Analysis
max time kernel: 94s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 31-12-2024 17:29
Static task
static1
Behavioral task
behavioral1
Sample
9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll
Resource
win7-20240903-en
General
-
Target
9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll
-
Size
1.2MB
-
MD5
a5cab5f8f7b67680de7ec676189f5560
-
SHA1
3bb5d93e0ecf4386f11bf40e69b20bd1f5f07cc3
-
SHA256
9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402
-
SHA512
177c0d50b2096100e8a5d998b0f99966423649b44142c8660dfd311693250afbf9ee99bec4a845b9d511d9202298bcaa2f7e6d92d8f5483f338df60bce4e038e
-
SSDEEP
24576:U8F+Pzr/Hfp4MIYwZckMQmeVgheBvriXR/:U88zrp4MwL7vi
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rundll32mgr.exe
-
Ramnit family
-
Sality family
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" rundll32mgr.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
pid Process
4252 rundll32mgr.exe
1388 rundll32mgrmgr.exe
4144 WaterMark.exe
4968 WaterMark.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc rundll32mgr.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe
-
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe
-
resource yara_rule
behavioral2/memory/1388-22-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/1388-21-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/1388-20-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/4252-17-0x0000000005920000-0x00000000069AE000-memory.dmp upx
behavioral2/memory/1388-28-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/4252-26-0x00000000034F0000-0x000000000451A000-memory.dmp upx
behavioral2/memory/4252-15-0x00000000034F0000-0x000000000451A000-memory.dmp upx
behavioral2/memory/4252-10-0x00000000034F0000-0x000000000451A000-memory.dmp upx
behavioral2/memory/4252-61-0x0000000005920000-0x00000000069AE000-memory.dmp upx
behavioral2/memory/4252-25-0x00000000034F0000-0x000000000451A000-memory.dmp upx
behavioral2/memory/1388-44-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/4252-55-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/1388-41-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/1388-40-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/4252-34-0x0000000005920000-0x00000000069AE000-memory.dmp upx
behavioral2/memory/4252-35-0x0000000005920000-0x00000000069AE000-memory.dmp upx
behavioral2/memory/4252-50-0x0000000005920000-0x00000000069AE000-memory.dmp upx
behavioral2/memory/4144-105-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/4968-109-0x0000000000400000-0x0000000000421000-memory.dmp upx
-
Drops file in Program Files directory 5 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft\px9172.tmp rundll32mgrmgr.exe
File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgrmgr.exe
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgrmgr.exe
File opened for modification C:\Program Files (x86)\Microsoft\px924D.tmp rundll32mgr.exe
File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI rundll32mgr.exe
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgrmgr.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process
4252 rundll32mgr.exe
4144 WaterMark.exe
4968 WaterMark.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4252 rundll32mgr.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
1020 iexplore.exe
1984 iexplore.exe
2800 iexplore.exe
3500 iexplore.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process
1984 iexplore.exe
3500 iexplore.exe
2800 iexplore.exe
1020 iexplore.exe
2624 IEXPLORE.EXE
2764 IEXPLORE.EXE
808 IEXPLORE.EXE
628 IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 4 IoCs
pid Process
1388 rundll32mgrmgr.exe
4252 rundll32mgr.exe
4144 WaterMark.exe
4968 WaterMark.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 64 wrote to memory of 4792 64 rundll32.exe 82
PID 4792 wrote to memory of 4252 4792 rundll32.exe 83
PID 4252 wrote to memory of 1388 4252 rundll32mgr.exe 84
PID 4252 wrote to memory of 788 4252 rundll32mgr.exe 9
PID 4252 wrote to memory of 796 4252 rundll32mgr.exe 10
PID 4252 wrote to memory of 316 4252 rundll32mgr.exe 13
PID 4252 wrote to memory of 2664 4252 rundll32mgr.exe 48
PID 4252 wrote to memory of 2756 4252 rundll32mgr.exe 50
PID 4252 wrote to memory of 3000 4252 rundll32mgr.exe 51
PID 4252 wrote to memory of 3464 4252 rundll32mgr.exe 56
PID 4252 wrote to memory of 3556 4252 rundll32mgr.exe 57
PID 4252 wrote to memory of 3816 4252 rundll32mgr.exe 58
PID 4252 wrote to memory of 3924 4252 rundll32mgr.exe 59
PID 4252 wrote to memory of 3988 4252 rundll32mgr.exe 60
PID 4252 wrote to memory of 4088 4252 rundll32mgr.exe 61
PID 4252 wrote to memory of 4280 4252 rundll32mgr.exe 62
PID 4252 wrote to memory of 4720 4252 rundll32mgr.exe 64
PID 4252 wrote to memory of 2200 4252 rundll32mgr.exe 76
PID 1388 wrote to memory of 4144 1388 rundll32mgrmgr.exe 85
PID 4252 wrote to memory of 4968 4252 rundll32mgr.exe 86
PID 4144 wrote to memory of 3872 4144 WaterMark.exe 87
PID 4968 wrote to memory of 1548 4968 WaterMark.exe 88
PID 4144 wrote to memory of 2800 4144 WaterMark.exe 89
PID 4968 wrote to memory of 1020 4968 WaterMark.exe 90
PID 4968 wrote to memory of 1984 4968 WaterMark.exe 91
PID 4144 wrote to memory of 3500 4144 WaterMark.exe 92
PID 1984 wrote to memory of 2764 1984 iexplore.exe 93
PID 3500 wrote to memory of 628 3500 iexplore.exe 94
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe
Processes
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" PID:788
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" PID:796
C:\Windows\system32\dwm.exe "dwm.exe" PID:316
C:\Windows\system32\sihost.exe sihost.exe PID:2664
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc PID:2756
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} PID:3000
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE PID:3464
  C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll,#1 PID:64
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f346e84baa5b20e4b3807c9ac04f75704db01abea2e47b2f9ed38dddb567402N.dll,#1 PID:4792
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgr.exe PID:4252
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe PID:1388
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Microsoft\WaterMark.exe "C:\Program Files (x86)\Microsoft\WaterMark.exe" PID:4144
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe PID:3872
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" PID:2800
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
              C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:17410 /prefetch:2 PID:808
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" PID:3500
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
              C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3500 CREDAT:17410 /prefetch:2 PID:628
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
        C:\Program Files (x86)\Microsoft\WaterMark.exe "C:\Program Files (x86)\Microsoft\WaterMark.exe" PID:4968
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe PID:1548
          C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" PID:1020
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2 PID:2624
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
          C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" PID:1984
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:17410 /prefetch:2 PID:2764
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc PID:3556
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} PID:3816
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca PID:3924
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding PID:3988
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca PID:4088
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding PID:4280
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding PID:4720
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca PID:2200
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Create or Modify System Process: 1
- Windows Service: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Impair Defenses: 4
- Disable or Modify System Firewall: 1
- Disable or Modify Tools: 3
- Modify Registry: 6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BF8EF091-C79C-11EF-A4B7-DEEFF298442C}.dat
Filesize: 3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BF8F17A1-C79C-11EF-A4B7-DEEFF298442C}.dat
Filesize: 5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BF8F17A1-C79C-11EF-A4B7-DEEFF298442C}.dat
Filesize: 3KB