Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 15-10-2023 17:18
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: file.exe
Resource: win10v2004-20230915-en
General
Target: file.exe
Size: 231KB
MD5: 8f1ef200b8af9e31236a1637ec7b07e4
SHA1: af7b92e815e4bb1904ca4b29b5df127f868c4b6f
SHA256: deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
SHA512: 787a0b59b000e49092f3e81121b7fc501e347b5935208f8853e4ecb5ca474c0cb2977d9f5766bdc1b0eb55fc799cd8cb8824745c2e6d10863a21e079d10b67ff
SSDEEP: 3072:SPuAigfBVBqZM5lJ0+RCg0bdwv6NcIYc5XnYPU4Jo:OuAigxCMvgz7YW7
Malware Config
Extracted: smokeloader 2022
Extracted: djvu
http://zexeq.com/raud/get.php
extension: .pthh
offline_id: 43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
payload_url: http://colisumy.com/dl/build2.exe
payload_url: http://zexeq.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted: redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted: amadey 3.87
http://79.137.192.18/9bDc8sQ/index.php
install_dir: 577f58beff
install_file: yiueea.exe
strings_key: a5085075a537f09dec81cc154ec0af4d
Extracted: smokeloader pub1
Signatures
Detected Djvu ransomware (11 IoCs)
resource yara_rule
behavioral2/memory/896-25-0x00000000049D0000-0x0000000004AEB000-memory.dmp family_djvu
behavioral2/memory/2884-26-0x0000000000C70000-0x00000000013F0000-memory.dmp family_djvu
behavioral2/memory/2744-28-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/2744-30-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/2744-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/2744-43-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/2744-106-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/2744-148-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/5008-156-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/5008-160-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/5008-162-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload (6 IoCs)
resource yara_rule
behavioral2/memory/1084-73-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba
behavioral2/memory/1084-74-0x00000000052D0000-0x0000000005BBB000-memory.dmp family_glupteba
behavioral2/memory/1084-141-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba
behavioral2/memory/1084-147-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba
behavioral2/memory/1084-163-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba
behavioral2/memory/1084-226-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)
resource yara_rule
behavioral2/memory/4288-49-0x0000000000400000-0x000000000043E000-memory.dmp family_redline
behavioral2/memory/5012-212-0x0000000000400000-0x000000000045A000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 45BF.exe
Downloads MZ/PE file
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid Process
4748 netsh.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 45BF.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 45BF.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation yiueea.exe
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation 432E.exe
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation 4D72.exe
Executes dropped EXE (19 IoCs)
pid Process
896 432E.exe
2884 45BF.exe
2744 432E.exe
2516 4737.exe
2784 4D72.exe
4988 51C9.exe
1084 57D4.exe
564 yiueea.exe
4184 6B10.exe
1304 432E.exe
5008 432E.exe
4952 yiueea.exe
3544 vrfwfde
4836 57D4.exe
1884 csrss.exe
4244 yiueea.exe
648 injector.exe
3872 windefender.exe
920 windefender.exe
Loads dropped DLL (1 IoCs)
pid Process
1128 regsvr32.exe
Modifies file permissions (1 TTPs, 1 IoCs)
pid Process
2300 icacls.exe
resource yara_rule
behavioral2/files/0x00070000000230b9-22.dat themida
behavioral2/files/0x00070000000230b9-23.dat themida
behavioral2/memory/2884-92-0x0000000000C70000-0x00000000013F0000-memory.dmp themida
resource yara_rule
behavioral2/files/0x000300000001e6c3-492.dat upx
behavioral2/files/0x000300000001e6c3-494.dat upx
behavioral2/files/0x000300000001e6c3-495.dat upx
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 3 IoCs)
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9192be61-fe87-4d49-82c8-2ac9d1ee2d71\\432E.exe\" --AutoStart" 432E.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 57D4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 45BF.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
52 api.2ip.ua
53 api.2ip.ua
Manipulates WinMonFS driver (1 IoCs)
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
Drops file in System32 directory (7 IoCs)
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid Process
2884 45BF.exe
Suspicious use of SetThreadContext (4 IoCs)
description pid Process procid_target
PID 896 set thread context of 2744 896 432E.exe 92
PID 2516 set thread context of 4288 2516 4737.exe 96
PID 1304 set thread context of 5008 1304 432E.exe 128
PID 2884 set thread context of 5012 2884 45BF.exe 136
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN 57D4.exe
Drops file in Windows directory (4 IoCs)
description ioc Process
File opened for modification C:\Windows\rss 57D4.exe
File created C:\Windows\rss\csrss.exe 57D4.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid Process
4240 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
pid pid_target Process procid_target
412 2516 WerFault.exe 93
4020 5008 WerFault.exe 128
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 51C9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vrfwfde
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 51C9.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 51C9.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vrfwfde
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vrfwfde
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4324 schtasks.exe
1968 schtasks.exe
4280 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid Process
3172 Process not Found
Suspicious behavior: MapViewOfSection (7 IoCs)
pid Process
1144 file.exe
4988 51C9.exe
3172 Process not Found
3172 Process not Found
3172 Process not Found
3172 Process not Found
3544 vrfwfde
Suspicious use of AdjustPrivilegeToken 63 IoCs
Suspicious use of UnmapMainImage (1 IoCs)
pid Process
3172 Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path (1 IoCs)
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
outlook_win_path (1 IoCs)
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 1144
C:\Users\Admin\AppData\Local\Temp\432E.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\432E.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 896
  C:\Users\Admin\AppData\Local\Temp\432E.exe (depth 2)
  command line: C:\Users\Admin\AppData\Local\Temp\432E.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2744
    C:\Windows\SysWOW64\icacls.exe (depth 3)
    command line: icacls "C:\Users\Admin\AppData\Local\9192be61-fe87-4d49-82c8-2ac9d1ee2d71" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions
    PID: 2300
    C:\Users\Admin\AppData\Local\Temp\432E.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Local\Temp\432E.exe" --Admin IsNotAutoStart IsNotTask
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 1304
      C:\Users\Admin\AppData\Local\Temp\432E.exe (depth 4)
      command line: "C:\Users\Admin\AppData\Local\Temp\432E.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      PID: 5008
        C:\Windows\SysWOW64\WerFault.exe (depth 5)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 568
        - Program crash
        PID: 4020
C:\Users\Admin\AppData\Local\Temp\45BF.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\45BF.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID: 2884
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  PID: 1784
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 5012
C:\Users\Admin\AppData\Local\Temp\4737.exeC:\Users\Admin\AppData\Local\Temp\4737.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:1180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 2962⤵
- Program crash
PID:412
-
-
C:\Users\Admin\AppData\Local\Temp\4D72.exeC:\Users\Admin\AppData\Local\Temp\4D72.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:4324
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵PID:3980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4388
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:1680
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:2416
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:4176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:3036
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:1664
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2516 -ip 25161⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\51C9.exeC:\Users\Admin\AppData\Local\Temp\51C9.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4988
-
C:\Users\Admin\AppData\Local\Temp\57D4.exeC:\Users\Admin\AppData\Local\Temp\57D4.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:60
-
-
C:\Users\Admin\AppData\Local\Temp\57D4.exe"C:\Users\Admin\AppData\Local\Temp\57D4.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:4328
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:4748
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4208
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:1968
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2116
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
PID:648
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:4280
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:1664
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\5A56.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\5A56.dll2⤵
- Loads dropped DLL
PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\6B10.exeC:\Users\Admin\AppData\Local\Temp\6B10.exe1⤵
- Executes dropped EXE
PID:4184
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:212
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5008 -ip 50081⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4952
-
C:\Users\Admin\AppData\Roaming\vrfwfdeC:\Users\Admin\AppData\Roaming\vrfwfde1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3544
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4244
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:920
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Modify Registry (1)
  Virtualization/Sandbox Evasion (1)
Downloads