Analysis
-
max time kernel
118s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17-12-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe
Resource
win7-20241010-en
General
-
Target
a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe
-
Size
778KB
-
MD5
14b02e073563d5a340c982e3278162c0
-
SHA1
4884bc95366f7a92cc6688a4a3611e993b3a9b3b
-
SHA256
a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2
-
SHA512
d9a73dcd7b1fcf9c4a7527b09f82b026ad2b94ce0939f21b5905548537b659a9a920f9f34edb5a566d1a5607d878063598699166f6a630d83cce8e3e74536b81
-
SSDEEP
12288:G/Y60aUzs0gHCSL7FkTaSKYwN33QY9nDXruPHGtY59O:kl0gHCSdkTYwMzaG+59
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\U: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\V: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\H: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\L: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\P: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\X: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\J: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\O: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\T: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\W: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\R: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\S: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\I: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\K: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\M: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\N: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\Y: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\Z: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\E: 
a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened (read-only) \??\G: a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification F:\autorun.inf a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Drops file in Program Files directory 9 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7Z.EXE a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\UNINSTALL.EXE a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7ZG.EXE a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7ZFM.EXE a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Modifies registry class 27 IoCs
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Suspicious behavior: MapViewOfSection 23 IoCs
pid Process 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2596 wrote to memory of 384 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 3
PID 2596 wrote to memory of 392 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 4
PID 2596 wrote to memory of 432 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 5
PID 2596 wrote to memory of 476 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 6
PID 2596 wrote to memory of 492 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 7
PID 2596 wrote to memory of 500 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 8
PID 2596 wrote to memory of 592 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 9
PID 2596 wrote to memory of 668 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 10
PID 2596 wrote to memory of 748 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 11
PID 2596 wrote to memory of 812 2596 a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe 12 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:844
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:316
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:668
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:748
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:812
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1152
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:852
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:964
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:112
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1008
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1044
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1108
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:324
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1912
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2276
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe"C:\Users\Admin\AppData\Local\Temp\a21e3dd6ab05d6c4bd14bea3bd01e38d7616099762d49c79323b9cdd8418f1d2N.exe"2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2596
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Create or Modify System Process (1)
- Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (4)
- Disable or Modify System Firewall (1)
- Disable or Modify Tools (3)
- Modify Registry (7)
Downloads
-
Filesize
101KB
MD5 13faf6cd7b47c91cd7715de43d46dcb2
SHA1 ac25761d457d3cda05c100c60252eef4ee74b6fd
SHA256 29d4c109fadf891493ee65f9d709d00fdba8617c9704f13fad6049e7709aa858
SHA512 c2828c9c7b716ff1d0be14f22233296edf6e1b7916d9aa91cd4652128a8ebabe8bafcd42cebe9f5e89e8373b4ef83dd8fb6a98ad36b6d4f81dfdad4ababdfa41