Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-11-2024 15:32
General
-
Target
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
-
Size
6.1MB
-
MD5
02bec9d86e4839199a60b334dd650e60
-
SHA1
8f86b49725abfae4c201654f3aa43ec0041cea39
-
SHA256
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
-
SHA512
660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
SSDEEP
196608:iLmGZT4llVN1apVkFGT5KSPNOe7mBuyQzh:iyST4TlIGWK+N0BnQzh
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 53 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Disables RegEdit via registry modification 4 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 17 IoCs
-
Sets service image path in registry 2 TTPs 30 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 64 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 20 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 46 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Drops desktop.ini file(s) 3 IoCs
-
Indicator Removal: Clear Persistence 1 TTPs 64 IoCs
remove IFEO.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies data under HKEY_USERS 26 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Runs regedit.exe 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"C:\Users\Admin\AppData\Local\Temp\6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops desktop.ini file(s)
- Indicator Removal: Clear Persistence
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\ERUNT.3XE"C:\32788R22FWJFW\ERUNT.3XE" "C:\Windows\erdnt\Hiv-backup" SYSREG CURUSER OTHERUSERS /NOCONFIRMDELETE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\PEV.3XEC:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg3⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
-
C:\32788R22FWJFW\EN-US\iexplore.exeC:\32788R22FWJFW\EN-US\iexplore.exe /w C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\PEV.3XEC:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg4⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
-
-
C:\32788R22FWJFW\iexplore.exeC:\32788R22FWJFW\iexplore.exe Script C:\32788R22FWJFW\Nirscript.dat3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -s450000-1400000 -t!k -t!o -t!g -k C:\*.exe and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -k { "C:\ProgramData\*" or "C:\Users\Admin\*" } not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -k "C:\Users\Admin\AppData\Local\Temp\*" not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -rk { "C:\Program Files (x86)\*" OR "C:\Program Files (x86)\Common Files\*" } not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -loadline:C:\32788R22FWJFW\License\UnxUtilsDist.pif and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -loadline:C:\32788R22FWJFW\License\UnxUtilsDist.com and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C C:\Windows\SysNative\cmd.exe /c C:\32788R22FWJFW\fl0.bat3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\SysNative\cmd.exe /c C:\32788R22FWJFW\fl0.bat4⤵
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\gsar.3XEGSAR -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" cmd.3XE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /DA:R /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /RESET /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Command Processor" /RESET /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\swsc.3XESWSC QUERY BFE5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsq "STATE : 4 RUNNING"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\pev.3XEPEV -tx40000 -t!g -rtf -tpmz -c##y#b#z# \Services.exe5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\sed.3XESED -r "/(0x0.*)\t\1/d"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\grep.3XEGREP .5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\Windows\Installer\*000*.? -preg"C:\\Windows\\Installer\\\{[^\\]*\}\\U\\[^\\]*\..$"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\setpath.3XESETPATH5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\32788R22FWJFW\grep.3XEGREP -sq . ZAFldr00.dat5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
-
C:\32788R22FWJFW\Hidec.3XEC:\32788R22FWJFW\Hidec.3XE C:\Windows\Sysnative\cmd.exe /c REGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /c REGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat4⤵
-
C:\Windows\regedit.exeREGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat5⤵
- Modifies security service
- Event Triggered Execution: Image File Execution Options Injection
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Modifies system executable filetype association
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs regedit.exe
-
-
-
-
C:\32788R22FWJFW\Hidec.3XEC:\32788R22FWJFW\Hidec.3XE C:\32788R22FWJFW\cmd.3XE /C C:\32788R22FWJFW\p.cmd3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\32788R22FWJFW\cmd.3XEC:\32788R22FWJFW\cmd.3XE /C C:\32788R22FWJFW\p.cmd4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\32788R22FWJFW\pev.3XEPEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg5⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -Eix "HKEY_.*\\root\\\*PNP[^\\]*" PNP296_005⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD.3XE WIN CLOSE CLASS "#32770"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -isq "ProductType.*WinNT" WinNT005⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\pev.3XEPEV -c##g# "C:\Windows\system32\kernel32.dll"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exeFINDSTR -B "6.1.760" CurVer5⤵
-
-
C:\32788R22FWJFW\hidec.3XEHIDEC SWSC START CryptSvc5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\pev.3XEPEV -rtd C:\Windows\Sysnative5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\grep.3XEGREP -isq "processorArchitecture=.amd64." "C:\Windows\SysNative\csrss.exe"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD CMDWAIT 6000 EXEC HIDE PEV -k CSCRIPT.exe5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cscript.exeCSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:05 "C:\32788R22FWJFW\ksvchost.vbs"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\pev.3XEPEV -k NIRCMD.3XE5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver5⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swsc.3XESWSC QUERY BFE5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsq "STATE : 4 RUNNING"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /V "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" /T REG_DWORD /D 15⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Control Panel\International" /v LocaleName5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\sed.3XESED.3XE -r "/.* /!d; s///; s/(\\0)*$//; s/\\0/\n/g" MUI005⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\sed.3XESED.3XE -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -Fsqix en-US MUI5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\pev.3XEPEV -limit1 -rtf -sasize "C:\32788R22FWJFW\en-US\*.3XE.mui"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\pev.3XEPEV UZIP License\pv_5_2_2.zip .\5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKLM\Software\Swearware" /V LastDir5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\sed.3XESED -r "/.* (.:\\[^\\]*)$/!d; s//\1/"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\pev.3XEPEV -outputtemp00 -rtf -c:##5# .\* and { License.exe or 32788R22FWJFW.exe or WinNT.exe or N_.exe }5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Console_combofixbackup"5⤵
- Executes dropped EXE
-
-
C:\32788R22FWJFW\swreg.3XESWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 05⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 15⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP5⤵
-
-
C:\32788R22FWJFW\sed.3XESED "/.* /!d; s//@CHCP.com /" NlsCodePageACP005⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"5⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\chcp.comCHCP.com 12525⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default5⤵
-
-
C:\32788R22FWJFW\sed.3XESED "/.* /!d; s///" NlsLanguage005⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -isq "09$" NlsLanguageDefault5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY hklm\system\currentcontrolset\enum\root\system5⤵
-
-
C:\32788R22FWJFW\swsc.3XESWSC DELETE MBR5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\rmbr.3XERMBR -u5⤵
-
-
C:\32788R22FWJFW\handle.3XEHANDLE -p System5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\32788R22FWJFW\handle64.exeHANDLE -p System6⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fic "C:\Windows\SysWow64\drivers\volsnap.sys" temp005⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -E "^[5-9]$|.."5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -tx50000 -tf -files:files.pif -c:##5#b#f# -output:mdCheck00.dat5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -vs "^!" mdCheck00.dat5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fvf md5sum.pif mdCheck0a.dat5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -sq . mdCheck01.dat5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /RESET /Q5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fi "C:\Windows\system32\userinit.exe" Userinit005⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"5⤵
- Modifies WinLogon for persistence
-
-
C:\32788R22FWJFW\sed.3XESED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) *//; s/(\x22[^\x22]*\x22)/\n\1\n/g" SET005⤵
-
-
C:\32788R22FWJFW\sed.3XESED -r "/./!d; /^\x22/!{s/\x22(\S+)\x22/\1/; s_\s+(/\S+)\s+_ \x22\1\x22 _g; s_\s+(/\S+)\s+_ \x22\1\x22 _g; s_\x22\s+(/\S*)$_\x22 \x22\1\x22_; s_^(/\S+)\s+_\x22\1\x22 _; }" temp005⤵
-
-
C:\32788R22FWJFW\sed.3XESED -r ":a; $!N;s/\n *\x22/ \x22/;ta; s/./@SET SfxCmd=&/; s/^(@SET SfxCmd=)([^\x22]\S*)$/\1\x22\2\x22/" temp015⤵
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$" MSName005⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\uninstall\.....$" MSName005⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\NoMbr\.....$" MSName005⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\iexplore\.exe.$" MSName005⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\sed.3XESED -r "/.*\\CF@C([1-9][0-9])M([1-9])\.....$/I!d; s//\1\t\2/" MSName005⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP .5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\Windows\Installer\*000*.? -preg"C:\\Windows\\Installer\\\{[^\\]*\}\\U\\[^\\]*\..$"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\$RECYCLE.bin\* /GA:F /S /Q5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\$RECYCLE.bin\*000*.? -preg"\\U\\[^\\]*\..$"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\ATTRIB.3XEATTRIB +R "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP "=.*[a-z]" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "=.\/NoMbr| .\/NoMbr. | .\/NoMbr.$" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "\\CFScript[^:\/\\]*$" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD CMDWAIT 9000 EXEC HIDE PEV -k CSCRIPT.3XE5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\CSCRIPT.3XECSCRIPT //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -k NIRCMD.3XE5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsf AVBlack resident.txt5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fivf AVWhite resident.txt5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -E "^(AV|SP): .*\*Enabled/"5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -k * -preg"\\((ntvdm|teatimer[^\\]*|ad-watch[^\\]*|SZServer|StopZilla[^\\]*|userinit|procmon|txp1atform|SonndMan|ANDRE|TOLO|jalang|jalangkung|jantungan|DOSEN|C3W3K4MPUS)\.exe)$"5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fx "REGEDIT4" Fin.dat5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -ix "FileName=[-[:alnum:]@_.]*" FileName5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -ivx ComboFix DirName005⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fisqx "._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82" DirName015⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\pev.3XEPEV UZIP "License\streamtools.zip" License5⤵
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "=.\/uninstall| .\/uninstall. | .\/uninstall.$" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
-
-
C:\32788R22FWJFW\pev.3XEPEV -rtf -s=0 "C:\Windows\erdnt\Hiv-backup\*"5⤵
-
-
C:\32788R22FWJFW\pev.3XEPEV -k SWSC.3XE5⤵
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82"5⤵
-
-
C:\32788R22FWJFW\hidec.3XEHIDEC "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE" /F:OFF /D /C C:\Start_.cmd5⤵
- System Location Discovery: System Language Discovery
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE" /F:OFF /D /C C:\Start_.cmd6⤵
-
C:\Windows\system32\attrib.exeATTRIB -H -S "C:\32788R22FWJFW\*"7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE" /k c.bat7⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
-
C:\Windows\system32\chcp.comCHCP.com 12528⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV RIMPORT EXE.reg8⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "hklm\system\select" /v "current"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -r "/.* /!d; s//00/; s/^[0-9]*(...) .*/@SET ControlSet=ControlSet\1\nSET CS000=HKEY_LOCAL_MACHINE\\system\\ControlSet\1\\Services/"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ATTRIB.3XEATTRIB +S "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -sqx "REGEDIT4" Fin.dat8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ATTRIB.3XEATTRIB +R *.3XE8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmdC.3XENIRCMDC EXEC SHOW "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE" /C " ECHO.&&ECHO.-------- ~%CurrDate.yyyy-MM-dd% - ~%CurrTime.HH:mm:ss% -------------&&ECHO."8⤵
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE" /C " ECHO.&&ECHO.-------- 2024-11-19 - 15:33:38 -------------&&ECHO."9⤵
-
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "HKCU\Console_combofixbackup"8⤵
-
-
C:\Windows\system32\chcp.comCHCP.com 12528⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -isq "09$" NlsLanguageDefault8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Eisq "=.\/uninstall.| .\/uninstall. | .\/uninstall.$" sfx.cmd8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swxcacls.3XESWXCACLS PV.3XE /P /GE:F /Q8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -m CF30854.3XE8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -R "1,3d; /[4-9]\S{7}\s*\d* .:\\|\\detoured.dll$/Id; /.*(.:\\.*)/I!d; s//\1/" ForeignC008⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Fixvf ForeignWht ForeignC018⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY HKLM\Software\Swearware /V "CF_Update"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG DELETE HKLM\Software\Swearware /V "CF_Update"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\hidec.3XEHIDEC PING -n 1 -w 250 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.exePING -n 1 -w 250 127.0.0.19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -d2000 -xa PING.3XE8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -m PING.3XE8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -R "1,3d; /((10|4)00000|[4-9]\S{7})\s*\d* .:\\/d; /C:\\Windows\\SysWow64\\(xpsp2res|Normaliz|urlmon|odbcint|imon)\.dll/Id; /\)|\\/I!d; s/.*(.:\\)/\1/" pingtest008⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Fixf ForeignWht pingtest018⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -k PING.3XE8⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PING.3XEPING -n 2 -w 500 google.com8⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "HKLM\SOFTWARE\swearware\Backup\Winsock2"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\SOFTWARE\swearware" /RESET8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG COPY "HKLM\SYSTEM\CurrentControlSet\Services\WinSock2" "HKLM\SOFTWARE\swearware\Backup\Winsock2" /s8⤵
-
-
C:\Windows\system32\sort.exeSORT /M 65536 Mirrors00 /O Mirrors8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ComboFix-Download.3XEComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: download.bleepingcomputer.com" http://208.43.120.24/sUBs/version.txt8⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP "^[0-9][0-9].* [0-9]"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ComboFix-Download.3XEComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/version.txt8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP "^[0-9][0-9].* [0-9]"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY HKLM\Software\Swearware /v 44617465204572726F728⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -rtf -dg15 .\md5sum.pif8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ADD "HKLM\Software\Swearware" /v 44617465204572726F72 /d "idk"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NircmdB.exeNircmdB.exe QBOXCOMTOP "Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick 'Yes' to run in REDUCED FUNCTIONALITY mode~n~nClick 'No' to exit" "Version_18-08-08.01" "" FILLDELETE ABORTB8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -rtf -dl10 .\md5sum.pif8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -sq "FIXLSP.bat" "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -k C:\Windows\* and { SWXCACLS.exe or SWSC.exe or PEV.exe or sed.exe or grep.exe or zip.exe or mbr.exe } or C:\Windows\system32\SWSC.exe8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Esq "FIXLSP.bat|C.o.m.b.o.F.i.x" "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmd.3XENIRCMD WIN HIDE TITLE .8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmd.3XENIRCMD WIN HIDE ITITLE ": ."8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PEV.exePEV.exe -k { *.3XE or NIRCMD.exe } and not C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30854.3XE8⤵
-
-
C:\Windows\regedit.exeC:\Windows\regedit.exe /s "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\fin.dat"8⤵
- Impair Defenses: Safe Mode Boot
- Modifies registry class
- Runs regedit.exe
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG copy "hkcu\control panel\international_combofixbackup" "hkcu\control panel\international" /s8⤵
- Modifies Control Panel
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG copy "hku\.default\control panel\international_combofixbackup" "hku\.default\control panel\international" /s8⤵
- Modifies data under HKEY_USERS
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG COPY "hkcu\console_combofixbackup" "hkcu\console" /s8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG DELETE "hkcu\console_combofixbackup"8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NircmdB.exeNircmdB.exe SYSREFRESH INTL8⤵
- System Location Discovery: System Language Discovery
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q8⤵
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q8⤵
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe CMDWAIT 5000 EXECMD DEL /A/F C:\Windows\NIRCMD.exe8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c DEL /A/F C:\Windows\NIRCMD.exe9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe EXECMD "RD /S/Q "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\"8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "RD /S/Q "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\"9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe WIN CLOSE CLASS #327708⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\32788R22FWJFW\pev.3XEPEV WAIT 20005⤵
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD5fddb66186804dc1a836ee7b288aec224
SHA11570fd4102cb3d5940e8527e2efaa23c7367cd8e
SHA25664ae6e396d7c15f8101e74d99009e3301898105d4082392415a3afb824298c7c
SHA5127edc20e77458f0ffe5a6ff4cb4a214ef3f64218de6c07a3ee0d6b6f9a66fff57598f6b35c66b4cdd8b71b4053c781e90ece626187dd6f6adf1da56756a3dfd31
-
Filesize
24B
MD579c644256de6427ed74aa9225299685e
SHA199bd5a2cec702cc8f0d38828bee63739ee4718dc
SHA256d76c2daf80bc9550db8285aa715c787ee2238f2d96777fdf52f3dc96c07ef55c
SHA512a13f8178160689ad18a1bdb1704dd5ea9cd173e2d2e52ea081d0063d95425e54f83f7f0018fb57e6e9a65aedbee6547670d4a4e3035469b31252a5e1c3c77e3e
-
Filesize
66B
MD5955de0e7ae154a12e0eb81dc30ed0905
SHA1136138d125ccd2cf5529b40e207d673f78b159c3
SHA25687eebb19c6607ebbe65b6b307c06ce4c8464ee0aa7f0e1bc7335e374a4a6b9c6
SHA5124cd99739def158c2f30440e644961395cbf4b754d618d21df4d856682aee0fe2487d3ac35d7b699e57f6ca5debbdd5469535a358ab692bca53b936852cb341d1
-
Filesize
9KB
MD55b5d34c87292116639cfa3451fb6e0d9
SHA1a62b1a486f27fcabe7497f61772d68f75d4c5cc2
SHA256468469b56310fc8bb26e9ec0b3ae7c0b30f7c25470f9948d46323cfc901907e3
SHA512b9bdf0270aadf74fe667ab987f15ec72aa61f951a7dfca535c07f19f0e21e82097983b59a8e424364d7762b192e632390fd8d832cffa7eaad496aab7d3b7597a
-
Filesize
44KB
MD5f3a500fb9c16ddf7af12cf3eff0716e2
SHA135dead0077a4fc25612d90f95776af81c3d96dc3
SHA25612434c2df267a3e4d348c3e823d89c212de4d398447668bb3544f270f669864a
SHA512c0438a60f8a5dc6df0cc1ed19262b3fd9869a661bec7e7aaf7befa04c2192476765be4bdc84ed8668ad04f8fceb20361afb070c68a1f6eacfc8ba9d83219f5a2
-
Filesize
12KB
MD53274f791d4cc2cfe4dec805403ad10e3
SHA199dfdd6b292efd86b5810e6354182b2db0c78f41
SHA25678d9c7e42a14f2c5b377394ceedf7f9a77d16df43434eaecc0ac5cfc01cbc121
SHA512e6ed28767307160b43695276b4347a2c7064e838ca2038aad4dd6fe5d2bf3007489e514d73aa70a8a9012e2a851d183c72f753ff1c6e64e0cf30f915d3efcb0a
-
Filesize
19B
MD5d875037251b54bfeb674f591350d3b23
SHA1973b66e72611b62f6d106c7f729605f0a30eb408
SHA25614e50a7afb6646e7c82a3b3beae6d490be5adcaa7b9fda58779e2314da38d6d6
SHA512a660e1e8ec7b9fc56f034541a58c7a873c12b40f7aa62d987f9d7030365f13a57b4420589eb7a0a56f4d23112b7003e9647866329d62516aad95e823560c9b1e
-
Filesize
152KB
MD5791af7743252d0cd10a30d61e5bc1f8e
SHA170096a77e202cf9f30c064956f36d14bcbd8f7bb
SHA256e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15
SHA512d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb
-
Filesize
128KB
MD584fa403e67ccf1a031faeb39a091a7c0
SHA1e22bd0cc50f20d0b1e4f0283f8cf9d54a8ca99a8
SHA2566aaf47281e52b184d6e58cac0822dae59eb719f2af63360ecf645e1255e8644b
SHA512d47ded5cb06b6bae3a83432f2353059a97b2c0c4b161c150bdb510c7744b55b0686738d4d37861aa4d0acce697ee5cabf521ce7f926399b046b42cc4e8494827
-
Filesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
Filesize
159KB
MD589afdd29832aa923926bdd4b5f5243d5
SHA14ee93ef072559c5184236718fe07485bc5ddbe2d
SHA256a559f249fc0e56bc925609773f6cc9cd1826bf70916be1d6370ce4707a6dfd84
SHA512289e9be8566e7b1713c4ed0fa9be509b7d7dd6fe5bab6a7cee7a338f2aeab040419f1fbd032ba97b984691144b54ee8089a6e964ea8633bfa56539010e29a812
-
Filesize
2KB
MD5f9650a5c954d2a9f8844de99e8577f93
SHA1791a85bf67f5dc3734453808bd3013a866b970ba
SHA2563c3ba112731c697b8700de546195c4a02f96f4fe28d39a75551f932985e0c15e
SHA5120b68eb79b37504586da9c7776594c6ebb0251539b7172a2d631d9cacf54d00445693bcacc7f6f15c9902f79fd3bc22a2274575df9d4db129ee0d856b41ed8ba2
-
Filesize
3KB
MD5388d865d44ee8069df8bd12efedadb3e
SHA1e59a20c9c5de1164a16b23014fc3b6a6cf385d14
SHA2569bdfefd45997b94cfe323d4ce4209941a08061ea364bb969a9d3afb418b6fe61
SHA512e3db6a26c55ce3f141565afc5831a2ee7a63741838b084dcf8cadf500b2b2fbeaccf0e417c996c7a10a4de78ae4d2f423d3043c37025049b8cf154cded4623cd
-
Filesize
3KB
MD502187b1b6f37b3d0030791c802a6174c
SHA1b0f8330dcca6d6f4426dcce8fe8705d12f06df1d
SHA256fb96fb9575fad8df03df5e48b7ec0bd9a151ebabc9dd949867b087ea925f33da
SHA512b8da90647afa78c7649a198556529567f65d59206e686d64c98e13496295a75580e89dbc18c92eb9ef36ab2bcc414d35af9b2cfb35417f7f4afd622fc7f248d2
-
Filesize
17KB
MD56029d80d8e934047f4680d425878f8df
SHA162cbc0902c2159f453776c634e8137bd9da756b5
SHA256dac913a8c06902546d4ebb264b293dcf0fbeb566657b5fb769c9f22448d77847
SHA51238450b14163805f2385fa9ed2a7aff49c81fdfa8c5a41b16862d7d498e1f8bbeeecc977dd2b94c8e4f621ad6d5619b49d7b9c0dd24fd8662b928df5128d0f822
-
Filesize
8KB
MD543c7228b35d17db840f2254b92e00d8b
SHA1888325a0429e5b7b8229daa058c7cdacf7db2c0d
SHA2568ca7e8f9dc2906b78842c61a52b0a95fd744fa2e76de470588f821cb88e21e45
SHA512f9fbc9a9cf73a226f08ff112c8959419bb1893300e5e81110b63d4926628aa4bbe88d1f6a2b1e6a3ee04e9b903d66c8664c98c9e46aa2ddb8117bfdc8eefdeeb
-
Filesize
144B
MD5306c4a0f4ecea81cd27076b35b2b0ceb
SHA19f1f11b86d04f43ad0cc41b46795071efd579d40
SHA256778eaf3129c871b4ff32eba227166711a47fca8b458f34f9198adbb70ee3404e
SHA512223c53f24de764ad98de9b651a0eaeb01ebde1ebcc16c2c59bd803d751c5fa2acd1395e3cd259f9f215d8ce9a26159391e6dba356fde9360d7cf67aaa3262873
-
Filesize
388B
MD5128128e7a82b1cf02e92d2166a37e000
SHA18bddc1272c15f9f9560ed8cd13d91b9e2b040201
SHA25618daa45bf4a05e023dcbb3e5c7c410be4750f7ff81d181ff59a080cd3af6e92f
SHA51274df10f7593dbe0e86b21936c8ee47ee278672865d73ff33c529e4dc4e846a8b2a02ff51504ca5d4bdc65525542ee20406e98dcedb3ffa47f708531fd4ce2274
-
Filesize
1KB
MD5ee0eede328eab3072e18d2836f0b5733
SHA1f7f0d25e92e3d334ae709ec86fe3e038ec397647
SHA256b8af13a08015ab1b267d6b6b6b0b317355c6288457b5d9ef7f9995937a666b17
SHA5125a0317bb3c9d0d82c25aacbfe591e96d0d666879ce13ec6b55c016afa2573caf343da5108a62bcf1c2890f7f4f06966bac4ecbebb6eb03dd34ab39dc11bb3190
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
1KB
MD575b33a3d7d7eaba0dc6d13f8ba6f825e
SHA167644b09419b002ae121680689bbb2fe81aea2b8
SHA2564d3d7317f2f032264dafa4f2a7a83cb7c6543fa2e2ed2c6d95e1a3ff6c1dd666
SHA51216dc56acafc7bb6456a743979de309c5c0651edce0efc17fcdc814bc928a7f17760ce2fa664b4b49e1d9a30efb218eefa985d7ece2e68b843ef17dc1b1b59c7e
-
Filesize
6B
MD5486da0e231191ae975f6d2b4d14f9d39
SHA193884c615df1514c050d52104a7dfd045f8b6760
SHA25603db0edf70b6e6a3601107fa8f4fa1b1044fc83f65927c0b3b3374c041826b61
SHA5126fea149031c39c9a2a17e05e6f6f21d20e8cf0e384e975448566295b81d95b7d5cc448cd9e56e809c85d3f709237f616e329e469c482559f4c606cd4b961651a
-
Filesize
10KB
MD57d1dc643c3f97f6e396331035b704ab6
SHA19adfe7d1c195ab984a9cefdeec49bd39c68d084c
SHA256ddc809fba49b8ec969850027d265f6c5aa6d195385f8ed3fe38a66fe0bbbaad4
SHA51256a85cbfaf4ef41854633853a0e7af4ed7a754c9ed36b94be92d41c690b9d8d73704a92e3becc083130d92aea0591c5eb67242c1348c19e14fd693b8584260d2
-
Filesize
78KB
MD59e05a9c264c8a908a8e79450fcbff047
SHA1363b2ee171de15aeea793bd7fdffd68d0feb8ba4
SHA256c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1
SHA512712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa
-
Filesize
15KB
MD5d6a005f8facff88e260688ddb7ae00c1
SHA14e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA2560ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA5127e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
Filesize
2KB
MD55b4f9947085428bdafd5f5f13fc61e5b
SHA10a097d99dd988407be0b0b0776ec5c029a47a27c
SHA256a6b85f67b1ff30eaf6893e757ffbba785de0e859afc4362eee9318b63c240cdf
SHA512c61badeafddb9fe8411dc7130c905b615333de8ed576874300dafac9144771d099fe59e33e642987e1621d18f8a0dccd69e763451d33a609d0a8f325b5908c77
-
Filesize
14B
MD5954a44456e60a31dba59ec10e0868f5c
SHA17a3101cf946e0d72c3c247547dcc4694d9717260
SHA256a67745e34ed24fc8f769632758dc152c058a81ab7d171ac9c0d8f4a47dd569b9
SHA51282799111dec1bee2bd526f743eda584d23691728dd474800e682938ddaa1765d3a016ca44864bb21ce1739ef17ceea7106e1a19607a10943e34301ac8ba9ce32
-
Filesize
506KB
MD5a46842c9b0c567a5a9584e83a163560c
SHA17c01e92196c1fa584f05b40e0ad7952525b00686
SHA256715c24bf2bfdfb50c5b9bff41b7cc2728d6986af97edeeb1f1df0c35d673ad98
SHA512b439d97731b364922a2816739389443cee9137dad99556498d68fe2b617f7070a2c9ab00ec59f388fc6b72faba489605688ea3a180899690b42c50b17952e956
-
Filesize
397KB
MD50297c72529807322b152f517fdb0a9fc
SHA12e818e096dded6e01413ff10b5ba0ddb43920b77
SHA256c4d17d7b6c42bca40a313212422add7581192283eb489af9af1b8b6d9cee67e0
SHA512634b4a41bc71a5be39b6962198f19baa63c89887897c2ea47aaf150f27c375ec69d24e61e891442ca9b675ca4bdfd7f5ee0056d99ceb4b8ca6beaaa3f8f2acee
-
Filesize
207KB
MD5b1a9cf0b6f80611d31987c247ec630b4
SHA17299b3c370254e1e4bade26dc5fec818989d836a
SHA256933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-
Filesize
6.1MB
MD502bec9d86e4839199a60b334dd650e60
SHA18f86b49725abfae4c201654f3aa43ec0041cea39
SHA2566346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
SHA512660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
385KB
MD55a43a009414d356a018de0f9d3637f3a
SHA11ab32ff6729c7aea5f3fe37c6f3ee8a1f3ef55f9
SHA256a29dff95b99fb1fb997ebb9baeac450e69348e2fa9b0ebf3b3585fd2f44cd2f8
SHA51297545c4d482a60cb278a24bb80a6f2a5f15716d507203c83beef66dab31554ec9264497609c12461fa77bc1a765062d513a417048027f064b5da9d95a9231a1b
-
Filesize
59KB
MD5753bc16326fee4a421acb636ccd602f4
SHA19cca347a4659301f89105a5433539e9cad150c69
SHA25624ca5ceb560f68b37c7cd4e548303a3617bb230c3b7478fe61ae804b8f128e4a
SHA512b7924b660dc5e786bcd5cc5df160c29aaf48c88365940a9fbb60c77aa559e60bd5a7033e5edce4577fbad02f52582d65afbdbd22223cbe13df13cfbd9e4241ee
-
Filesize
250KB
MD5f042ee4c8d66248d9b86dcf52abae416
SHA14cd785c7c3e40c42e3d126086d986c4d4d940bb2
SHA256ae0f5cc54e4b133df66a54572a7ce52faff11f8fd0caeab088aad3699d6ec924
SHA512a8a5f1191dfa212e029c79f1e44866513c29b54a3ec25fd4badc65c80e65dafe7194a4ab597bd14d33bfd077dd8d58c07f29aeb2eed1ba8a065d3a4ad165340d
-
Filesize
5.4MB
MD59c181b1351af9d8574df0aaeb0e278de
SHA116010baa64a7d21fe9c435abac13798ccfedd0cd
SHA2563e4de6797fb83963bf660c2da8fd0fd523130e6b48b7834ba48d3f635d4e1ece
SHA512a1b09027b8e5f1ddd2bc4952ed73b708791e10e7a80fe8d726d238cfbca3a539559776fdce26f0e454ebfa2826a0ef3897a27283341ce2ed2ca28a1d24d827f7
-
Filesize
4KB
MD5b9380b0bea8854fd9f93cc1fda0dfeac
SHA1edb8d58074e098f7b5f0d158abedc7fc53638618
SHA2561f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
SHA51245c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
Filesize
4KB
MD5031ec9b12afb1fafc9fc397f3b90f29c
SHA1de26ddfe3ef452f8205bfbd5520a8eff6328619f
SHA2562dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1
SHA512cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6
-
Filesize
6KB
MD514f5984b926208de2aafb55dd9971d4a
SHA1e5afe0b80568135d3e259c73f93947d758a7b980
SHA256030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1
SHA512e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27
-
Filesize
14KB
MD586b723938b48dc670de8f1016c2fe603
SHA1ff432e1f5d2b8423872719520e9df4da401755c3
SHA256a238cb788e8077442358626fee022d0eb72fc228a5b11c101ab568662db27798
SHA5120a291d76fd950b6f4c725ba377aef42dd2ecfa2a2e7837cf6c98dfba8f4e6f30985a0d0028900d0528501b38f92ccca6353ab20acda2d3349db30021e78a2a5d
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
92KB
-
Filesize
64KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
208KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
8KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
436KB
-
Filesize
132KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
92KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
248KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
6.2MB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
404KB
-
Filesize
92KB
-
Filesize
840KB
-
Filesize
132KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
132KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
208KB
-
Filesize
6.2MB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
208KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
840KB
-
Filesize
208KB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
840KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
840KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
436KB
-
Filesize
840KB
-
Filesize
840KB