Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-02-2024 02:35
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
Resource: win7-20231215-en
General
Target: 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
Size: 9.6MB
MD5: cd52eee363f347b388150800c63e1611
SHA1: e6bdaa0e94b1e2fca5294d859480d65560828c47
SHA256: 5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25
SHA512: 749335fb88a8c8198f50cd7a22df3d3089fcd29f7313fd5cd04f4bfdd526f4662bdb180d51315766b570fa077cab1761359ded7917da3be057b996245f6442fa
SSDEEP: 196608:4slZIyrQ1wsMbT3AjSsSAQVHd51YyABGNWPbEEfYyrJZGQg1r:ZncwskTwjSwyHd5qPb/wwZGV1
Malware Config
Extracted: stealc
http://185.172.128.24
url_path: /f993692117a3fda2.php
Extracted: smokeloader
pub3
Extracted: risepro
193.233.132.62
Extracted: djvu
http://habrafa.com/test2/get.php
extension: .lkfr
offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url:
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw
Extracted: smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures
Detected Djvu ransomware 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2084-318-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2084-323-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2084-325-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2464-312-0x0000000002270000-0x000000000238B000-memory.dmp | family_djvu
behavioral2/memory/2084-313-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2084-434-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2400-441-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2400-442-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2400-468-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2400-484-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2400-467-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-298-0x0000000002EC0000-0x00000000037AB000-memory.dmp | family_glupteba
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/400-408-0x0000000002EC0000-0x00000000037AB000-memory.dmp | family_glupteba
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
Detect binaries embedding considerable number of MFA browser extension IDs. 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4692-285-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/4692-295-0x0000000000750000-0x0000000000850000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/4692-407-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/4692-487-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4692-285-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/4692-295-0x0000000000750000-0x0000000000850000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/4692-407-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/4692-487-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Detects Windows executables referencing non-Windows User-Agents 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4692-285-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4692-407-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4692-487-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects executables containing a Discord URL observed in first-stage droppers 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
Detects executables built or packed with MPress PE compressor 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3960-485-0x0000000000770000-0x0000000001239000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3960-488-0x0000000000770000-0x0000000001239000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3960-490-0x0000000000770000-0x0000000001239000-memory.dmp | INDICATOR_EXE_Packed_MPress
Detects executables containing URLs to raw contents of a GitHub gist 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables containing artifacts associated with disabling Windows Defender 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables packed with VMProtect. 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1884-241-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3480-265-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/1884-253-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3480-340-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3480-346-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3480-470-0x0000000000400000-0x00000000007E9000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
Detects executables packed with unregistered version of .NET Reactor 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1756-339-0x0000000005150000-0x0000000005328000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/1756-343-0x0000000004F70000-0x0000000005146000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor
Detects executables referencing many varying, potentially fake Windows User-Agents 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7hPwKXVGbLuBuxEP1ly0pylG.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7hPwKXVGbLuBuxEP1ly0pylG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7hPwKXVGbLuBuxEP1ly0pylG.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Pk7JI9CaeC_pHZ0_62slrid9.exe
Executes dropped EXE 25 IoCs
Processes:
pid | process
3156 | WW13_64.exe
824 | Conhost.exe
4692 | o4na_YhO7_2ub2zSjt0ITnhg.exe
2448 | 8Ikaj6vUn6V3OZd_3u53unU2.exe
4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp
3684 | geklkyJb1RJIjxIFhgOAcuBY.exe
1884 | diskeject.exe
3480 | diskeject.exe
3972 | FlPaJanW_MDDpcdoUt4mW4My.exe
4152 | vkhatfzAKrlpju9d6VodrldT.exe
4236 | d1vjVpWAF46uWXeME984fb8K.exe
400 | Y44BOUYkt1YKhQyTCmbAD40W.exe
3028 | xef0OvFS46pt2atJmqhryMoc.exe
2464 | Pk7JI9CaeC_pHZ0_62slrid9.exe
2084 | Pk7JI9CaeC_pHZ0_62slrid9.exe
1756 | 8fdor5jGvAmVs43v58m3HWpJ.exe
3944 | Pk7JI9CaeC_pHZ0_62slrid9.exe
2400 | Pk7JI9CaeC_pHZ0_62slrid9.exe
3960 | 7hPwKXVGbLuBuxEP1ly0pylG.exe
2212 | HXrcVT_ajDIPXBrmbd5wnksw.exe
3900 | WuaqRhk7_2kPdYrA5k4wAYDz.exe
2120 | 7B0i9UF8dygAiGVKSt7YpXau.exe
3648 | YpU6qj2eThxCVR1PQE568Mbn.exe
4768 | SCx_AK26VfAhti6vdVI1640v.exe
1876 | 4D0OGlAF0yCanDA3Ml3POQKo.exe
Loads dropped DLL 24 IoCs
Processes:
pid | process | entries
3156 | WW13_64.exe | 20
4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp | 1
4692 | o4na_YhO7_2ub2zSjt0ITnhg.exe | 3
Modifies file permissions 1 TTPs 1 IoCs
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9\\Pk7JI9CaeC_pHZ0_62slrid9.exe\" --AutoStart" | Pk7JI9CaeC_pHZ0_62slrid9.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | YpU6qj2eThxCVR1PQE568Mbn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7hPwKXVGbLuBuxEP1ly0pylG.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | ipinfo.io
16 | ipinfo.io
86 | api.2ip.ua
88 | api.2ip.ua
101 | api.2ip.ua
8 | api.myip.com
9 | api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
4236 | d1vjVpWAF46uWXeME984fb8K.exe
3960 | 7hPwKXVGbLuBuxEP1ly0pylG.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2464 set thread context of 2084 | 2464 | Pk7JI9CaeC_pHZ0_62slrid9.exe | Pk7JI9CaeC_pHZ0_62slrid9.exe
PID 1756 set thread context of 5064 | 1756 | 8fdor5jGvAmVs43v58m3HWpJ.exe | RegAsm.exe
PID 3944 set thread context of 2400 | 3944 | Pk7JI9CaeC_pHZ0_62slrid9.exe | Pk7JI9CaeC_pHZ0_62slrid9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 8 IoCs
Processes:
pid | pid_target | process | target process
2356 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
3060 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
4772 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
4860 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
2400 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
552 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
4432 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
4892 | 824 | WerFault.exe | yIg2NIrbMKONezGt8Zis12rj.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | FlPaJanW_MDDpcdoUt4mW4My.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | FlPaJanW_MDDpcdoUt4mW4My.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | FlPaJanW_MDDpcdoUt4mW4My.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | o4na_YhO7_2ub2zSjt0ITnhg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | o4na_YhO7_2ub2zSjt0ITnhg.exe
Kills process with taskkill 1 IoCs
Processes:
pid | process
3636 | taskkill.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries (in the order recorded)
4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp | 2
4692 | o4na_YhO7_2ub2zSjt0ITnhg.exe | 2
3972 | FlPaJanW_MDDpcdoUt4mW4My.exe | 2
4236 | d1vjVpWAF46uWXeME984fb8K.exe | 2
3436 | (no process name recorded) | 8
2084 | Pk7JI9CaeC_pHZ0_62slrid9.exe | 2
3436 | (no process name recorded) | 26
1372 | powershell.exe | 2
3436 | (no process name recorded) | 10
1372 | powershell.exe | 1
3436 | (no process name recorded) | 4
2400 | Pk7JI9CaeC_pHZ0_62slrid9.exe | 2
3436 | (no process name recorded) | 1
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
3972 | FlPaJanW_MDDpcdoUt4mW4My.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege, then Token: SeCreatePagefilePrivilege | 3436 | (no process name recorded), 3 alternating pairs
Token: SeDebugPrivilege | 1372 | powershell.exe
Token: SeShutdownPrivilege, then Token: SeCreatePagefilePrivilege | 3436 | (no process name recorded), 4 alternating pairs
Token: SeDebugPrivilege | 3636 | taskkill.exe
Token: SeShutdownPrivilege, then Token: SeCreatePagefilePrivilege | 3436 | (no process name recorded), 5 alternating pairs
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3436 | (no process name recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 1096 wrote to memory of 3156 | 1096 | 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe | WW13_64.exe | 2
PID 3156 wrote to memory of 4572 | 3156 | WW13_64.exe | cmd.exe | 2
PID 3156 wrote to memory of 1020 | 3156 | WW13_64.exe | cmd.exe | 2
PID 4572 wrote to memory of 824 | 4572 | cmd.exe | Conhost.exe | 3
PID 1020 wrote to memory of 4692 | 1020 | cmd.exe | o4na_YhO7_2ub2zSjt0ITnhg.exe | 3
PID 3156 wrote to memory of 1552 | 3156 | WW13_64.exe | cmd.exe | 2
PID 3156 wrote to memory of 2672 | 3156 | WW13_64.exe | cmd.exe | 2
PID 1552 wrote to memory of 2448 | 1552 | cmd.exe | 8Ikaj6vUn6V3OZd_3u53unU2.exe | 3
PID 2448 wrote to memory of 4516 | 2448 | 8Ikaj6vUn6V3OZd_3u53unU2.exe | 8Ikaj6vUn6V3OZd_3u53unU2.tmp | 3
PID 3156 wrote to memory of 2828 | 3156 | WW13_64.exe | cmd.exe | 2
PID 3156 wrote to memory of 856 | 3156 | WW13_64.exe | cmd.exe | 2
PID 2828 wrote to memory of 3684 | 2828 | cmd.exe | geklkyJb1RJIjxIFhgOAcuBY.exe | 3
PID 3156 wrote to memory of 2628 | 3156 | WW13_64.exe | cmd.exe | 2
PID 3156 wrote to memory of 1624 | 3156 | WW13_64.exe | cmd.exe | 2
PID 4516 wrote to memory of 1884 | 4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp | diskeject.exe | 3
PID 3156 wrote to memory of 4900 | 3156 | WW13_64.exe | cmd.exe | 2
PID 4516 wrote to memory of 3480 | 4516 | 8Ikaj6vUn6V3OZd_3u53unU2.tmp | diskeject.exe | 3
PID 3156 wrote to memory of 4476 | 3156 | WW13_64.exe | cmd.exe | 2
PID 856 wrote to memory of 3972 | 856 | cmd.exe | FlPaJanW_MDDpcdoUt4mW4My.exe | 3
PID 2628 wrote to memory of 4152 | 2628 | cmd.exe | vkhatfzAKrlpju9d6VodrldT.exe | 3
PID 1624 wrote to memory of 4236 | 1624 | cmd.exe | d1vjVpWAF46uWXeME984fb8K.exe | 3
PID 3156 wrote to memory of 3168 | 3156 | WW13_64.exe | cmd.exe | 2
PID 4900 wrote to memory of 400 | 4900 | cmd.exe | Y44BOUYkt1YKhQyTCmbAD40W.exe | 3
PID 4476 wrote to memory of 3028 | 4476 | cmd.exe | xef0OvFS46pt2atJmqhryMoc.exe | 3
PID 3168 wrote to memory of 2464 | 3168 | cmd.exe | Pk7JI9CaeC_pHZ0_62slrid9.exe | 3
PID 2464 wrote to memory of 2084 | 2464 | Pk7JI9CaeC_pHZ0_62slrid9.exe | Pk7JI9CaeC_pHZ0_62slrid9.exe | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1096
Depth 2: C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3156
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe """
  - Suspicious use of WriteProcessMemory
  PID: 4572
Depth 4: C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe
  Command line: C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe ""
  PID: 824
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 736
  - Program crash
  PID: 2356
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744
  - Program crash
  PID: 3060
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744
  - Program crash
  PID: 4772
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 768
  - Program crash
  PID: 4860
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 956
  - Program crash
  PID: 2400
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 976
  - Program crash
  PID: 552
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1356
  - Program crash
  PID: 4432
Depth 5: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe" & exit
  PID: 1400
Depth 6: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 3636
Depth 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1404
  - Program crash
  PID: 4892
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe """
  - Suspicious use of WriteProcessMemory
  PID: 1020
Depth 4: C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
  Command line: C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe ""
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 4692
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe """
  - Suspicious use of WriteProcessMemory
  PID: 1552
Depth 4: C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
  Command line: C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe ""
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2448
Depth 5: C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp" /SL5="$5006C,3944858,54272,C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe" ""
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4516
Depth 6: C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
  Command line: "C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -i
  - Executes dropped EXE
  PID: 1884
Depth 6: C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
  Command line: "C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -s
  - Executes dropped EXE
  PID: 3480
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\DLGTS9hVeQ3fDVtpD6KZc1BJ.exe """
  PID: 2672
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe """
  - Suspicious use of WriteProcessMemory
  PID: 2828
Depth 4: C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
  Command line: C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe ""
  - Executes dropped EXE
  PID: 3684
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe """
  - Suspicious use of WriteProcessMemory
  PID: 856
Depth 4: C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
  Command line: C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe ""
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3972
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe """
  - Suspicious use of WriteProcessMemory
  PID: 1624
Depth 4: C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
  Command line: C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe ""
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4236
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe """
  - Suspicious use of WriteProcessMemory
  PID: 4900
Depth 4: C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
  Command line: C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe ""
  - Executes dropped EXE
  PID: 400
Depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -nologo -noprofile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1372
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe """
  - Suspicious use of WriteProcessMemory
  PID: 4476
Depth 4: C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
  Command line: C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe ""
  - Executes dropped EXE
  PID: 3028
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe """
  - Suspicious use of WriteProcessMemory
  PID: 3168
Depth 4: C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
  Command line: C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2464
Depth 5: C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
  Command line: C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID: 2084
Depth 6: C:\Windows\SysWOW64\icacls.exe
  Command line: icacls "C:\Users\Admin\AppData\Local\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  - Modifies file permissions
  PID: 3036
Depth 6: C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
  Command line: "C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3944
Depth 7: C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
  Command line: "C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2400
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe """
  - Suspicious use of WriteProcessMemory
  PID: 2628
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe """
  PID: 456
Depth 4: C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe
  Command line: C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe ""
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1756
Depth 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  PID: 5064
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe """
  PID: 4592
Depth 4: C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe
  Command line: C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe ""
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 3960
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe """
  PID: 4824
Depth 4: C:\Users\Admin\Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe
  Command line: C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe ""
  - Executes dropped EXE
  PID: 2120
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe """
  PID: 4036
Depth 4: C:\Users\Admin\Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe
  Command line: C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe ""
  - Executes dropped EXE
  PID: 3900
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe """
  PID: 3844
Depth 4: C:\Users\Admin\Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe
  Command line: C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe ""
  - Executes dropped EXE
  PID: 2212
Depth 3: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe """
  PID: 4316
Depth 4: C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe
  Command line: C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe ""
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3648 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe """3⤵PID:2932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
PID:824 -
C:\Users\Admin\Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exeC:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe ""4⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe """3⤵PID:4068
-
C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exeC:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe ""4⤵
- Executes dropped EXE
PID:1876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 824 -ip 8241⤵PID:4008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 824 -ip 8241⤵PID:2820
-
C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exeC:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe ""1⤵
- Executes dropped EXE
PID:4152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 824 -ip 8241⤵PID:1400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 8241⤵PID:3840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 824 -ip 8241⤵PID:1604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 8241⤵PID:920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 8241⤵PID:2776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 824 -ip 8241⤵PID:4940
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- Filesize: 1.1MB
  MD5: 579a0fb769d745fffebe0785261f9386
  SHA1: 6f4d1cd9cb9115324fc3353b2395fe01d33889c8
  SHA256: 2f09d5b1bb25d55ceecd97222994d40ca5825502106e08f7bafbc9088bd1251f
  SHA512: e3947c147107b789cac855e560fe11c9c956781ee8ecbde7d8ceb9ccf3363ec1d2d246d040761cd0baed66615fc8239266961ae17f3e59265a22251a4470d187
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 1.6MB
  MD5: 8fb2e718ed032a70e9f61075ee93b51d
  SHA1: adb8d88e1e42be01bd37279de91ad08ad96c4ff7
  SHA256: 9427ae84f26283cf00820d1ccc89f3a34c6427ce19fc4476f0eaddabc7c4779e
  SHA512: d0c23df2a577277789e2296f15408aecfc90ea8e6a35803ef2fe43eaba78c8de9cb25e3c2fd6e963ba24748240b7a36a3a328102bfdd26d219157b57f133d344
- Filesize: 1024KB
  MD5: 0871f2113db791bc05e503e95f284a50
  SHA1: 65dce56912350cbabe26251abdadc7a3184616ab
  SHA256: 89c0f787c4fa1e4573f367227eb6e16613b3a91aee3bf21ee2b70a41124d1f37
  SHA512: f0ce340d3e4bfb6cae4330eef0a0dbcb1da290ab24b57327a2e1d8db1c98d67b27cd01e149bb5a57eab3ad7b0ca9e9d3150369b13456b043b21086a2c0bfa206
- Filesize: 768KB
  MD5: ae1f9db87efd251c5b1aa2befb9c412f
  SHA1: c441902902c1ada6b552cecaeb6a062a96d5c642
  SHA256: 18f0f3eb03ab85cf5b74ca51e666473e8ece4a75935f80053eaa8871909678de
  SHA512: 6f6884b731c5d9de05fc65a14c409bac05530e4e26336ee391d9d9e34aa5bb7b5e3deb5cc7f09f6fad8c5caa6f6da3a3bd035283ea59733dec61a9a375de6abf
- Filesize: 120KB
  MD5: 496dcf8821ffc12f476878775999a8f3
  SHA1: 6b89b8fdd7cd610c08e28c3a14b34f751580cffd
  SHA256: b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80
  SHA512: 07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f
- Filesize: 63KB
  MD5: 1c88b53c50b5f2bb687b554a2fc7685d
  SHA1: bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3
  SHA256: 19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778
  SHA512: a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59
- Filesize: 155KB
  MD5: bc07d7ac5fdc92db1e23395fde3420f2
  SHA1: e89479381beeba40992d8eb306850977d3b95806
  SHA256: ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b
  SHA512: b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d
- Filesize: 77KB
  MD5: 290dbf92268aebde8b9507b157bef602
  SHA1: bea7221d7abbbc48840b46a19049217b27d3d13a
  SHA256: e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe
  SHA512: 9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5
- Filesize: 157KB
  MD5: 0a7eb5d67b14b983a38f82909472f380
  SHA1: 596f94c4659a055d8c629bc21a719ce441d8b924
  SHA256: 3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380
  SHA512: 3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1
- Filesize: 275KB
  MD5: 78d9dd608305a97773574d1c0fb10b61
  SHA1: 9e177f31a3622ad71c3d403422c9a980e563fe32
  SHA256: 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
  SHA512: 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf
- Filesize: 1.1MB
  MD5: 2ab7e66dff1893fea6f124971221a2a9
  SHA1: 3be5864bc4176c552282f9da5fbd70cc1593eb02
  SHA256: a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f
  SHA512: 985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 689KB
  MD5: 956fd09810c6edb78fa81f98b7c7ae0d
  SHA1: 94170850cacdcb1c46348bf28aa84e135b2abbab
  SHA256: b0f8ef03f6da9ade9149c1fde5233c5e0b6a29f2ff64e7506e96c79bbbf180be
  SHA512: de28d055c13aa0fbe2d514d26515f635b37b24f58496864cdd2e17d088fe7397a73577a6e82e540fa9058d971b7573c1f99eb4bcbd1977624a75fea85b299e4a
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 3.9MB
  MD5: b196713f13177e41d7ac4ca4ebd64e62
  SHA1: fc7acf5c9aba46eb87fc5c82a1c76d35b468e8f7
  SHA256: 18fd9c1dba7d03ee76445aa57789373daba010272339c98f2715a3a9d6cf6d03
  SHA512: be7b421b848b96128abf32209bd456f2025726bb25553366a3bbd495ad21300f86959035057a39254a4d56e388553efa3d0f09b715a1e4e3c5e1d0da1f080454
- Filesize: 5.2MB
  MD5: 3ba8271395be382507883d87afa41cc6
  SHA1: dc3c24ecd4503ebc68f2838f7d8abe19e38a8f00
  SHA256: f2e582eee882d0272b1d788f958d2acc1e9385d8947e489b800ff1470a3e5705
  SHA512: 5ad577dce50a8e7762714cd72dda3c9276bdb3ac70a54a8cc343a338c27f83ea0eaa7d72dd3e77e01c5f86e3c9dfa574aed563b297682382d6fdc240fcb7f6f0
- Filesize: 82KB
  MD5: a8a37ba5e81d967433809bf14d34e81d
  SHA1: e4d9265449950b5c5a665e8163f7dda2badd5c41
  SHA256: 50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b
  SHA512: b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979
- Filesize: 31KB
  MD5: e0cc8c12f0b289ea87c436403bc357c1
  SHA1: e342a4a600ef9358b3072041e66f66096fae4da4
  SHA256: 9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03
  SHA512: 4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77
- Filesize: 10KB
  MD5: 25e5dd43a30808f30857c6e46e6bc8df
  SHA1: 679cb7169813a9a0224f03624984645ea18aabe6
  SHA256: 62639a735008dd068142c0efca7f3d0f96f4959a52278fcf70012946e8552974
  SHA512: 904855da98f610a6ebe18ba76f7130a7f9a0ba5da0364fbc9ce79127728597c473aa85f8c0ccaf9f0af81da8f4e6ad7b722890839ee03f381e50177301661cc3
- Filesize: 110KB
  MD5: f4192b63f194d4b4e420e319f08fd398
  SHA1: 03e2f59492e05f899cb5399a4971b3ee700f00c1
  SHA256: 0be6ce456259ec228b1e42b8406d6eecf4c9fc4c96b9c3dc6255695f539bfdca
  SHA512: 447f4909a742e3f2abbe37c2f02d1e9106ded7be5c1d3c1bcbe3985d61791c2eac85bfc9870518fb6d99c7bd32a73c99e9961b797aeee95756f59bf0d2038009
- Filesize: 3.3MB
  MD5: 80b72c24c74d59ae32ba2b0ea5e7dad2
  SHA1: 75f892e361619e51578b312605201571bfb67ff8
  SHA256: eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
  SHA512: 08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a
- Filesize: 37KB
  MD5: d86a9d75380fab7640bb950aeb05e50e
  SHA1: 1c61aaf9022cd1f09a959f7b2a65fb1372d187d7
  SHA256: 68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b
  SHA512: 18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f
- Filesize: 686KB
  MD5: 86f2d9cc8cc54bbb005b15cabf715e5d
  SHA1: 396833cba6802cb83367f6313c6e3c67521c51ad
  SHA256: d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771
  SHA512: 0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb
- Filesize: 4.3MB
  MD5: 236f0f8f9e66863d1f2ab8bfe68a084e
  SHA1: d907c7cbb18df84b5b38c76a0704edf6d6c3ceef
  SHA256: 6f4da2b5620fed6bf81c1cefcd213f5d585e9a660111e414efb28e7fc376f964
  SHA512: fe081e0f2257084d634890403bb96aa5df60de8d5c6d777e16abb64b31d6fc3d86def37aa86e4e848011ea25f48f9ce892f74563b0aaa0fcb9aa3f8fe428549e
- Filesize: 4.5MB
  MD5: d48c701f2e8c722dc7d4324a48c8182a
  SHA1: 056d6b10f631806a5e1094b1a2c0320ecd2cdd0a
  SHA256: 4b2de451a3daa163bfac8af69954547263c6197900ec74a0deebc45762ac8dc9
  SHA512: bd17512bba106244bd9fb967d616f8fcb42883f262b889cb55a3692669c8d0440b478cc07941d7cdb3c239bb6ef5ba9165fba38ac81abd9d69bb1813ba297f46
- Filesize: 131KB
  MD5: 90b786dc6795d8ad0870e290349b5b52
  SHA1: 592c54e67cf5d2d884339e7a8d7a21e003e6482f
  SHA256: 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a
  SHA512: c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72
- Filesize: 29KB
  MD5: 4ac28414a1d101e94198ae0ac3bd1eb8
  SHA1: 718fbf58ab92a2be2efdb84d26e4d37eb50ef825
  SHA256: b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5
  SHA512: 2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2
- Filesize: 106KB
  MD5: 870fea4e961e2fbd00110d3783e529be
  SHA1: a948e65c6f73d7da4ffde4e8533c098a00cc7311
  SHA256: 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
  SHA512: 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
- Filesize: 48KB
  MD5: bba9680bc310d8d25e97b12463196c92
  SHA1: 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
  SHA256: e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
  SHA512: 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739
- Filesize: 133KB
  MD5: 0007e4004ee357b3242e446aad090d27
  SHA1: 4a26e091ca095699e6d7ecc6a6bfbb52e8135059
  SHA256: 10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32
  SHA512: 170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858
- Filesize: 1.7MB
  MD5: 2a4592c9cb8724ad2635a3ce0a279b00
  SHA1: e890072667c76c0e08aaf7249c42ba5cfb37b750
  SHA256: 5b0a20cabb3ce8cbb2219b05feef12f85ac86e4d0336f4e3dfbfc0a5af5b67a6
  SHA512: 923c474f1516783befc5cb5559017c7497ca69dd412ead986997fa6eff9dedac897eeba111d9fb816c55e4429eebb0bbc84f8cf733ebaceebd3b9edb43c57793
- Filesize: 321KB
  MD5: 79f16592b6d173ed466c925f0f993c80
  SHA1: b3ccee0b9c94fa77cd557580a5f1423a88edf90b
  SHA256: 0030a8277ec24f633189f2e9f037b529141044c141d3337ad50fcb2452bf8f53
  SHA512: 77a6c66a496d566cab657809f23ca33943bc8f3f9c8b2674eea0e5963704926f178386a3f15219cd08001a89c03dbdb130f18d6a3b7d494da0cc0343f40b730f
- Filesize: 1.2MB
  MD5: 71369ca5f9f41bf02e2fa138a6f459bd
  SHA1: caf54a41e6baf79239889eb9fddd6a9ddf8864cb
  SHA256: df47533cfffa37dd58da9bf666ea9cecf2f7ecb03d4fb179e64e6a54576d4bc0
  SHA512: a1681cd1f3c4cb4d4ece24c4601688b428d6a2362aa3ee0d5387476d6655f33d5388c35a4291d5ef7133617bdf4fed35ce641edfc359c616974afa3683516363
- Filesize: 152KB
  MD5: 029139679a1e6fbf22f0617286ecd356
  SHA1: 8cdd3591493e84b6b130af03a91065535ceb1890
  SHA256: 6cd498c82768416078c6552229813120cfa11edbf06c123de39a9def8a019d4c
  SHA512: e33c2cb3876d69038d71e7fed457e5dd285e095137c13e842182242e042ec13e4df6939a8451d959be9f5f8794984faa219feec4106b17d8e7f5bdcd759941c4
- Filesize: 1.7MB
  MD5: 3e0eb2c034444b2dbe7ec7e53821dd49
  SHA1: f21740db8e5a2af19781566e0052910e54c128d4
  SHA256: 5500d254228890f7823ee77eb1112f4224cade3460997e8c04b7a1a6fe1c872c
  SHA512: b4b862d475e9af063f1e3198f724738a3d4b5192d5b5acefe0d4e1b4376b55ee75e1d8b4f58fff78542a49aa6f6e1c979c9632259010fff9ae2814ee08494f53
- Filesize: 1.8MB
  MD5: 0c719aa00726d1875fee80e9034a150e
  SHA1: 5ff6e28f0e279260d0d14eaa873ebd768435301c
  SHA256: b79bb046c3bd503822a11dc1ec20ccdfc327e6895ec32ac2acc402cf561a24f9
  SHA512: 24e55814bbec33430ab7b90c07be57ca361357906a614735f8c210193234e42587ca453ef3d273285aa4b986a6f5358294d3b4ac7edace3e47be1d066c72f562
- Filesize: 1.0MB
  MD5: ce42b3f356ec80a646a93353a5e5e9e6
  SHA1: 9382fbb91ef69a8396162e2dab25331d5cb86250
  SHA256: e179056e60c24f596f4badcb11473af4fc811ccefab89841c2b69297b7891440
  SHA512: 53e2fa1ff1778c408968d7f52386770101196d0fdc253c331fd95735c8be7b99c4e6dfb1a1bf6845f2de30dd6264839cc067275a899e5ad4c2f88f47fd14c516
- Filesize: 243KB
  MD5: d4512d526ce5b4c0b06c8806b128931e
  SHA1: 49f7d704819052ac2f2d7dd1b025e9ecf1dfa1d0
  SHA256: 951a4295ca6bcfbb4b96c898fdf2d1597422c77c18be02a85c298ee816d1e45d
  SHA512: daa0819ef49f825e7a717a1fedf190451ee68ff74666480302e5dced6c9776f365d9efe4563560c8a2e1a866e046bd575a1218c4da4768966866542355c81626
- Filesize: 116KB
  MD5: 98db1ccf5cf82b7917039e6c796c59a7
  SHA1: 340b1194ebe6b18c2034430283bbbc3647afdf77
  SHA256: 8b6fc239666d45099322783b2c2540cac961e0b7fd7992f41323ccdc40d5b681
  SHA512: 7bf622f1c412e11e81f5602c30ba706a24b08eb490282ea6806d1babe708a66afa0ab5ba8a5d6e02f5432d24f721cb769dc73342f01694d269d24effb42ee1ea
- Filesize: 234KB
  MD5: 91279277b9cc7d43752c76dcaea5fce6
  SHA1: 5411e516c578887602f29e56294e841b854b8b7e
  SHA256: 18d4c4325fa3930646e04f03a812ccc0c3b8907297db98317bde5a77fed7ea08
  SHA512: 3f4fbd59734f694ce2079ac10769d34366ec3d376f166c406acda9dc71bfa203e1a958e96bd218c6b6c1f47c12600c4bfc137675b6b2d297eed2107c80064696
- Filesize: 1.6MB
  MD5: 5784afb380c6bf72e8cf58f245528883
  SHA1: b5c3f926de2ab331dac1a5d7adca9a9c7215b1a4
  SHA256: 9d965eda03984ab27d4d9d438860a80666c6e324e2232a153bcc5bc5cbec02df
  SHA512: c6a61deb5bfd01043b3af35ff4d2567e5c40f7e674b7a67f8203662078e0e56fd1fb54adf6c9af78a6ece5a99f1c08e4fb186fa5046b362727e3c86f1b2adcc3
- Filesize: 793KB
  MD5: 8fd7f46e85795769df7e746b3869c7e3
  SHA1: acbe34e48fd2e7d580bfe5fb913473bfab41edd8
  SHA256: 09ffa44302fb7674b294d26a01d11a0510251f66d23fd3626cba5a98e5453ba3
  SHA512: 5acdba0b24b8bf068cc1c1b080fecce9d3f8dffe13f3605a2f46a6cd28fef4630ea2ee575af0d230a89ca3f137da5051655cd4a2138920c76bfe9d1027d0380f
- Filesize: 1.2MB
  MD5: a7c95606c6047218d78ea1ce15d342c8
  SHA1: 680532e567ee20ff61c92ac696a1feebf5e22658
  SHA256: adfba1915986c71a7276a8d5aead9cb9f9b66cbcd5d1d630f9e09ccfd7163d1c
  SHA512: 681dc330efdbe42ffd6cc4ca2771287ad9ea4d1598c4d1bd003e18de6bf7d21e9677d692ce92dda4113df012b41382de84b24804373b54cd95f3384681831315
- Filesize: 2.0MB
  MD5: 51c28761ace7ec8ac460c8dd43df85fd
  SHA1: bc175bced43b10474e450c21d6aa7c085e1ad975
  SHA256: 0414dd8e438db4fc4ade1967a14911376ba0a6460747ab6379ac7f288f70f4ce
  SHA512: 4ed95565879b2260107ac6e3fbd68acb13eacae9c8e2a2208f055ef1857ef5f1ee0439fcca6995e650e3c492cb78d3ca30f9931f1c31a96cd5dbe7f016119ed2
- Filesize: 922KB
  MD5: a7b1bf94d1cc0d4d7cc9a8adc0fd23b3
  SHA1: b0c18bbb0803d3c4bd433660cbe49c0613f764db
  SHA256: c7702dd40864d2760d5245998dcd35408e6cb6a4beef18c6b63f68965991673e
  SHA512: 9170fdfea3e852f38be09c7a455b11fc0f174ee81ff59fa0002ff6b482ca9febd27e9ee7bddcb98e8024d25948d3e4f9d211ba88910059a66cf3c6e770570aac
- Filesize: 1.8MB
  MD5: a682c9962fa92d449eb49fda4272f571
  SHA1: ac243bbb7a37ecb111509fbc7cd85f46695ffbf3
  SHA256: f52f2ab5e9f0c169ba1cf8860dc2b03acc64eb274510a910cc79257b4f50c553
  SHA512: db4c852d53661dbe4589ca4319c689b87186329cc42ee49811629de17813d92c262c228f2eb7335cf7c13d79c28a37e5100a0b23195f0dcd7b506ceae5034789
- Filesize: 1.3MB
  MD5: eb58950924c6ac0cb91a8360fcb445fe
  SHA1: c04b6db5555ee5ddb660279c6b045779888bb80d
  SHA256: 14e0ec49dc3a135fdd01aec1c64c8ed51496f2d8e288eb8bfd5719e1ae8390b2
  SHA512: 1803ffc4b1c7ef72245f2762d2261b1b001baa52741f754bd3d3a4f86ff3ac41234a9920a3260602a9361068b83a1a2dd4eeab1c953811efe98c9cd307c5f42e
- Filesize: 1.7MB
  MD5: 230e63c2deab217c08ade65aaf12aec8
  SHA1: 7897686c66d989833882879d3cd9c3ad2b464dff
  SHA256: 2148c3be3402e459e221cf6c4242190233530a3687c3bb959a4c81118654cdcb
  SHA512: d6b069d71258019ee2bfe4ad524ffddc82422e590db06543847643ea4828dd136553ba76446bb0dd9d1e49d29c4c922120957cc1d5ac98bff56ff1443b8db140
- Filesize: 900KB
  MD5: 7497fdeba4aec1b75c8ceb591a4466c1
  SHA1: 26a060abf1b3713fe6f02066853ae5d75bd89702
  SHA256: 48786fd905f84291bb549b52a20868a09e8b9df993d5bab8d723fe5ff890a10b
  SHA512: 68b365e0d588f792474dd0af8f6df07add601ba88d9ff236fe2f275bd996c34c76218a8019ec949f36176846a2f41da206ca84ae80ba270305e326e788236329
- Filesize: 33KB
  MD5: 20a686fada79f8ef9e92e80febfb42a0
  SHA1: a9129265902ad4248f25891c59c7945715998771
  SHA256: 72922eb704c0e300a20a943c2d28f4b51f11934c91487dc064c7b1f56e341489
  SHA512: fcb9663ad1fd175268e2d64c9ebcb38bd60a365d305143136bca4e0cfbd6436f10988827a2d68b8f675d4f23cde81f43a5fba4d6052714d6f9294fb1b9c90ca7
- Filesize: 202KB
  MD5: 09badb8acf8fe1c8d35791aa2593c118
  SHA1: 9c22f98c4d578b3f593b160362b10beb1a1ca901
  SHA256: 8af7c3f82ad26852a76b872771b62edb87eaf52d3f38332daa06f577a2122850
  SHA512: 9ace0b41912cc8b848fc619157423eb7ff118121202357c0831dbd7513a372e1c71ccb1ff8751ecb55709ed45fcec1c54583924d2555467c99823f2cbeffe955
- Filesize: 245KB
  MD5: b745bfd18f6232f090419de152ebebf0
  SHA1: a45beb47818aa3d5388ecbd55069a43601153973
  SHA256: 0f5c2a1369d97d2a6cfdcf5186cb62818c41efec976fe9930a4f070f06c6dbff
  SHA512: d12d160448810ed54bcda7c38fdcaf6ca4f1c31ccc0732153f87c4999364fdd4376ae9ad5e11453fd2294c5540f3ca1b1256a3d8d0d5ed7e731b6b85f418e018
- Filesize: 231KB
  MD5: 1c32647a706fbef6faeac45a75201489
  SHA1: 9055c809cc813d8358bc465603165be70f9216b7
  SHA256: f60e23e0d5cbd44794977c641d07228f8c7a9255f469a1fe9b2ae4c4cc009edc
  SHA512: c8acb58b5686b5daf16de893a9a09c61429892b61195442c456982b14be16baef714b4cf1ad61705480afb880c48d82ace5f65a055ad3bad204a8e776971a3d0
- Filesize: 202KB
  MD5: a7373bba2722eef27389f5d94fe4e783
  SHA1: 23972e45424c696943f2ddf2d66e672c87e5be67
  SHA256: f426eef11c5054c02486f2280e8e97db372f9315eb6373d1bdbac64be4629ab3
  SHA512: 7b9ad2b26a88bcaf4e3735b3c7ca928faf7b8852359853a2d792ea850965a2cb1703dabda09740a8be21420a44f467894655549bb9a5280d37d30d23cf4b232a
- Filesize: 259KB
  MD5: 9562c5e354c4d0d1d207ee38a1cf3785
  SHA1: 6267e562bc02a8fcf56a092113155e5cfb19abef
  SHA256: c2054e2d06bf0fd32c33e5a3ff8eb16f194648b7ae109c7db945afb332053c11
  SHA512: fec9866fad198af04818470d14076399e6c26be35025072b6fbcff5c72613fb3aab8c4cffe40fc3a6a604e785535e270a2c818efa1becfea77c95461d95f9505