Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2024, 12:52

Static task: static1
Behavioral task: behavioral1
  Sample: f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
  Resource: win10v2004-20241007-en

General
Target: f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
Size: 2.6MB
MD5: b405feb91870f682d15560c84e2eee13
SHA1: 02b02649b78f92fba4ffe9ead97be3621d6a9458
SHA256: f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a
SHA512: c40ad6fc166f4f7dd7ade49836fb6c96f77574435e07b580e140c9a542ede832674ee27448fddc62011d2502440a3f4bbcf51d7fd2dedf25d925e8e1eb850522
SSDEEP: 49152:wgwR3ifu1DBgutBPNozkquwVOYJU66zpXpY2+2rW+Dc2v+f9D+:wgwR3vguPP+oqhZJ/4HY2LW+wvVK
Malware Config
Signatures
-
Detects Mimic ransomware 1 IoCs
resource yara_rule behavioral1/files/0x00080000000174c3-29.dat family_mimic
Mimic
Ransomware family first observed in the wild in 2022. The dropped 7za.exe and Everything.exe binaries executed later in this run are consistent with the family's known packaging: the payload is carried inside a password-protected 7-Zip archive and bundles the Everything search engine to enumerate files for encryption.
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" DC.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2000 bcdedit.exe 944 bcdedit.exe -
Renames multiple (6331) files with added filename extension
This is consistent with ransomware encrypting files across the system; the extension registered in this run is .3000DOLLARS (see the registry class entries below).
pid Process 1632 wbadmin.exe -
pid Process 1352 wbadmin.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bengien.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe YOURDATA.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qbupdate.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options\mysqld-opt.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iisadmin.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msexchangesa.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msexchangesa.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\axlbridge.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\raw_agent_svc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe -
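Every Debugger value above points to C:\Windows\System32\Systray.exe, a legacy stub that exits immediately, so each targeted program (Raccine, Sysmon, SQL Server, Veeam and backup agents, Outlook, shutdown.exe) silently fails to start the next time it is launched by image name; already-running processes are not affected until they restart. The following hunt-and-clean script is an added example, not code from the sandbox report or from the malware; it walks the IFEO hive, reports every Debugger value whose executable is not on a small allow-list (the allow-list contents are an assumption and should be adjusted per estate) and removes offending values only when -Remove is passed. It assumes an elevated PowerShell session on the host under triage.

```powershell
# Added example (not part of the sandbox report): hunt for IFEO "Debugger" hijacks
# of the kind this Mimic sample installs. Run from an elevated PowerShell prompt.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers legitimately registered on some developer hosts (assumption: tune per estate).
$KnownDebuggers = @('vsjitdebugger.exe')

function Get-IfeoDebuggerImage {
    # Extracts the executable name from a Debugger value such as
    # '"C:\x\y.exe" /arg' or 'C:\x\y.exe'.
    param([string]$Value)
    $path = if ($Value -match '^\s*"([^"]+)"') { $Matches[1] }
            else { ($Value.Trim() -split '\s+')[0] }
    return [System.IO.Path]::GetFileName($path)
}

function Find-IfeoDebuggerHijack {
    # Report-only by default; -Remove deletes Debugger values judged suspicious.
    param([switch]$Remove)
    $findings = foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
        $dbgExe     = Get-IfeoDebuggerImage $dbg
        $suspicious = $KnownDebuggers -notcontains $dbgExe   # case-insensitive compare
        if ($suspicious -and $Remove) {
            Remove-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction Stop
        }
        [pscustomobject]@{
            Image      = $key.PSChildName   # program being hijacked, e.g. Raccine_x86.exe
            Debugger   = $dbg
            Suspicious = $suspicious
            Removed    = [bool]($suspicious -and $Remove)
        }
    }
    return $findings
}

# Review the report first, then re-run with -Remove once the findings are confirmed.
Find-IfeoDebuggerHijack | Where-Object Suspicious | Format-Table -AutoSize
```

For ongoing detection rather than after-the-fact cleanup, alert on registry value writes (Sysmon event ID 13) where the target object path ends in `\Image File Execution Options\<name>\Debugger`; outside developer workstations that key is almost never written legitimately, and a burst of dozens of such writes from one process, as in this run, is a strong ransomware precursor.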
Deletes itself 1 IoCs
pid Process 1320 cmd.exe -
Executes dropped EXE 11 IoCs
pid Process 2860 7za.exe 2696 7za.exe 2596 3kn.exe 2948 YOURDATA.exe 1064 DC.exe 1832 YOURDATA.exe 1268 YOURDATA.exe 340 YOURDATA.exe 2228 Everything.exe 2092 Everything.exe 2440 Everything.exe -
Loads dropped DLL 21 IoCs
pid Process 2148 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 2148 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 2148 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 2596 3kn.exe 2596 3kn.exe 2948 YOURDATA.exe 1264 cmd.exe 1832 YOURDATA.exe 1268 YOURDATA.exe 340 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 2228 Everything.exe 2228 Everything.exe -
Modifies system executable filetype association 2 TTPs 10 IoCs
The command string written below, "%1" %*, is the Windows default for exefile, so these writes reset the association rather than redirect it; the write itself is still anomalous and worth alerting on.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command 3kn.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open 3kn.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3kn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell 3kn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data such as saved credentials and cookies. This signature fires here without any listed IoC, so treat it as a weak indicator for this sample.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection DC.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\\YOURDATA.exe\" " 3kn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\Z: Everything.exe File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\Z: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\J: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\X: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\J: 
Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\X: Everything.exe -
Power Settings 1 TTPs 15 IoCs
powercfg controls the configurable power settings of a Windows host; ransomware abuses it to disable sleep, hibernation and display timeouts so the machine stays up until encryption completes. Fifteen separate invocations are recorded in this run.
pid Process 1172 powercfg.exe 1584 powercfg.exe 344 powercfg.exe 1708 powercfg.exe 1812 powercfg.exe 1572 powercfg.exe 1816 powercfg.exe 1744 powercfg.exe 960 powercfg.exe 1756 powercfg.exe 1464 powercfg.exe 1048 powercfg.exe 1664 powercfg.exe 2996 powercfg.exe 328 powercfg.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol DC.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini DC.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\[email protected] YOURDATA.exe File opened for modification 
C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue [email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\[email protected] YOURDATA.exe File opened for modification C:\Program Files\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\security\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\[email protected] YOURDATA.exe File opened 
for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\[email protected] YOURDATA.exe File opened for modification C:\Program Files\7-Zip\Lang\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\[email protected] YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\[email protected] YOURDATA.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\jfr\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft 
shared\THEMES14\EXPEDITN\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\[email protected] YOURDATA.exe File opened for modification C:\Program Files\7-Zip\Lang\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Common Files\System\ado\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected] YOURDATA.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe -
pid Process 2344 powershell.exe 2496 powershell.exe 1768 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographic location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3kn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 19 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\.3000DOLLARS YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3kn.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.3000DOLLARS\ = "mimicfile" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell 3kn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open\command 3kn.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile 3kn.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\exefile\shell\open 3kn.exe -
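Taken together, the registry writes in this report reverse several host protections (Defender service set to demand-start, UAC fully disabled, a Run entry for YOURDATA.exe) and register the encrypted-file extension .3000DOLLARS so that double-clicking any encrypted file opens the ransom note in Notepad. The script below is an added triage example, not code from the sandbox report; it compares each tampered value with the Windows 7/10 default, checks the family-specific keys this run created, and lists files carrying the observed extension. It assumes an elevated PowerShell session and uses only paths and values listed in this report; the GUID-named drop directory is taken from the Run entry above.

```powershell
# Added example (not part of the sandbox report): triage the non-IFEO registry changes
# this Mimic run made, compared with Windows defaults, and locate encrypted files.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'; Name = 'Start'
       Expected = 2; Note = 'DC.exe set the Defender service to demand-start (3)' }
    @{ Path = $PolicyKey; Name = 'EnableLUA';                  Expected = 1; Note = 'UAC disabled' }
    @{ Path = $PolicyKey; Name = 'ConsentPromptBehaviorAdmin'; Expected = 5; Note = 'admin elevation without prompt' }
    @{ Path = $PolicyKey; Name = 'ConsentPromptBehaviorUser';  Expected = 3; Note = 'standard-user elevation prompt removed' }
    @{ Path = $PolicyKey; Name = 'PromptOnSecureDesktop';      Expected = 1; Note = 'secure desktop for UAC prompts disabled' }
)

function Test-MimicRegistryArtifacts {
    # Returns one row per setting with the observed value and a Tampered flag.
    $results = @(foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $actual
            Tampered = ($null -ne $actual) -and ($actual -ne $c.Expected)
            Note     = $c.Note
        }
    })
    # Family-specific keys observed in this run: extension class, file class, Run entry.
    $extra = @(
        @{ Path = 'HKLM:\SOFTWARE\Classes\.3000DOLLARS';       Note = 'encrypted-file extension mapped to "mimicfile"' }
        @{ Path = 'HKLM:\SOFTWARE\Classes\mimicfile\shell\open\command'; Note = 'open command launches the ransom note in notepad.exe' }
    )
    foreach ($e in $extra) {
        $present = Test-Path -Path $e.Path
        $results += [pscustomobject]@{ Setting = $e.Path; Expected = '(absent)'
            Actual = $(if ($present) { 'present' } else { $null }); Tampered = $present; Note = $e.Note }
    }
    $run = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'YOURDATA' -ErrorAction SilentlyContinue).YOURDATA
    $results += [pscustomobject]@{ Setting = 'HKLM:\...\CurrentVersion\Run\YOURDATA'; Expected = '(absent)'
        Actual = $run; Tampered = ($null -ne $run); Note = 'persistence for the payload in %LOCALAPPDATA%\{GUID}\' }
    return $results
}

function Find-EncryptedFiles {
    # Lists files with the extension this sample appends; PSIsContainer keeps it PS 2.0-compatible.
    param([string]$Root = $env:USERPROFILE, [string]$Extension = '.3000DOLLARS', [int]$First = 20)
    Get-ChildItem -Path $Root -Recurse -Filter "*$Extension" -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -First $First FullName, Length, LastWriteTime
}

Test-MimicRegistryArtifacts | Where-Object Tampered | Format-Table -AutoSize
Find-EncryptedFiles | Format-Table -AutoSize
```

Restoring the policy values does not re-enable UAC until the host reboots, and setting WinDefend Start back to 2 is only useful if the DC.exe-written Group Policy files (Registry.pol, gpt.ini under System32\GroupPolicy, listed in the System32 drop entries above) are also reviewed, otherwise policy processing will re-apply the change.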
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1064 DC.exe 1064 DC.exe 1064 DC.exe 1064 DC.exe 1268 YOURDATA.exe 340 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2948 YOURDATA.exe 2496 powershell.exe 2344 powershell.exe 1768 powershell.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe 1268 YOURDATA.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeRestorePrivilege  2860  7za.exe
Token: 35  2860  7za.exe
Token: SeRestorePrivilege  2696  7za.exe
Token: 35  2696  7za.exe
Token: SeSecurityPrivilege  2696  7za.exe
Token: SeSecurityPrivilege  2696  7za.exe
Token: SeIncreaseQuotaPrivilege  2596  3kn.exe
Token: SeSecurityPrivilege  2596  3kn.exe
Token: SeTakeOwnershipPrivilege  2596  3kn.exe
Token: SeLoadDriverPrivilege  2596  3kn.exe
Token: SeSystemProfilePrivilege  2596  3kn.exe
Token: SeSystemtimePrivilege  2596  3kn.exe
Token: SeProfSingleProcessPrivilege  2596  3kn.exe
Token: SeIncBasePriorityPrivilege  2596  3kn.exe
Token: SeCreatePagefilePrivilege  2596  3kn.exe
Token: SeBackupPrivilege  2596  3kn.exe
Token: SeRestorePrivilege  2596  3kn.exe
Token: SeShutdownPrivilege  2596  3kn.exe
Token: SeDebugPrivilege  2596  3kn.exe
Token: SeSystemEnvironmentPrivilege  2596  3kn.exe
Token: SeChangeNotifyPrivilege  2596  3kn.exe
Token: SeRemoteShutdownPrivilege  2596  3kn.exe
Token: SeUndockPrivilege  2596  3kn.exe
Token: SeManageVolumePrivilege  2596  3kn.exe
Token: SeImpersonatePrivilege  2596  3kn.exe
Token: SeCreateGlobalPrivilege  2596  3kn.exe
Token: 33  2596  3kn.exe
Token: 34  2596  3kn.exe
Token: 35  2596  3kn.exe
Token: SeIncreaseQuotaPrivilege  2948  YOURDATA.exe
Token: SeSecurityPrivilege  2948  YOURDATA.exe
Token: SeTakeOwnershipPrivilege  2948  YOURDATA.exe
Token: SeLoadDriverPrivilege  2948  YOURDATA.exe
Token: SeSystemProfilePrivilege  2948  YOURDATA.exe
Token: SeSystemtimePrivilege  2948  YOURDATA.exe
Token: SeProfSingleProcessPrivilege  2948  YOURDATA.exe
Token: SeIncBasePriorityPrivilege  2948  YOURDATA.exe
Token: SeCreatePagefilePrivilege  2948  YOURDATA.exe
Token: SeBackupPrivilege  2948  YOURDATA.exe
Token: SeRestorePrivilege  2948  YOURDATA.exe
Token: SeShutdownPrivilege  2948  YOURDATA.exe
Token: SeDebugPrivilege  2948  YOURDATA.exe
Token: SeSystemEnvironmentPrivilege  2948  YOURDATA.exe
Token: SeChangeNotifyPrivilege  2948  YOURDATA.exe
Token: SeRemoteShutdownPrivilege  2948  YOURDATA.exe
Token: SeUndockPrivilege  2948  YOURDATA.exe
Token: SeManageVolumePrivilege  2948  YOURDATA.exe
Token: SeImpersonatePrivilege  2948  YOURDATA.exe
Token: SeCreateGlobalPrivilege  2948  YOURDATA.exe
Token: 33  2948  YOURDATA.exe
Token: 34  2948  YOURDATA.exe
Token: 35  2948  YOURDATA.exe
Token: SeDebugPrivilege  1064  DC.exe
Token: SeAssignPrimaryTokenPrivilege  1064  DC.exe
Token: SeIncreaseQuotaPrivilege  1064  DC.exe
Token: 0  1064  DC.exe
Token: SeIncreaseQuotaPrivilege  1832  YOURDATA.exe
Token: SeSecurityPrivilege  1832  YOURDATA.exe
Token: SeTakeOwnershipPrivilege  1832  YOURDATA.exe
Token: SeLoadDriverPrivilege  1832  YOURDATA.exe
Token: SeSystemProfilePrivilege  1832  YOURDATA.exe
Token: SeSystemtimePrivilege  1832  YOURDATA.exe
Token: SeProfSingleProcessPrivilege  1832  YOURDATA.exe
Token: SeIncBasePriorityPrivilege  1832  YOURDATA.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2228  Everything.exe
2440  Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2148 wrote to memory of 2860  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  31
PID 2148 wrote to memory of 2860  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  31
PID 2148 wrote to memory of 2860  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  31
PID 2148 wrote to memory of 2860  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  31
PID 2148 wrote to memory of 2696  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  33
PID 2148 wrote to memory of 2696  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  33
PID 2148 wrote to memory of 2696  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  33
PID 2148 wrote to memory of 2696  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  33
PID 2148 wrote to memory of 2596  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  35
PID 2148 wrote to memory of 2596  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  35
PID 2148 wrote to memory of 2596  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  35
PID 2148 wrote to memory of 2596  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  35
PID 2596 wrote to memory of 2948  2596  3kn.exe  36
PID 2596 wrote to memory of 2948  2596  3kn.exe  36
PID 2596 wrote to memory of 2948  2596  3kn.exe  36
PID 2596 wrote to memory of 2948  2596  3kn.exe  36
PID 2948 wrote to memory of 1264  2948  YOURDATA.exe  37
PID 2948 wrote to memory of 1264  2948  YOURDATA.exe  37
PID 2948 wrote to memory of 1264  2948  YOURDATA.exe  37
PID 2948 wrote to memory of 1264  2948  YOURDATA.exe  37
PID 1264 wrote to memory of 1064  1264  cmd.exe  39
PID 1264 wrote to memory of 1064  1264  cmd.exe  39
PID 1264 wrote to memory of 1064  1264  cmd.exe  39
PID 1264 wrote to memory of 1064  1264  cmd.exe  39
PID 2948 wrote to memory of 1832  2948  YOURDATA.exe  41
PID 2948 wrote to memory of 1832  2948  YOURDATA.exe  41
PID 2948 wrote to memory of 1832  2948  YOURDATA.exe  41
PID 2948 wrote to memory of 1832  2948  YOURDATA.exe  41
PID 2948 wrote to memory of 1268  2948  YOURDATA.exe  42
PID 2948 wrote to memory of 1268  2948  YOURDATA.exe  42
PID 2948 wrote to memory of 1268  2948  YOURDATA.exe  42
PID 2948 wrote to memory of 1268  2948  YOURDATA.exe  42
PID 2948 wrote to memory of 340  2948  YOURDATA.exe  43
PID 2948 wrote to memory of 340  2948  YOURDATA.exe  43
PID 2948 wrote to memory of 340  2948  YOURDATA.exe  43
PID 2948 wrote to memory of 340  2948  YOURDATA.exe  43
PID 2948 wrote to memory of 2228  2948  YOURDATA.exe  44
PID 2948 wrote to memory of 2228  2948  YOURDATA.exe  44
PID 2948 wrote to memory of 2228  2948  YOURDATA.exe  44
PID 2948 wrote to memory of 2228  2948  YOURDATA.exe  44
PID 2148 wrote to memory of 1320  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  45
PID 2148 wrote to memory of 1320  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  45
PID 2148 wrote to memory of 1320  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  45
PID 2148 wrote to memory of 1320  2148  f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe  45
PID 2948 wrote to memory of 960  2948  YOURDATA.exe  47
PID 2948 wrote to memory of 960  2948  YOURDATA.exe  47
PID 2948 wrote to memory of 960  2948  YOURDATA.exe  47
PID 2948 wrote to memory of 960  2948  YOURDATA.exe  47
PID 2948 wrote to memory of 344  2948  YOURDATA.exe  48
PID 2948 wrote to memory of 344  2948  YOURDATA.exe  48
PID 2948 wrote to memory of 344  2948  YOURDATA.exe  48
PID 2948 wrote to memory of 344  2948  YOURDATA.exe  48
PID 2948 wrote to memory of 328  2948  YOURDATA.exe  51
PID 2948 wrote to memory of 328  2948  YOURDATA.exe  51
PID 2948 wrote to memory of 328  2948  YOURDATA.exe  51
PID 2948 wrote to memory of 328  2948  YOURDATA.exe  51
PID 2948 wrote to memory of 1048  2948  YOURDATA.exe  52
PID 2948 wrote to memory of 1048  2948  YOURDATA.exe  52
PID 2948 wrote to memory of 1048  2948  YOURDATA.exe  52
PID 2948 wrote to memory of 1048  2948  YOURDATA.exe  52
PID 2948 wrote to memory of 1812  2948  YOURDATA.exe  53
PID 2948 wrote to memory of 1812  2948  YOURDATA.exe  53
PID 2948 wrote to memory of 1812  2948  YOURDATA.exe  53
PID 2948 wrote to memory of 1812  2948  YOURDATA.exe  53
System policy modification 1 TTPs 11 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  YOURDATA.exe
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  YOURDATA.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection  YOURDATA.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"  YOURDATA.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"  YOURDATA.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree for the run (indentation shows parent/child depth; each entry gives the image path, command line, PID and the signatures that process triggered):

C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe"
  PID: 2148
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
    PID: 2860
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p259441286182422003 Everything64.dll
    PID: 2696
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe"
    PID: 2596
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
      Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"
      PID: 2948
      - UAC bypass
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c DC.exe /D
        PID: 1264
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\DC.exe
          Command line: DC.exe /D
          PID: 1064
          - Modifies security service
          - Executes dropped EXE
          - Windows security modification
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e watch -pid 2948 -!
        PID: 1832
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul1
        PID: 1268
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul2
        PID: 340
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
        Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup
        PID: 2228
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
          Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -app-data
          PID: 2092
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -H off
        PID: 960
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 344
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 328
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1048
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 1812
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 1708
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1584
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 1572
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 1816
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1172
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 1464
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 1756
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1664
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        PID: 1744
        - Power Settings

      C:\Windows\system32\powercfg.exe
        Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
        PID: 2996
        - Power Settings

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
        PID: 2344
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
        PID: 2496
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
        PID: 1768
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        PID: 2000
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit.exe /set {default} recoveryenabled no
        PID: 944
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
        PID: 1632
        - Deletes System State backups
        - Drops file in Windows directory

      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin.exe delete catalog -quiet
        PID: 1352
        - Deletes backup catalog

      C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
        Command line: "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup
        PID: 2440
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    PID: 1320
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 2072

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2124

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 1392

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1768

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 1736
Network
MITRE ATT&CK Enterprise v15
Tactics, techniques and sub-techniques observed (count of matching signatures in parentheses):

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (6)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads