Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
20/11/2022, 05:53
Static task
static1
Behavioral task
behavioral1
Sample
96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe
Resource
win10v2004-20220812-en
General
-
Target
96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe
-
Size
608KB
-
MD5
19a06eefb2d48107725ffe46843057af
-
SHA1
1a06f82c59fd546864c16e7c4b0e568ed8dbc594
-
SHA256
96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4
-
SHA512
04d0d2cbd36bdab719fca67dd1796889b5e0e454d9599804bc7a7f30ada8a675d3dd00e7eddafd4cb31316edd22e21266b8fb310785084e8126da5d101ade282
-
SSDEEP
12288:YBYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:YqF6+ydroLrJ6vKVgkUb
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3nua.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aUY5E15SY8.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yuoud.exe
Disables taskbar notifications via registry modification
-
Executes dropped EXE 12 IoCs
pid Process 2008 aUY5E15SY8.exe 1028 yuoud.exe 336 2nua.exe 1576 2nua.exe 1552 2nua.exe 1128 2nua.exe 1892 2nua.exe 552 2nua.exe 1940 3nua.exe 1796 3nua.exe 1956 E052.tmp 1168 3nua.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Deletes itself 1 IoCs
pid Process 1900 cmd.exe -
Loads dropped DLL 15 IoCs
pid Process 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 2008 aUY5E15SY8.exe 2008 aUY5E15SY8.exe 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 1524 WerFault.exe 1524 WerFault.exe 1524 WerFault.exe 1524 WerFault.exe 1524 WerFault.exe 1940 3nua.exe 1940 3nua.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 50 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2nua.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2nua.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2nua.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2nua.exe
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 336 set thread context of 1576 336 2nua.exe 35
PID 336 set thread context of 1552 336 2nua.exe 36
PID 336 set thread context of 1128 336 2nua.exe 37
PID 336 set thread context of 1892 336 2nua.exe 38
PID 336 set thread context of 552 336 2nua.exe 39
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files (x86)\LP\CD14\A1A.exe 3nua.exe
File opened for modification C:\Program Files (x86)\LP\CD14\E052.tmp 3nua.exe
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1524 1128 WerFault.exe 37 -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1680 tasklist.exe 1072 tasklist.exe -
Modifies registry class 5 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1612 explorer.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 1680 tasklist.exe Token: SeRestorePrivilege 1876 msiexec.exe Token: SeTakeOwnershipPrivilege 1876 msiexec.exe Token: SeSecurityPrivilege 1876 msiexec.exe Token: SeDebugPrivilege 1072 tasklist.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: SeShutdownPrivilege 1612 explorer.exe Token: 33 336 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 336 AUDIODG.EXE Token: 33 336 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 336 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 840 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 2008 aUY5E15SY8.exe 1028 yuoud.exe 336 2nua.exe 1892 2nua.exe 552 2nua.exe -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3nua.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3nua.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe "C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe" 1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\aUY5E15SY8.exe 2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Users\Admin\yuoud.exe "C:\Users\Admin\yuoud.exe" 3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe 3⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\tasklist.exe tasklist 4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
-
-
C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe 2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Users\Admin\2nua.exe "C:\Users\Admin\2nua.exe" 3⤵
- Executes dropped EXE
PID:1576
-
-
C:\Users\Admin\2nua.exe "C:\Users\Admin\2nua.exe" 3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1552
-
-
C:\Users\Admin\2nua.exe "C:\Users\Admin\2nua.exe" 3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1128 -
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 520 4⤵
- Loads dropped DLL
- Program crash
PID:1524
-
-
-
C:\Users\Admin\2nua.exe "C:\Users\Admin\2nua.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892
-
-
C:\Users\Admin\2nua.exe "C:\Users\Admin\2nua.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:552
-
-
-
C:\Users\Admin\3nua.exe C:\Users\Admin\3nua.exe 2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1940 -
C:\Users\Admin\3nua.exe C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\4637B\0FFCD.exe%C:\Users\Admin\AppData\Roaming\4637B 3⤵
- Executes dropped EXE
PID:1796
-
-
C:\Program Files (x86)\LP\CD14\E052.tmp "C:\Program Files (x86)\LP\CD14\E052.tmp" 3⤵
- Executes dropped EXE
PID:1956
-
-
C:\Users\Admin\3nua.exe C:\Users\Admin\3nua.exe startC:\Program Files (x86)\7B8A0\lvvm.exe%C:\Program Files (x86)\7B8A0 3⤵
- Executes dropped EXE
PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c tasklist&&del 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe 2⤵
- Deletes itself
PID:1900 -
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
-
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Windows\explorer.exe explorer.exe 1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x57c 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:336
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
224KB
MD5b64185be04a7c3882871c07358450544
SHA16dd00c5f29490e210639ac155e732f7c33e746af
SHA256c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21
-
Filesize
224KB
MD5b64185be04a7c3882871c07358450544
SHA16dd00c5f29490e210639ac155e732f7c33e746af
SHA256c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21
-
Filesize
224KB
MD5b64185be04a7c3882871c07358450544
SHA16dd00c5f29490e210639ac155e732f7c33e746af
SHA256c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21
-
Filesize
273KB
MD50fcecac14065f03c4f83bf5ae6ac415b
SHA1f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA25679f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA51249195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003
-
Filesize
273KB
MD50fcecac14065f03c4f83bf5ae6ac415b
SHA1f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA25679f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA51249195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003
-
Filesize
208KB
MD5380575fdf47f22e24cc214c89f098f9d
SHA15d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA25604fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA51270ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2
-
Filesize
208KB
MD5380575fdf47f22e24cc214c89f098f9d
SHA15d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA25604fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA51270ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2
-
Filesize
208KB
MD56891a79892c5fdb0523844fd01a235d3
SHA1d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a
-
Filesize
208KB
MD56891a79892c5fdb0523844fd01a235d3
SHA1d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a