Analysis
-
max time kernel
135s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/10/2024, 12:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
Resource
win7-20240903-en
windows7-x64
34 signatures
150 seconds
Behavioral task
behavioral2
Sample
f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
32 signatures
150 seconds
General
-
Target
f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
-
Size
2.6MB
-
MD5
b405feb91870f682d15560c84e2eee13
-
SHA1
02b02649b78f92fba4ffe9ead97be3621d6a9458
-
SHA256
f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a
-
SHA512
c40ad6fc166f4f7dd7ade49836fb6c96f77574435e07b580e140c9a542ede832674ee27448fddc62011d2502440a3f4bbcf51d7fd2dedf25d925e8e1eb850522
-
SSDEEP
49152:wgwR3ifu1DBgutBPNozkquwVOYJU66zpXpY2+2rW+Dc2v+f9D+:wgwR3vguPP+oqhZJ/4HY2LW+wvVK
Malware Config
Signatures
-
Detects Mimic ransomware 1 IoCs
resource yara_rule behavioral2/files/0x000a000000023b6d-37.dat family_mimic -
Mimic
Ransomware family was first exploited in the wild in 2022.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2504 bcdedit.exe 732 bcdedit.exe -
Renames multiple (4503) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2832 wbadmin.exe -
pid Process 4588 wbadmin.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msexchangeadtopology.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CoreSync.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\raw_agent_svc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_x64.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bedbh.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql-exchange.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iisadmin.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-nt.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CoreSync.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\raw_agent_svc.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpython.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe -
Executes dropped EXE 10 IoCs
pid Process 3932 7za.exe 1628 7za.exe 2700 3kn.exe 4576 YOURDATA.exe 4740 DC.exe 2428 YOURDATA.exe 2268 YOURDATA.exe 2848 YOURDATA.exe 2260 Everything.exe 1476 Everything.exe -
Loads dropped DLL 5 IoCs
pid Process 2700 3kn.exe 4576 YOURDATA.exe 2428 YOURDATA.exe 2268 YOURDATA.exe 2848 YOURDATA.exe -
Modifies system executable filetype association 2 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open 3kn.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3kn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command 3kn.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell 3kn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\\YOURDATA.exe\" " 3kn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\X: Everything.exe File opened (read-only) \??\X: Everything.exe File opened (read-only) \??\Z: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\Z: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\J: Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\J: Everything.exe -
Power Settings 1 TTPs 15 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 2744 powercfg.exe 816 powercfg.exe 3804 powercfg.exe 3720 powercfg.exe 1700 powercfg.exe 3840 powercfg.exe 2136 powercfg.exe 5024 powercfg.exe 2436 powercfg.exe 1832 powercfg.exe 2056 powercfg.exe 3184 powercfg.exe 2008 powercfg.exe 452 powercfg.exe 1464 powercfg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre-1.8\lib\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files\7-Zip\Lang\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\management\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_tw_135x40.svg.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\[email protected] YOURDATA.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg.backmydata@inbox.ru.3000DOLLARS YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\[email protected] YOURDATA.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\[email protected] YOURDATA.exe File opened for modification C:\Program Files\7-Zip\Lang\[email protected] YOURDATA.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
pid Process 1676 powershell.exe 3100 powershell.exe 3980 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3kn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YOURDATA.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Modifies registry class 19 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile 3kn.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell 3kn.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open 3kn.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command YOURDATA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.3000DOLLARS\ = "mimicfile" YOURDATA.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command 3kn.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\exefile\shell\open\command YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3kn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3kn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Classes\.3000DOLLARS YOURDATA.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2848 YOURDATA.exe 2268 YOURDATA.exe 2848 YOURDATA.exe 2268 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 4576 YOURDATA.exe 3100 powershell.exe 1676 powershell.exe 3980 powershell.exe 3100 powershell.exe 3980 powershell.exe 1676 powershell.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe 2268 YOURDATA.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 3932 7za.exe Token: 35 3932 7za.exe Token: SeRestorePrivilege 1628 7za.exe Token: 35 1628 7za.exe Token: SeSecurityPrivilege 1628 7za.exe Token: SeSecurityPrivilege 1628 7za.exe Token: SeIncreaseQuotaPrivilege 2700 3kn.exe Token: SeSecurityPrivilege 2700 3kn.exe Token: SeTakeOwnershipPrivilege 2700 3kn.exe Token: SeLoadDriverPrivilege 2700 3kn.exe Token: SeSystemProfilePrivilege 2700 3kn.exe Token: SeSystemtimePrivilege 2700 3kn.exe Token: SeProfSingleProcessPrivilege 2700 3kn.exe Token: SeIncBasePriorityPrivilege 2700 3kn.exe Token: SeCreatePagefilePrivilege 2700 3kn.exe Token: SeBackupPrivilege 2700 3kn.exe Token: SeRestorePrivilege 2700 3kn.exe Token: SeShutdownPrivilege 2700 3kn.exe Token: SeDebugPrivilege 2700 3kn.exe Token: SeSystemEnvironmentPrivilege 2700 3kn.exe Token: SeChangeNotifyPrivilege 2700 3kn.exe Token: SeRemoteShutdownPrivilege 2700 3kn.exe Token: SeUndockPrivilege 2700 3kn.exe Token: SeManageVolumePrivilege 2700 3kn.exe Token: SeImpersonatePrivilege 2700 3kn.exe Token: SeCreateGlobalPrivilege 2700 3kn.exe Token: 33 2700 3kn.exe Token: 34 2700 3kn.exe Token: 35 2700 3kn.exe Token: 36 2700 3kn.exe Token: SeIncreaseQuotaPrivilege 4576 YOURDATA.exe Token: SeSecurityPrivilege 4576 YOURDATA.exe Token: SeTakeOwnershipPrivilege 4576 YOURDATA.exe Token: SeLoadDriverPrivilege 4576 YOURDATA.exe Token: SeSystemProfilePrivilege 4576 YOURDATA.exe Token: SeSystemtimePrivilege 4576 YOURDATA.exe Token: SeProfSingleProcessPrivilege 4576 YOURDATA.exe Token: SeIncBasePriorityPrivilege 4576 YOURDATA.exe Token: SeCreatePagefilePrivilege 4576 YOURDATA.exe Token: SeBackupPrivilege 4576 YOURDATA.exe Token: SeRestorePrivilege 4576 YOURDATA.exe Token: SeShutdownPrivilege 4576 YOURDATA.exe Token: SeDebugPrivilege 4576 YOURDATA.exe Token: SeSystemEnvironmentPrivilege 4576 YOURDATA.exe Token: SeChangeNotifyPrivilege 4576 YOURDATA.exe Token: SeRemoteShutdownPrivilege 4576 YOURDATA.exe Token: SeUndockPrivilege 4576 YOURDATA.exe Token: SeManageVolumePrivilege 4576 YOURDATA.exe Token: SeImpersonatePrivilege 4576 YOURDATA.exe Token: SeCreateGlobalPrivilege 4576 YOURDATA.exe Token: 33 4576 YOURDATA.exe Token: 34 4576 YOURDATA.exe Token: 35 4576 YOURDATA.exe Token: 36 4576 YOURDATA.exe Token: SeIncreaseQuotaPrivilege 2428 YOURDATA.exe Token: SeSecurityPrivilege 2428 YOURDATA.exe Token: SeTakeOwnershipPrivilege 2428 YOURDATA.exe Token: SeLoadDriverPrivilege 2428 YOURDATA.exe Token: SeSystemProfilePrivilege 2428 YOURDATA.exe Token: SeSystemtimePrivilege 2428 YOURDATA.exe Token: SeProfSingleProcessPrivilege 2428 YOURDATA.exe Token: SeIncBasePriorityPrivilege 2428 YOURDATA.exe Token: SeCreatePagefilePrivilege 2428 YOURDATA.exe Token: SeBackupPrivilege 2428 YOURDATA.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2260 Everything.exe 1476 Everything.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4144 wrote to memory of 3932 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 86 PID 4144 wrote to memory of 3932 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 86 PID 4144 wrote to memory of 3932 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 86 PID 4144 wrote to memory of 1628 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 88 PID 4144 wrote to memory of 1628 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 88 PID 4144 wrote to memory of 1628 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 88 PID 4144 wrote to memory of 2700 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 90 PID 4144 wrote to memory of 2700 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 90 PID 4144 wrote to memory of 2700 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 90 PID 2700 wrote to memory of 4576 2700 3kn.exe 91 PID 2700 wrote to memory of 4576 2700 3kn.exe 91 PID 2700 wrote to memory of 4576 2700 3kn.exe 91 PID 4576 wrote to memory of 4412 4576 YOURDATA.exe 92 PID 4576 wrote to memory of 4412 4576 YOURDATA.exe 92 PID 4576 wrote to memory of 4412 4576 YOURDATA.exe 92 PID 4412 wrote to memory of 4740 4412 cmd.exe 94 PID 4412 wrote to memory of 4740 4412 cmd.exe 94 PID 4412 wrote to memory of 4740 4412 cmd.exe 94 PID 4576 wrote to memory of 2428 4576 YOURDATA.exe 96 PID 4576 wrote to memory of 2428 4576 YOURDATA.exe 96 PID 4576 wrote to memory of 2428 4576 YOURDATA.exe 96 PID 4576 wrote to memory of 2268 4576 YOURDATA.exe 97 PID 4576 wrote to memory of 2268 4576 YOURDATA.exe 97 PID 4576 wrote to memory of 2268 4576 YOURDATA.exe 97 PID 4576 wrote to memory of 2848 4576 YOURDATA.exe 98 PID 4576 wrote to memory of 2848 4576 YOURDATA.exe 98 PID 4576 wrote to memory of 2848 4576 YOURDATA.exe 98 PID 4576 wrote to memory of 2260 4576 YOURDATA.exe 99 PID 4576 wrote to memory of 2260 4576 YOURDATA.exe 99 PID 4576 wrote to memory of 2260 4576 YOURDATA.exe 99 PID 4144 wrote to memory of 5116 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 100 PID 4144 wrote to memory of 5116 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 100 PID 4144 wrote to memory of 5116 4144 f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe 100 PID 4576 wrote to memory of 1700 4576 YOURDATA.exe 115 PID 4576 wrote to memory of 1700 4576 YOURDATA.exe 115 PID 4576 wrote to memory of 452 4576 YOURDATA.exe 116 PID 4576 wrote to memory of 452 4576 YOURDATA.exe 116 PID 4576 wrote to memory of 3720 4576 YOURDATA.exe 119 PID 4576 wrote to memory of 3720 4576 YOURDATA.exe 119 PID 4576 wrote to memory of 3840 4576 YOURDATA.exe 120 PID 4576 wrote to memory of 3840 4576 YOURDATA.exe 120 PID 4576 wrote to memory of 1464 4576 YOURDATA.exe 121 PID 4576 wrote to memory of 1464 4576 YOURDATA.exe 121 PID 4576 wrote to memory of 2436 4576 YOURDATA.exe 122 PID 4576 wrote to memory of 2436 4576 YOURDATA.exe 122 PID 4576 wrote to memory of 5024 4576 YOURDATA.exe 124 PID 4576 wrote to memory of 5024 4576 YOURDATA.exe 124 PID 4576 wrote to memory of 2008 4576 YOURDATA.exe 126 PID 4576 wrote to memory of 2008 4576 YOURDATA.exe 126 PID 4576 wrote to memory of 1832 4576 YOURDATA.exe 128 PID 4576 wrote to memory of 1832 4576 YOURDATA.exe 128 PID 4576 wrote to memory of 2744 4576 YOURDATA.exe 129 PID 4576 wrote to memory of 2744 4576 YOURDATA.exe 129 PID 4576 wrote to memory of 3804 4576 YOURDATA.exe 130 PID 4576 wrote to memory of 3804 4576 YOURDATA.exe 130 PID 4576 wrote to memory of 2136 4576 YOURDATA.exe 131 PID 4576 wrote to memory of 2136 4576 YOURDATA.exe 131 PID 4576 wrote to memory of 816 4576 YOURDATA.exe 132 PID 4576 wrote to memory of 816 4576 YOURDATA.exe 132 PID 4576 wrote to memory of 2056 4576 YOURDATA.exe 134 PID 4576 wrote to memory of 2056 4576 YOURDATA.exe 134 PID 4576 wrote to memory of 3184 4576 YOURDATA.exe 136 PID 4576 wrote to memory of 3184 4576 YOURDATA.exe 136 PID 4576 wrote to memory of 3980 4576 YOURDATA.exe 139 -
System policy modification 1 TTPs 11 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer YOURDATA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System YOURDATA.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe"C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p259441286182422003 Everything64.dll2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"3⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4576 -
C:\Windows\SysWOW64\cmd.execmd.exe /c DC.exe /D4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\DC.exeDC.exe /D5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4740
-
-
-
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e watch -pid 4576 -!4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2848
-
-
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2260
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -H off4⤵
- Power Settings
PID:1700
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:452
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:3720
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:3840
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:1464
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:2436
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:5024
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:2008
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:1832
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:2744
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:3804
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:2136
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:816
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c4⤵
- Power Settings
PID:2056
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb614⤵
- Power Settings
PID:3184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1676
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2504
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:732
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe DELETE SYSTEMSTATEBACKUP4⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2832
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe delete catalog -quiet4⤵
- Deletes backup catalog
PID:4588
-
-
C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe"C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1476
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- System Location Discovery: System Language Discovery
PID:5116
-
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4716
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:468
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4328
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3204
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1036
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3740
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2556
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2620
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2920
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2932
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1784
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3000
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2724
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:3032
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2164
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2528
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57be5e8a05222df0c5d78cdd9e1b7c4ed
SHA1d05d9fd5f90347cb3fdf2aeb6ecba04b3c5967a7
SHA256c7f6a55571871300debfa37726c11ff5ca528fedef8865b1cfd268f70bd5407b
SHA512463e5351e6682c7aa8ad162c6035bd9911077148b3147f2feffac17e9c80787c86c9f14b1aa75e44b1a3b353b77aabbcdf7b368c86399dd30a20098b860b97fb
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
1KB
MD5fb5eb8486decd5ee26d4a7216c2bab97
SHA17cb5457255f1b5135b3a16a93e81f97d40803615
SHA25688cb58071acf3f407762095429b8ebc25868b9826c29785981585c24ce2cd6e5
SHA51275e7b968ee81f10844ddd24cc446fe276979cbb6588dacee72f57dd9196abcd822745b6e4d95a7cf45650fb73b73e2ee03576b3d6cf4744a1eb6882b956dc714
-
Filesize
300B
MD5b544278eabdac52cfc43de42babfd5a1
SHA1c5188db9b94daff7624dc4b23b08737dea1434bf
SHA2569cecba59bc812193c90de6bab13ee2ca86f1b3cebeaa994df087010b72e00b86
SHA512ae9fa11ea4f9c9b6cf1026c1ff339bbcf3716d4b004d6f66487f874bdd288a191d0693939f47cc8977604a3e4880f9cae0567f2c33ccb44f07d3093850d6735f
-
Filesize
2.3MB
MD521db18d71c45b82cc91f2a08f345c1f4
SHA1d0114a9e5ad6a693f03b08569b00fff984a9609a
SHA25663a1b530949154dfa7ad62917aca747193a4d4205b4c0a3953a6154b2c14fea1
SHA5121ef865a4065c96692cfc25093f7e95a7f478667b7befdabae351303626b2b9d9a75799e1c7b18179f6d1a9bd6c46c3f224a85185b525544904bb8c2543cb3c0a
-
Filesize
772KB
MD5b93eb0a48c91a53bda6a1a074a4b431e
SHA1ac693a14c697b1a8ee80318e260e817b8ee2aa86
SHA256ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
SHA512732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5
-
Filesize
802KB
MD5ac34ba84a5054cd701efad5dd14645c9
SHA1dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
SHA256c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
SHA512df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a
-
Filesize
1.7MB
MD5c44487ce1827ce26ac4699432d15b42a
SHA18434080fad778057a50607364fee8b481f0feef8
SHA2564c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
SHA512a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808
-
Filesize
548B
MD5742c2400f2de964d0cce4a8dabadd708
SHA1c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
SHA2562fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
SHA51263a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4
-
Filesize
550B
MD551014c0c06acdd80f9ae4469e7d30a9e
SHA1204e6a57c44242fad874377851b13099dfe60176
SHA25689ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
SHA51279b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c
-
Filesize
84KB
MD53b03324537327811bbbaff4aafa4d75b
SHA11218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA2568cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize
1.7MB
MD532e57eddfcb3d2bbd1242a892a8744a6
SHA1554b1e5ff39e64bc494fa4112433cc9358d50bc5
SHA25611b9e357a8c2e08ed09f4b305a1f8328ed4537382bb62a2d9fb35540976dbe46
SHA51286da9974ac1cb9d17e916996d6f90fe4a741bc8b95bcf4e2b37c610a797366f86fb5fd380dd93df6dbcb1e6b080820ee5f107a4a3eacd517e9ecc2667462e8fb
-
Filesize
350KB
MD5803df907d936e08fbbd06020c411be93
SHA14aa4b498ae037a2b0479659374a5c3af5f6b8d97
SHA256e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
SHA5125b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13.3MB
MD59c12d4720a31d3d8f2830de47c50bb14
SHA17442c4d305423b4a3965a02b18e97b90d2fcdc79
SHA256acdc65821a9a8289afabbd328950fa62807d45dfcbda799875629609a53529cf
SHA5123df77ea74803af6a30ecc3a15511a335ab7672bb0ba13ead16793a925b3d74742e94b74eca4210ecf00a081e71b8338c6cc757b54e35609f962d75551ae1db33
-
Filesize
20KB
MD57ee99043293d9dd797a66d016a5672d7
SHA1a7f1aba19bc0fd71f19ed1991639cccd3d2e69f4
SHA2564438b2e6bcc67a3550782e38031cb7107105d1d3059dec28a12e39e48a9def98
SHA512b2380076d6fd1db58707f6f0826dbf87672678dda301efab0e20ee9d879ea66d69ab94ed8ea0ce122afd90d959533f9f359256d8e73163622e0e7eaecb61b4e0
-
Filesize
32B
MD5808642d39d4da3040f34b1fe41103436
SHA1648024d71ab87a608001d5bee5d722a8efb81cd6
SHA2566a4eb103234be750bce3853d723c2727f14639f67524f24237312b08421ace81
SHA5124329060fb9e7432b62ffe265418d813b279f1c3285c1f2c52478d08836a83004de619c6ce5d0efeadc1236cddfc35e344cb281eddb101460ca2fd7b239d73dc0
-
Filesize
33KB
MD53f2c27a9822ec9cc73dbb4fa10221a16
SHA10880d65459a9b56d129071f0be005496514bf27d
SHA2568a16e661c86670b255ae56d78fb6f31e36546ec2413966f4624a645859b1edd5
SHA51275f52528c6163765a721f3e1b7de6beaaa56dc96eec09f8ada4929b9ba64e621f7d976c4435eb4763987ad7c7e88e88a61fbc93e17bdc9f085a68ae3ba3d1cc3
-
Filesize
32KB
MD5940d61d04a4ee9e3f6cc6c35e1b1131a
SHA11f721d5bb5b133c440d8b58f965ec4839145f3d9
SHA256ca23be430d554d26ea39ce5d0ff391ecbce1bf1c5d9aa1402aeb7f1bb16b09c3
SHA512ce67ff44e5e35445a976723289ec96c1351ae1d5110a0e205655893aca53b74f04b32adfa5c278c6fb337ed4f9483d0a0d771f44e9ab87a427e1043ea9bb2110
-
Filesize
32KB
MD572d8ccadf7134e2f99d51175643d7309
SHA1b58287bc828b5e5942234ca6d0a625d6f57f9bfe
SHA2564069177b9d7eccf2262fedfb04fb59b6c3cd74e66237994722bb1796ce870bb2
SHA512630953dd4d28f4233fdec36c511a933dd4cb70db347a4945c12e52cdad528962944e72b1d57c4ef333db6d232165dcbab18dd739401984c399748f00c228ce77