8c27169d25af7810613c2ce04d5f5c37cd8d4b17e351e52e70ad282953e01ed8

Analysis

max time kernel
118s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
Size

354KB
MD5

1694d7bf0ad3f4ea1da3fde9d6940850
SHA1

8b3e0d75fc2affdec9e9291420f561d520ab678a
SHA256

8c27169d25af7810613c2ce04d5f5c37cd8d4b17e351e52e70ad282953e01ed8
SHA512

a0b867e51ee001849665dcfe70f6e8af3c5f93e82db7c6d7b376b0995068137f99d82d7f725c7816bce412fe6e9f05825cc4e94698ec409d1a20f279633eb317
SSDEEP

6144:0fp18znPaTavhPvnenut3drPAFl3oAOYk22zVstTtsOkz:0fp18wihPvncK3iYmkXqhsO

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

YandexPackSetup.exelite_installer.exeseederexe.exeYandex.exeYandex.exesender.exelite_installer.exe

pid process

936 YandexPackSetup.exe
2840 lite_installer.exe
1720 seederexe.exe
13948 Yandex.exe
13796 Yandex.exe
13620 sender.exe
2788 lite_installer.exe

Loads dropped DLL 17 IoCs

Processes:

1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exeMsiExec.exeseederexe.exeYandex.exeYandex.exe

pid	process
2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
1720	seederexe.exe
13948	Yandex.exe
13796	Yandex.exe
1720	seederexe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

16 1552 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
16	1552	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIBA66.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b3f7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b3f7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC265.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC2F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC3BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC49A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b3f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b3f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC585.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC79.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\URL = "https://yandex.ru/search/?win=647&clid=2668227-42&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=647&clid=2668216-42&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\NTURL = "https://yandex.ru/search/?win=647&clid=2668216-42&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=647&clid=2668227-42&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-37-24"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\DisplayName = "Bing"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\7f86f230-1a0d-11ef-8fa5-6e6327e9c5d7\YaCreationDate = "2024-37-24"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=647&clid=2668207-42"	seederexe.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

YandexPackSetup.exemsiexec.exelite_installer.exeseederexe.exesender.exelite_installer.exe

pid	process
936	YandexPackSetup.exe
1552	msiexec.exe
1552	msiexec.exe
2840	lite_installer.exe
2840	lite_installer.exe
2840	lite_installer.exe
2840	lite_installer.exe
1720	seederexe.exe
1720	seederexe.exe
1720	seederexe.exe
1720	seederexe.exe
1720	seederexe.exe
13620	sender.exe
13620	sender.exe
2788	lite_installer.exe
2788	lite_installer.exe
2788	lite_installer.exe
2788	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

YandexPackSetup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	936	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	936	YandexPackSetup.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeSecurityPrivilege	1552	msiexec.exe
Token: SeCreateTokenPrivilege	936	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	936	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	936	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	936	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	936	YandexPackSetup.exe
Token: SeTcbPrivilege	936	YandexPackSetup.exe
Token: SeSecurityPrivilege	936	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	936	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	936	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	936	YandexPackSetup.exe
Token: SeSystemtimePrivilege	936	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	936	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	936	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	936	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	936	YandexPackSetup.exe
Token: SeBackupPrivilege	936	YandexPackSetup.exe
Token: SeRestorePrivilege	936	YandexPackSetup.exe
Token: SeShutdownPrivilege	936	YandexPackSetup.exe
Token: SeDebugPrivilege	936	YandexPackSetup.exe
Token: SeAuditPrivilege	936	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	936	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	936	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	936	YandexPackSetup.exe
Token: SeUndockPrivilege	936	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	936	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	936	YandexPackSetup.exe
Token: SeManageVolumePrivilege	936	YandexPackSetup.exe
Token: SeImpersonatePrivilege	936	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	936	YandexPackSetup.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

YandexPackSetup.exe

pid process

936 YandexPackSetup.exe
936 YandexPackSetup.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exemsiexec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 936	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	YandexPackSetup.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 2320 wrote to memory of 1728	2320	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe	1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 984	1552	msiexec.exe	MsiExec.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 2840	984	MsiExec.exe	lite_installer.exe
PID 984 wrote to memory of 1720	984	MsiExec.exe	seederexe.exe
PID 984 wrote to memory of 1720	984	MsiExec.exe	seederexe.exe
PID 984 wrote to memory of 1720	984	MsiExec.exe	seederexe.exe
PID 984 wrote to memory of 1720	984	MsiExec.exe	seederexe.exe
PID 1720 wrote to memory of 13948	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13948	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13948	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13948	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13796	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13796	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13796	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13796	1720	seederexe.exe	Yandex.exe
PID 1720 wrote to memory of 13620	1720	seederexe.exe	sender.exe
PID 1720 wrote to memory of 13620	1720	seederexe.exe	sender.exe
PID 1720 wrote to memory of 13620	1720	seederexe.exe	sender.exe
PID 1720 wrote to memory of 13620	1720	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
"C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=42 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:936

C:\Users\Admin\AppData\Local\Temp\1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\1694d7bf0ad3f4ea1da3fde9d6940850_NeikiAnalytics.exe --stat dwnldr/p=87747/rid=44983b33-ada6-4259-bbda-7ace4cbdda9f/sbr=0-0/hrc=200-200/bd=267-10627744/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-800b0109/vle=ff-800b0109/hovr=ff-0/hovle=ff-0/shle=ff-0/vmajor=6/vminor=1/vbuild=7601/distr_type=landing/cnt=0/dt=2/ct=3/rt=0 --dh 1552 --st 1716583056
2⤵
PID:1728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C129DC5E0F57DBB24927E92979710391
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\438E8ED5-153A-4E2C-B419-8E4BA3BD825E\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\438E8ED5-153A-4E2C-B419-8E4BA3BD825E\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Users\Admin\AppData\Local\Temp\7CD65380-79DE-42DE-985E-BC2703ECFB82\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\7CD65380-79DE-42DE-985E-BC2703ECFB82\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\8C0AA9FF-E8CE-4956-9482-C2553D40A0E0\sender.exe" "--is_elevated=yes" "--ui_level=3" "--good_token=x" "--no_opera=n"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13948

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13796

C:\Users\Admin\AppData\Local\Temp\8C0AA9FF-E8CE-4956-9482-C2553D40A0E0\sender.exe
C:\Users\Admin\AppData\Local\Temp\8C0AA9FF-E8CE-4956-9482-C2553D40A0E0\sender.exe --send "/status.xml?clid=2668226-42&uuid=878ab237-E1DA-48A1-9AC2-DA4A20DB2f42&vnt=Windows 7x64&file-no=6%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A21%0A22%0A24%0A25%0A38%0A40%0A42%0A43%0A45%0A57%0A59%0A89%0A103%0A111%0A123%0A124%0A125%0A129%0A"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:13620

C:\Users\Admin\AppData\Local\Temp\438E8ED5-153A-4E2C-B419-8E4BA3BD825E\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\438E8ED5-153A-4E2C-B419-8E4BA3BD825E\lite_installer.exe" --job-name=yBrowserDownloader-{175A0064-6FAD-45C1-AAD6-6DDC1F09CBEA} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{B43D8AB4-B2AB-4E2E-B09B-1419878063BF}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2668219-42&ui=878ab237-E1DA-48A1-9AC2-DA4A20DB2f42 --use-user-default-locale
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b3f8.rbs
Filesize
911B

MD5
5536102bd26ccb2f4c13157af30d3698

SHA1
eb84351e9c475089ad4e2ebd0b875f149b26426a

SHA256
3b61a5056df40b93fe9b2e5d4867e38ef9a37c3e7d38b7688b26bae1d5fe8ebe

SHA512
66f66b7f6f7b438c7d85638e759e50669724c382ff8276162bb988f2a34c2db952ae501ba6bb7dd7559e0836cdb4109fb2610efb76e1f3804b3f7aa94a2021a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1926aa501bf21d8df958aa66bc6158fe

SHA1
ca0e3874038e3ccecc2f9d0bfda98af01f498c20

SHA256
05837fdfcd3ff655993a58fefc81874351ea62b6d25077f6f368b788919c74fc

SHA512
34299d31aaa7c9a75df1ced8a8d6cd7222339de05b57c1ffa7fec4d53733ed791dfd34218304cced9d3d6318fc640f5e4d2ccbf75227111a4e2fda6cc0da367a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7223a64a9771ac6f27b5fb6f75472fe9

SHA1
0756ecd15031cacdc35aa15a66c061f78e6a8973

SHA256
de0cf1696fd3fd817b1b0a2e58521b683b50cd1c61f2d0f40bc8f7815f67ce9d

SHA512
7d5db302a3427956c3fb0e10a37d6791ad65f0226f818927ac9a3fdcb05d11ec3bf8393b1b220d59fdbe527b9aaebe4804abed827104a8c51f96dab00a18a608

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a722c74f1b2921037c7073554c0fc32e

SHA1
a29b6ae97f4367dd30953502500773a98b79fff3

SHA256
9861a97e9509e9ffc0732d6719d1f6dc920d2c2164f9bee83b9b1007e0a30ee8

SHA512
b127f4292d28fcfdca89b965b6996e49023b6c177485c484a657a2e63c844e9cdca2042ee2a97ff1b784be8b595bc191c983f0314a08c6169e6d836c247c1a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b11e6c9234d6ac1d53f1d3177756e25

SHA1
0e0b381510a01e4eff8cebd76bcb535117b1a0e4

SHA256
1675e7da17081339149cbbcb9acf2fbc0e687cf0c7ad4d0316556606f2be74e5

SHA512
018042a4f7aab32f6c7d446e42cd3df2dcc493c334d9a039d52f130d9493a50de98ebac67845eee45f15fb9038537532ba87ee5eaea2e1094bc4c256f2afeffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
316ad22987c4fc7cc5446ee4da3d9e61

SHA1
e1779aeda3d1a4dda75a2c08a932ffdecb3aece5

SHA256
9fb907a160e17e4ad183813573a91fac9f929391c991c04daaa1611da11daba5

SHA512
01fab2a2a8a6e92f7e90d15c6dd17601b27e286e1dc61e6f548515a0c188db778a0754770568e4e6e5927d485ba90ca3f0b61158358ce44ebf823cb8429eb5fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cb2ee6b8debdcf1e54914538cfd6d0ef

SHA1
8d6fe924f346576cd5c5048f33da5720e74b3eab

SHA256
32187e611d4b6eab89868aa311ffa5524808ade8176b0cf73e21a56fe6f3d7b0

SHA512
c44c6b85a8139fce06a1e2d7ad84ec2c5f5bd2d5d7ccc668c8b769827516542bea8bbd8bbc6b61bf0f3235bf2cf68ae6f452a602245c7ef4308799a995432994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Filesize
264B

MD5
4e8b65fdc296f13710e9d46c12dadbcb

SHA1
7419321a66b2d654ce4907912cc8258d5fe41e2a

SHA256
6bc91d27d24af5a8dd29331778619fdcc9152d0c28a9de5c2f33052ff8740755

SHA512
601ef724ec4dd1228d7d077109c9658d06eeb712e62b50a869df02a4f02f5a052a183023ca92e05171e606012b589b0877fa1817809c16696fd7b77c29275b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\market.yandex.ru.ico
Filesize
9KB

MD5
037dcb9f2d8c769d7b9e362fedd36e84

SHA1
8019da23adf7b4baa2b4a0e615b9167f8d2aa984

SHA256
ac03c5b69ffe00e7937efa6917d2a4212ddb2f6e911aeba54461fe8c59de53f2

SHA512
c219b4c9c8077fe028fe863046f528ef389953878ec111f8cb9b00aaef74efc0ec428c930bdc5298bd5439afac81de5c9ec09c57a659f7e8ba263e509daed718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico
Filesize
5KB

MD5
534409dface053e62660de921ddc600d

SHA1
bd3dcb399327b1d5a2d53ab24e0217d9f524ab62

SHA256
38a3749cdb839c84168f23a9ee46cfd73d482e923bf2c6b4339184b4c93f91fb

SHA512
f58d2192660472e7cfb3c139c145c37f52aba993e2035afebe729a4ba08cf000d18f58cf20d77239cfad3adc278843238307fd0fba96c387e3f4cbbe84cd6b95

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\thumbnails\f14c98ef53c0806b8e335aad159ab351
Filesize
15KB

MD5
af80a936c10e18de168538a0722d6319

SHA1
9b1c84a1cf7330a698c89b9d7f33b17b4ba35536

SHA256
2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3

SHA512
9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
Filesize
10.1MB

MD5
1060b7bd67dcf76e18d40ac11dff9ea7

SHA1
2130015f7f4b49e2cda6995230ad64b8cc9eda5c

SHA256
2a01fd8ef6100129ca83e4cdf8847a3a98eea1af247ef4f103a01fce394a266e

SHA512
0d4c5eb66f6b266f76beb547c2b0f6d1aa1d83ce73b85e8837b79c1c2a3c9bd005aab749249a8e6c7a0f62e0c42d05cfe2a0d77d90e2241d76853a37e667242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP
Filesize
41.3MB

MD5
78a1fa63c858228c956ee62ecaba5c24

SHA1
1fb16301deb0c381b2e01fd2c0daf07896799681

SHA256
e12e758baae3c81e8b5f45d6ca389b10e0ec906cc3c3a8744fd1835cb7036458

SHA512
40a908704e3b406f4e8bf7bf9afb583bfe2dbf8d053d018a6a2798c9625281d9a6fe2bf7d973c02aa2dc49f75aeedb01ba7479d7b2ff1ed795db2275bc85eb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA77D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
2KB

MD5
d2f04624a8599d2dd8dde21ca1cbc072

SHA1
e3c48603e4d44f5b6eb515891de6958107b2d3bd

SHA256
6263f92d1c5c5b4d4588bb1e615bc19244c5ab1c8c682df3ae4454886306d1b6

SHA512
ec7475a48cca58eed30b5d100c0b0a199cef36f0404278774fa9032936e673eb36e1ff1c290ffa4decea6b0a63c1b5244a990bbbb21a99b9b471e142c5280118

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
692B

MD5
9eea424c16e5c8ecd15ccaa3eb6a8350

SHA1
f4bec4fcb32e030e5d8198a45860c371aa942d5b

SHA256
a6aeffe1ddb6a3ad8af4f6685d78f144d67d8faa59e519b8bdf472b00bf282f4

SHA512
da2c662c0ddf213d8ad68bb20e9944e7dabf0fa137d71352591f87f8e0931603819a288d7c9b088ccad48e1be7122ce67a5940601f788cfbcfba1855adc98345

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
509B

MD5
63fb44fbd53fd42192b495e0eeab2bd7

SHA1
56d0d5326b6cb13b72ebf7bc2d096960e3c4018c

SHA256
1884cf1938428fcfb024aaa5ba8558a93e1097a3aa2e762c033ed2611196e786

SHA512
ba9c4bf43a119b5c7b0a6a6fce28a5e8084653b04f622e59c71c6f0b059d29007ebe5fd49ac6d7b339786cf4a36161a7c870c3a8ee24a296cee2c2b32b1fb28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
9.8MB

MD5
571b78ef986f9a7f2a017a574a9ef41a

SHA1
92addf692dd84cce9faba085a3657636ad500d00

SHA256
73a883c94d7065f419e9ab8dd6b55b76f3624ecc811cccb6b0f260c94d8729a2

SHA512
207a111e77f96c4272b7e68d59a3f11af0eba86e4d5f69b62af9e65f584d7f2cebbfc2e5269466db2d04c7ad487b405da303513e92874bff4b32dc1e0992985b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B43D8AB4-B2AB-4E2E-B09B-1419878063BF}.exe
Filesize
10.4MB

MD5
2057c5a021e8eb2b813e38b28153263c

SHA1
0e23ac3402c1680164af7703a91da6b9ae2b5d73

SHA256
5441a9eb997cac6dbad0a262920704d58d7689f01596c7097026c494b2fc6b84

SHA512
8201d7db33d3097193177acf3e6722359b65aaa63a5ae8cd82bf15c6f7269f76b6e9f8ca1c04a2cb6c69a235639106953f4f4a7d1565ad2291d28c26eeea2b2a

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\2AE68B04.8A85F169\Яндекс Маркет.lnk
Filesize
2KB

MD5
e68f6089ceee97ed2a6d48a9c547383a

SHA1
cba36883fd9425ebf538abda3acc4d74cf393d9b

SHA256
b69a1c5b6acf93dd4ca669144b9e11b1178604335f5c3ccf42e6c1d9be46598c

SHA512
51b901a339327ccde531c9cc965452b1c0ad3abe6b7e89ec995f91f7c8bc83fe4b80e43071bf619e82382d372cb28f14172e136100a0ac1ef82f3dc7811c8c17

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
Filesize
397KB

MD5
1e64bdf002fa6dcae92e0b9ae4283867

SHA1
8db18047e35e77ca365a1da1648918fb710979c6

SHA256
dec6ed68c43845defcc2031c8e8da56fd6e2a476e2d5a2ea204c92b82d559bab

SHA512
b3207a4d10e07d97041bb471ba3f80e46dd70f2037ebc1a012b74943de4e78c5a5a2f5fb4c0a86615db34280b0d9f39a3f98f7b7734a7bf9fc29f41dd1bca1e2

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk
Filesize
1KB

MD5
2bb308c24c5defb0ae10921e948240ed

SHA1
7bf6c5291ae1c59b1b097c737bd4082c630ee54f

SHA256
4cd47280dc9d2cbe07c15a7114e4e5e432a119a73b3d595b419c3ed64e598800

SHA512
850a50dbed426960a20b045b2e43ced129c32ea4d7705e5d4b10e2948ae2688be60ec3a047b6c05b649603c3195eb7456ecbe0a9207aa3674e83957e0d127583

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Яндекс Маркет.website
Filesize
541B

MD5
6f30d9dc0a715dbb8646fce75b930f2f

SHA1
32a0fd1a7f89cf50b899556f80b03b69eccbbe43

SHA256
683ba7f3300f1cf7cc28bd38756fc1e9e4f2f008120408169fe133e182a7afd3

SHA512
a29bf03745e2831b2c12718660a768b92468c9d0f2f6aefa6dcfc6364844470aaa2160d959fe8ceca9af86f9dc83c76bc42f8d8c6b6620392a4aca14db7f94db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Яндекс.website
Filesize
514B

MD5
21c5f27e976dabc8c85a1a2df23cafc3

SHA1
07924dc8a787bd16f2ec532b5892eaf4f60f1191

SHA256
60dfa87c8b20255a93965a29b447e963e684b822e322c02a68b10b00a012e172

SHA512
7824d3449f7fcc335fef54f748a8e1aa41ec56d1b414efe86b81203c54e7b5281f2730c1ef13bb7b15590568e5f7a2cd61fe8e931003008e32be950b39bb789e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\places.sqlite-20240524203752.185800.backup
Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\extensions\staged\[email protected]
Filesize
1KB

MD5
5a40649cf7f6923e1e00e67a8e5fc6c8

SHA1
fc849b64b31f2b3d955f0cb205db6921eacc1b53

SHA256
6d432ba7096090837f9533a33a686c846ad67aed8ecc43af7ce8af42649cd51a

SHA512
0fc42a2cc61528b14478f4b9ae098ea90e6b05ddbe10f3a6cdd6326d0d8e6185b49d2b8143b76a9f329bdc277cf02b54d98f374edd65df68a1ffc41e1c817786

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\extensions\staged\[email protected]
Filesize
688KB

MD5
ab6d42f949df8d7e6a48c07e9b0d86e0

SHA1
1830399574b1973e2272e5dcc368c4c10dbbe06b

SHA256
205ebf52c47b42fa0ad1a734a1d882d96b567e15a32b19bdb907562db8ea09e2

SHA512
6c4f9bb726384c87b6523e08339f7821ad4ec8717b26db902ca51df74eb89b46e4ded1504a131683b07b2bba3e6e911a549a8a83b2aad3971047c0fe315a1ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240524203754.853400.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences
Filesize
317B

MD5
fcd67a2e79cc90e0dde448704eca70a9

SHA1
97b3736db6d70edf47fe8651fd3eb170b9c33e0e

SHA256
89b9f5b4ce79fe3f8419d02e938fc874f8262b28c02d76de9544b8562ff3256f

SHA512
a3995a90ffceacab27592201fdf8be9192b48fbd2009fe8343063350d23f959e57b68870bd0c144bb902c84c8384f90b1aa51c89f21cecc0a3c4d8a281e4d4e0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240524203754.853400.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\clids-yabrowser.xml
Filesize
718B

MD5
c507235049203e9d2a402e6fa61bff29

SHA1
c1a3cb619dec8552b2f2b3babf806019cceb6ac3

SHA256
f508c94c6d0dbf611c83ce6023dd351a95ca6a06a85831c0b67054399409a136

SHA512
cd59258bd8aa92c2b81fb67f4619fb2338dea34be5a9bd7409075488d64b3552051f53465f3e3c6f87d1fec92684b56f478be2da824826fdec994a55b04816bd

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
36B

MD5
172530f0ac3aa08b5bc207ec4f380d71

SHA1
6c06348725d1f35e2fd282cde2751042a75b6cef

SHA256
76a30f245b41c9c4adc6f50e9e6fdcf2e7ee5ea47b95c78861ed82802f032904

SHA512
7ff42c3cf51da66b7474365aaa9464424a9a53e7061b96c3fe3c631ed66282361aa7515590a32b77d59e951e483df92ce1a287d4bc3ad91d205b5257769ec2e5

Download Submit
C:\Windows\Installer\MSIBA66.tmp
Filesize
181KB

MD5
b502c676e82cb196e20db36601a08ace

SHA1
391e219b99b9eccecfa8f866baa9bd09671c3a3e

SHA256
bca6f0bec828d4f1d9748e78de826c327a853bdceb3c432426f1d53994c0d88f

SHA512
7488451baccd548601a3c69105066842bf47e8e5dd2680b1a8caa50390a7fd6c8e666c603b7a9fef0ad5a0b41f8bd302f69c50f231e95c8ea6e8da98c3de7816

Download Submit
C:\Windows\Installer\MSIBCF6.tmp
Filesize
188KB

MD5
748143dd96f1e6e67e14384d2edf4daf

SHA1
06928cf9e39b00b654adec334709559ad4e01110

SHA256
ea551d91b1ddb00a266831438b7b0ba4119d479a38bd5fdc254d47bb520a04b9

SHA512
7c9d15ea8ba34a7a6492a83139def07489c236cca1372a5d66eff50b77b38ba8927a305bd460c75676b36ba0ff0f85b841fc835d102ee13b000068fd14e8bc9b

Download Submit
\Users\Admin\AppData\Local\Temp\438E8ED5-153A-4E2C-B419-8E4BA3BD825E\lite_installer.exe
Filesize
418KB

MD5
372dd1f1a276a02aa9fbc0435bc9081d

SHA1
258091e03a5eb6c10b242444aa9f8a449212861d

SHA256
5fe9db11665ab3877380a68e19b20e0567a8e2ce888f36c15c188d117ecdc59c

SHA512
640cd883835558a7dcd8c1d8eaf5b87f71341f9ddb2bae83c76d991a3d80b62782e454bf3db74cf16b3dd5952ced213202d8049d5a8efe860930eebd35de9ba9

Download Submit
\Users\Admin\AppData\Local\Temp\7CD65380-79DE-42DE-985E-BC2703ECFB82\seederexe.exe
Filesize
8.6MB

MD5
fb78961f07684303b0aec02666df3e0b

SHA1
208a69979a7af92736cda71c5762bf62fe9c32c4

SHA256
cd80b890380b4c8658c2ee752574a7872f14f07ef107e9f53394d6fd912157ce

SHA512
fb3f27fdcd14a450f5043ac49c6520a451b5acc76be15c4c5e22f69dad1e6b852e7dd07fcb9509bdb138ce17bc032801642eb9727c524ff078379d1c7fc139c1

Download Submit
\Users\Admin\AppData\Local\Temp\8C0AA9FF-E8CE-4956-9482-C2553D40A0E0\sender.exe
Filesize
259KB

MD5
e3057443a704b797124507b9cefdece8

SHA1
3fdc3be05efc7038023fa93544d675a2d5b9cbae

SHA256
393f94297e3a2e4ffd771323bcaf8b59ebb57cb29a773a18917e7c0c9a9ecf50

SHA512
62e608324bfc7d05ccb6025d39c96ac9328accd465a11e7fb636fffe7f1fe89c6f9a956778fafc97b70165058fcf903de5ae09847cc286ddc58a7aed6b2c2291

Download Submit