5c2da70eb09a300a356c5d066fa63cd5f5e599a7802d4ab4722f5bd78bef962f

Analysis

max time kernel
192s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2ce32c9b9c307eda65a2f13415d6a01c7e9f1261a1872d4c588ac1c599bed5.msi
Size

142.3MB
MD5

d54ab89f2e4dde5633b7fbdf00dbbbe9
SHA1

379709f077da51a5c7ebcbb8fc0a0a0895c20933
SHA256

bb2ce32c9b9c307eda65a2f13415d6a01c7e9f1261a1872d4c588ac1c599bed5
SHA512

c4dc7e0b50419d0b8b660526d83a940c5627e4244b4542322e1d46cf5ad25a702cc5a77bde3653e59561d14596f89966201634dff5a33c1efe79d5b560933189
SSDEEP

3145728:wLva3lK/CCB9nyGp49Hy0+Xb6SQvhS4Y0Cr5pyicNlSuVG/aSWGeW6p:wLvq8nggcvhY0C/yLP/Vaabfp

Score

6^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	3592	msiexec.exe
10	3592	msiexec.exe
14	3592	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57d85e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d85e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{575F8743-E380-426E-B41E-B72C0697E25F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFE0.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d860.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
380	node.exe
4980	dbeaver.exe

Loads dropped DLL 6 IoCs

pid	Process
4980	dbeaver.exe
4980	dbeaver.exe
4980	dbeaver.exe
4980	dbeaver.exe
4980	dbeaver.exe
4980	dbeaver.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3592	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	node.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbeaver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\DBeaver\\dbeaver.exe -nosplash -f \"%1\""	dbeaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver	dbeaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\DefaultIcon	dbeaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell	dbeaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell\open	dbeaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell\open\command	dbeaver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\ = "DBeaver"	dbeaver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\DBeaver\\dbeaver.exe,0"	dbeaver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell\ = "open"	dbeaver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbeaver\shell\open\ = "Open SQL file in DBeaver Community"	dbeaver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	msiexec.exe
3508	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3592	msiexec.exe
Token: SeSecurityPrivilege	3508	msiexec.exe
Token: SeCreateTokenPrivilege	3592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3592	msiexec.exe
Token: SeLockMemoryPrivilege	3592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3592	msiexec.exe
Token: SeMachineAccountPrivilege	3592	msiexec.exe
Token: SeTcbPrivilege	3592	msiexec.exe
Token: SeSecurityPrivilege	3592	msiexec.exe
Token: SeTakeOwnershipPrivilege	3592	msiexec.exe
Token: SeLoadDriverPrivilege	3592	msiexec.exe
Token: SeSystemProfilePrivilege	3592	msiexec.exe
Token: SeSystemtimePrivilege	3592	msiexec.exe
Token: SeProfSingleProcessPrivilege	3592	msiexec.exe
Token: SeIncBasePriorityPrivilege	3592	msiexec.exe
Token: SeCreatePagefilePrivilege	3592	msiexec.exe
Token: SeCreatePermanentPrivilege	3592	msiexec.exe
Token: SeBackupPrivilege	3592	msiexec.exe
Token: SeRestorePrivilege	3592	msiexec.exe
Token: SeShutdownPrivilege	3592	msiexec.exe
Token: SeDebugPrivilege	3592	msiexec.exe
Token: SeAuditPrivilege	3592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3592	msiexec.exe
Token: SeChangeNotifyPrivilege	3592	msiexec.exe
Token: SeRemoteShutdownPrivilege	3592	msiexec.exe
Token: SeUndockPrivilege	3592	msiexec.exe
Token: SeSyncAgentPrivilege	3592	msiexec.exe
Token: SeEnableDelegationPrivilege	3592	msiexec.exe
Token: SeManageVolumePrivilege	3592	msiexec.exe
Token: SeImpersonatePrivilege	3592	msiexec.exe
Token: SeCreateGlobalPrivilege	3592	msiexec.exe
Token: SeBackupPrivilege	4364	vssvc.exe
Token: SeRestorePrivilege	4364	vssvc.exe
Token: SeAuditPrivilege	4364	vssvc.exe
Token: SeBackupPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeBackupPrivilege	4780	srtasks.exe
Token: SeRestorePrivilege	4780	srtasks.exe
Token: SeSecurityPrivilege	4780	srtasks.exe
Token: SeTakeOwnershipPrivilege	4780	srtasks.exe
Token: SeBackupPrivilege	4780	srtasks.exe
Token: SeRestorePrivilege	4780	srtasks.exe
Token: SeSecurityPrivilege	4780	srtasks.exe
Token: SeTakeOwnershipPrivilege	4780	srtasks.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe
Token: SeTakeOwnershipPrivilege	3508	msiexec.exe
Token: SeRestorePrivilege	3508	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3592	msiexec.exe
3592	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4780	3508	msiexec.exe	92
PID 3508 wrote to memory of 4780	3508	msiexec.exe	92
PID 3508 wrote to memory of 452	3508	msiexec.exe	97
PID 3508 wrote to memory of 452	3508	msiexec.exe	97
PID 452 wrote to memory of 380	452	wscript.exe	98
PID 452 wrote to memory of 380	452	wscript.exe	98
PID 452 wrote to memory of 380	452	wscript.exe	98
PID 3508 wrote to memory of 4980	3508	msiexec.exe	96
PID 3508 wrote to memory of 4980	3508	msiexec.exe	96
PID 3508 wrote to memory of 4980	3508	msiexec.exe	96
PID 380 wrote to memory of 2412	380	node.exe	100
PID 380 wrote to memory of 2412	380	node.exe	100
PID 380 wrote to memory of 2412	380	node.exe	100
PID 380 wrote to memory of 4700	380	node.exe	101
PID 380 wrote to memory of 4700	380	node.exe	101
PID 380 wrote to memory of 4700	380	node.exe	101
PID 380 wrote to memory of 1996	380	node.exe	103
PID 380 wrote to memory of 1996	380	node.exe	103
PID 380 wrote to memory of 1996	380	node.exe	103
PID 380 wrote to memory of 1792	380	node.exe	105
PID 380 wrote to memory of 1792	380	node.exe	105
PID 380 wrote to memory of 1792	380	node.exe	105
PID 380 wrote to memory of 900	380	node.exe	106
PID 380 wrote to memory of 900	380	node.exe	106
PID 380 wrote to memory of 900	380	node.exe	106
PID 380 wrote to memory of 3652	380	node.exe	107
PID 380 wrote to memory of 3652	380	node.exe	107
PID 380 wrote to memory of 3652	380	node.exe	107
PID 380 wrote to memory of 2252	380	node.exe	108
PID 380 wrote to memory of 2252	380	node.exe	108
PID 380 wrote to memory of 2252	380	node.exe	108
PID 380 wrote to memory of 4496	380	node.exe	109
PID 380 wrote to memory of 4496	380	node.exe	109
PID 380 wrote to memory of 4496	380	node.exe	109
PID 380 wrote to memory of 4528	380	node.exe	110
PID 380 wrote to memory of 4528	380	node.exe	110
PID 380 wrote to memory of 4528	380	node.exe	110
PID 380 wrote to memory of 4036	380	node.exe	112
PID 380 wrote to memory of 4036	380	node.exe	112
PID 380 wrote to memory of 4036	380	node.exe	112
PID 380 wrote to memory of 4496	380	node.exe	113
PID 380 wrote to memory of 4496	380	node.exe	113
PID 380 wrote to memory of 4496	380	node.exe	113
PID 380 wrote to memory of 4360	380	node.exe	115
PID 380 wrote to memory of 4360	380	node.exe	115
PID 380 wrote to memory of 4360	380	node.exe	115
PID 380 wrote to memory of 2448	380	node.exe	116
PID 380 wrote to memory of 2448	380	node.exe	116
PID 380 wrote to memory of 2448	380	node.exe	116
PID 380 wrote to memory of 4496	380	node.exe	117
PID 380 wrote to memory of 4496	380	node.exe	117
PID 380 wrote to memory of 4496	380	node.exe	117
PID 380 wrote to memory of 1396	380	node.exe	118
PID 380 wrote to memory of 1396	380	node.exe	118
PID 380 wrote to memory of 1396	380	node.exe	118
PID 380 wrote to memory of 5100	380	node.exe	119
PID 380 wrote to memory of 5100	380	node.exe	119
PID 380 wrote to memory of 5100	380	node.exe	119
PID 380 wrote to memory of 3572	380	node.exe	120
PID 380 wrote to memory of 3572	380	node.exe	120
PID 380 wrote to memory of 3572	380	node.exe	120
PID 380 wrote to memory of 3640	380	node.exe	121
PID 380 wrote to memory of 3640	380	node.exe	121
PID 380 wrote to memory of 3640	380	node.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bb2ce32c9b9c307eda65a2f13415d6a01c7e9f1261a1872d4c588ac1c599bed5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\ProgramData\jvb\dbeaver.exe
  "C:\ProgramData\jvb\dbeaver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4980
- C:\Windows\system32\wscript.exe
  "wscript.exe" "9.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\ProgramData\jvb\node.exe
    "C:\ProgramData\jvb\node.exe" C:/ProgramData/jvb/node.js
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d85f.rbs

Filesize
10KB

MD5
dbc74140a6d28039df2fc0921d62dffd

SHA1
774a105c92c9a7ba8542d6928564450d55bc1839

SHA256
2e23f7cb0a07b83d448d88c5a0b2d8ff9d208ef045570c81860c934fdbe610fc

SHA512
dc3f3339bea0b020e883bf1f447b5114d435da58c7b77d6de871877a54f3d8b142853e3565c4bbaf6cd06bede8fa9e420a05f7882f6a1254a8db8d99b8d16abc

Download Submit
C:\ProgramData\jvb\9.js

Filesize
112B

MD5
23578f94ff3058c385394a252b27044f

SHA1
ffa1adb01394d91628b10025d6a6dcda89853f24

SHA256
1dcbcccce710038721185bbcc21f5909c1857d7d755a0ddb9a7d1ccd91143b90

SHA512
b3d365e911a17f78230198ef7872ddfe5ac1692ca35f46ac2fb35463210a1cec00ee64087b6117eefcdf4192b729557b6b49f3d79f901f9da385a8a183026562

Download Submit
C:\ProgramData\jvb\node.js

Filesize
1KB

MD5
e8b3d3fd49f75efffdcd3a4d56fd0b01

SHA1
bcd44072b4cf7c412c8b6b2f15cad5ea366c2635

SHA256
35ccf40fb23232612b6735a658f8c79ad8c5c07816772512deeae36b3d30d4e8

SHA512
3cdca1ccbdf8ca883f89b00661f249429732abb5818be8146b5ceeb940b184638a3e7657fa1eef8ebc5361bafafae7539c8f689b2e89edcb69dd5e3484646c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D29921725D6699AE382CD53FA763AA48

Filesize
1KB

MD5
6561b45e8e9ce9e2645a291d98327160

SHA1
73554e6eafacb7b29aa12fa9fa2a0d116ec0d2d0

SHA256
3ff8aca23489a1ca0d60e4e40577d1a2faccd9a741e7112d4447ab9906c1d703

SHA512
6746b736fe2b8ec75669f4959d9f8028a40e9d48aab9feb80fdba64dc7c90647efc483561b9df0028138ad397582d00e502b7b5ec3bb9fe27c95c144ee5a4afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
27a377f64efb2d5b9f1db57cf6beb406

SHA1
2739f8d82beb4cfb46aa5d75f806e28d1e8070fd

SHA256
3a23a305d0eb6938a2119066191d77afddd0401158ecd18c5c53d00b91c769f1

SHA512
059a8a3221f9ff6782a53ba6d3f23fc1efef7ef28c67fd185a1d2b5aef032bd660aa6d526a139ffd2f298b6dac22f013d6ea1b0e78d14496618fb18576cfdc48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D29921725D6699AE382CD53FA763AA48

Filesize
536B

MD5
eddea28be5ce7aa6e4ea5da2e5566d37

SHA1
267d4ab022c76134837ff097184d1e9088422dbd

SHA256
e25935d788a813d318a7dcb5a37d9f748de636d95c71cf264b46be271f01a1cf

SHA512
c07a602bbdcae5fae2919ca7df41c5f9f52831f876e49cf67bb5416ffa42636ca076e8291975ba50596ed33b45078c45190c73a5a846b04025a93373fb70274f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
009cd1bc410ea50add75c5042e8ab9f8

SHA1
8e2b12c76a53bfb04e671a01e39e4ecc58ae8cd2

SHA256
1a007cc4c851557f348836846d0ba312a5fcbeebbed8f6d4302dcfa982a4c204

SHA512
ac85057cf26136d0ba44c41708ce554bc2876dcb9238ea47779f289b38c03b82ae218cf9e3678fd9d20a39e6ba916ab183aabfe7bc46ef5cb97df2367c929835

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\Uninstall.exe

Filesize
365KB

MD5
a7e34e78d11326c700d6a7f9f96a8819

SHA1
6f001e35fb737411c51b0dd5e00edb7c961f3b35

SHA256
76422afc4aefca46c97cc72020ca4309ed072fb2187ecceef16c92adc3421f35

SHA512
14df827da079c3988c7167b76d6060f9ee6ba014bd7e77429e55149c0826efce559eeea4ed6d5a53c8abcc2682447180973a5020f1de97cd82941ef94781100d

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\dbeaver.exe

Filesize
520KB

MD5
818dbc331a283c689516dd0e291dafbb

SHA1
25b1d30640c86748f4516a2ef4da318cf8651f0c

SHA256
9604cbde72989fc6eabdc6a7d4d688188c73bec565d4e514eeec174ac0ea9c85

SHA512
6d8fea82a5a3be444c0825f4122c1ec4c69b0e801e02e2fc4cb673d66227be5c5cc63b8e225faf8c6afe9b24d7a56354480ccacc6fa3786e3aba008568a9fd65

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\features\org.eclipse.ecf.filetransfer.httpclient5.feature_1.1.702.v20231114-1017\epl-2.0.html

Filesize
16KB

MD5
84283fa8859daf213bdda5a9f8d1be1d

SHA1
0cbef63aebcfcd4cd201ebeb48ce294e377a6321

SHA256
928c4a6af7e9cf82589e560f98ffbb6ade7385b59fec8cb4ef36a6bb91cf7018

SHA512
f4eb2bb38fa8c40b44c714e05b518ded3641529d689552b131613a40a64940d0369263f3afde03a7d289dd88e38c50975527103fc43eb32984e84e8236ab9feb

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\features\org.eclipse.ecf.filetransfer.httpclient5.feature_1.1.702.v20231114-1017\license.html

Filesize
9KB

MD5
618d2440fc58e15450a9416cd6804477

SHA1
c501b7ce0b1ee46ad86fff436bcb7dc2cd549dc2

SHA256
0efe4d6eb579f748857a93c5a781c3000f70f339074b29d15b914213e14b1d53

SHA512
7b48c3911305756ad7d7bf65e5254c5151f619fdd16cd80be01208a8e868f02066a91a872c17824537e6173d9e0cb81c1c5b0081cea6c1cd585c91bcddf6438a

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\features\org.eclipse.emf.common_2.30.0.v20230916-0637\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
40fa6729dc1faddf00261da43b73e007

SHA1
78150af306cbcb578535589509eac393b8b0b24a

SHA256
e794b7c7c7e77ed5a0dc26437a72d12e258e05cd489b4befbbec7422cd0a11f2

SHA512
486e7138b5b40ed0e4007c2dd83ce94ca447aee94c968bc4c384fe6d6f2b69fa351cd3106ce88ee2e4ef120db9bb6c4e8990fa9c104da2903c97b7f2f8270078

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\jre\legal\java.management\ADDITIONAL_LICENSE_INFO

Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\jre\legal\java.management\ASSEMBLY_EXCEPTION

Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\jre\legal\java.management\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Local\DBeaver\plugins\org.jkiss.bundle.jfreechart_1.0.23\LICENSE.md

Filesize
11KB

MD5
14b2c87457eab0f575b762a5f9101569

SHA1
3302887523950842157f53ee738851be96317c6e

SHA256
fc5837b36a5b94ca9d6833afdc9f634832acc21995df0cacc8cb4313329bacaf

SHA512
2ccc2e6cf6db9512a04eee60408fca191dcbb480edf72a04364643501e79978518a79dffaa6bd5b0d6c873165720b5effbcc1eee50c8d8ae8f3f38c99ed02eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\modern-wizard.bmp

Filesize
150KB

MD5
4336cb6ad378840f8fa1d180b152b2a8

SHA1
01cb79ec8164a2b8342dec6ec19cb032dc7230d5

SHA256
84944e08bccee7b5d6c910f8fb5665342b3a238409acc76ff564e31f0204d0c6

SHA512
92f2cc95284134d801b3c88407bee7d25090a07de3cff218f4f3eabfc14df270a97d15f8c89158b6e35eb054b89817cd0f6b6042f115d56cd7eb4376ce9bc28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE8CB.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
8e3902e95f5a6d4ecbfb1341f99a9b16

SHA1
761c570e5f29f33d683daa5bcd396dbf3656a34b

SHA256
800409f3b6f891a260e8e75c5f78c56f415c715bd6abc55d89fa9b06e449e4e6

SHA512
02026ba5eb5d7e3e3de71e5aadd60ad7217edbe9ca294dedcaf210a2edb7039a345532ac3470d268a0ed28340dd43324edba8cdcd37f8ca6d295c9835eccfd57

Download Submit
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{76aa9350-f2e0-4131-b1c8-a6e239dd6a37}_OnDiskSnapshotProp

Filesize
6KB

MD5
1eb4a4d189e168887b2fba97ae29b34c

SHA1
8f5012f19187833491b0b5ec0b1f9081fa3f7b23

SHA256
d9b4c2bf321e7143afd6ecf8b256ae3bce9ff74f0e89931c7ad7623d39a92cfd

SHA512
5ae2ab0a6eecc43550f17823378b99516b66e0d38f21e351d14f7e63b475eecf8633f44dafb015d2e1dbfa0c8c8dd2b3db951e75befe48575992e3a7bdec62fd

Download Submit