe
- File created C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe msiexec.exe
- File created C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll msiexec.exe
- File opened for modification C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe MsiExec.exe
- File created C:\Program Files\UpgradeValiantSupervisor\tsetup.exe msiexec.exe
Drops file in Windows directory (10 IoCs)
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File opened for modification C:\Windows\Installer\f76c207.msi msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File opened for modification C:\Windows\Installer\f76c208.ipi msiexec.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File created C:\Windows\Installer\f76c207.msi msiexec.exe
- File created C:\Windows\Installer\f76c208.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\MSIC2D2.tmp msiexec.exe
- File created C:\Windows\Installer\f76c20a.msi msiexec.exe
Executes dropped EXE (6 IoCs)
- pid 776 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- pid 2016 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- pid 2444 ZhObbZwOavDN.exe
- pid 2300 tsetup.exe
- pid 408 tsetup.tmp
- pid 2216 Telegram.exe
Loads dropped DLL (10 IoCs)
- pid 2300 tsetup.exe (1 event)
- pid 408 tsetup.tmp (3 events)
- pid 1196 Process not Found (4 events)
- pid 2216 Telegram.exe (2 events)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
- pid 2124 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tsetup.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tsetup.tmp
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZhObbZwOavDN.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems. Caveat: in this run the target is 127.0.0.1 (ping 127.0.0.1 -n 2 inside the cmd.exe chain), which tests nothing on the network; it is the usual cmd.exe idiom for a roughly one-second pause between the two archive extractions, so this hit should not be read as connectivity discovery.
- pid 2804 PING.EXE
- pid 680 cmd.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ Telegram.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Telegram.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Telegram.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Telegram.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe
- Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe
Modifies data under HKEY_USERS (64 IoCs)
All writes go to \REGISTRY\USER\.DEFAULT, the LocalSystem profile hive, rather than to the Admin user's hive: the Inno Setup child (tsetup.tmp) and Telegram.exe inherit the SYSTEM context of the Windows Installer custom-action host (MsiExec.exe -Embedding) that launched them, which is also why Telegram.exe writes its CryptnetUrlCache under C:\Windows\system32\config\systemprofile.
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates Telegram.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: App Path = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop" tsetup.tmp
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLInfoAbout = "https://desktop.telegram.org" tsetup.tmp
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 tsetup.tmp
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Telegram.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLUpdateInfo = "https://desktop.telegram.org" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Language = "english" tsetup.tmp
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MajorVersion = "5" tsetup.tmp
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tg\ = "URL:Telegram Link" Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs Telegram.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0801efd2237db01 powershell.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 9801000020582c012337db01 tsetup.tmp
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software tsetup.tmp
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs Telegram.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Telegram.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\UrlAssociations Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs Telegram.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\UninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\"" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs Telegram.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 tsetup.tmp
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\InstallDate = "20241115" tsetup.tmp
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates Telegram.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationName = "Telegram Desktop" Telegram.exe
Modifies registry class (22 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" msiexec.exe
Runs ping.exe (1 TTP, 1 IoC)
- pid 2804 PING.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 2216 Telegram.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
- pid 776 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
- pid 2016 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
- pid 2532 msiexec.exe (2 events)
- pid 1028 powershell.exe (1 event)
- pid 2444 ZhObbZwOavDN.exe (50 events)
- pid 408 tsetup.tmp (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 2124 msiexec.exe (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 2532 msiexec.exe (11 events): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating three more times each
- pid 2396 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- pid 3056 DrvInst.exe (10 events): SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
- pid 1028 powershell.exe (1 event): SeDebugPrivilege
- pid 776 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe (4 events): SeRestorePrivilege, 35 (reported as a bare privilege number), SeSecurityPrivilege, SeSecurityPrivilege
- pid 2016 YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe (4 events): SeRestorePrivilege, 35 (reported as a bare privilege number), SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (7 IoCs)
- pid 2124 msiexec.exe (2 events)
- pid 408 tsetup.tmp (1 event)
- pid 2216 Telegram.exe (4 events)
Suspicious use of SendNotifyMessage (4 IoCs)
- pid 2216 Telegram.exe (4 events)
Suspicious use of WriteProcessMemory (44 IoCs)
Each line is one parent-to-child relationship; the event count is how many times the sandbox logged the write, and procid_target is the sandbox's internal index of the child.
- PID 2532 msiexec.exe wrote to memory of 2340 (procid_target 34): 5 events
- PID 2340 MsiExec.exe wrote to memory of 1028 (procid_target 36): 3 events
- PID 2340 MsiExec.exe wrote to memory of 680 (procid_target 39): 3 events
- PID 680 cmd.exe wrote to memory of 776 (procid_target 41): 4 events
- PID 680 cmd.exe wrote to memory of 2804 (procid_target 42): 3 events
- PID 680 cmd.exe wrote to memory of 2016 (procid_target 44): 4 events
- PID 2340 MsiExec.exe wrote to memory of 2444 (procid_target 46): 4 events
- PID 2340 MsiExec.exe wrote to memory of 2300 (procid_target 47): 7 events
- PID 2300 tsetup.exe wrote to memory of 408 (procid_target 49): 7 events
- PID 408 tsetup.tmp wrote to memory of 2216 (procid_target 51): 4 events
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2124)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2532)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 2340)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding A73CE193CF33C9120F535CD0860ED9B6 M Global\MSI0000
    Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    Note: this is the Windows Installer custom-action host; every payload process below descends from it and therefore runs with the service's SYSTEM token.
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1028)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
      Signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 680)
      Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
      Note: the switch syntax (x, -o<dir>, -p<password>, -y, -x!<name>) is 7-Zip's console syntax, so the dropped YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe is consistent with a renamed 7-Zip binary. Both archive passwords are passed in the clear on the command line, which makes them recoverable from process-creation telemetry. The second archive (iRlgheBCPWUcwhQjzNGDiXyPXDubci) is listed above as created by the extractor, i.e. it comes out of the first one; -x!1_ZhObbZwOavDN.exe tells the extractor to skip the member 1_ZhObbZwOavDN.exe. The ping 127.0.0.1 -n 2 between the two runs is a delay, not a connectivity check.
      - C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe (PID 776)
        Command line: "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
        Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE (PID 2804)
        Command line: ping 127.0.0.1 -n 2
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe (PID 2016)
        Command line: "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
        Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe (PID 2444)
      Command line: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
      Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\UpgradeValiantSupervisor\tsetup.exe (PID 2300)
      Command line: "C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      Note: tsetup.exe is an Inno Setup package (the is-XXXX.tmp\*.tmp child with /SL5= and the unins000.exe uninstall string are Inno Setup's), and the uninstall entries it writes point at https://desktop.telegram.org; it installs Telegram Desktop alongside the other dropped components.
      - C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp (PID 408)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp" /SL5="$C01AE,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
        Signatures: Drops file in System32 directory; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe (PID 2216)
          Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          Signatures: Drops file in System32 directory; Executes dropped EXE; Loads dropped DLL; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\vssvc.exe (PID 2396)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 3056)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005E0"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads