Analysis
max time kernel: 125s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 23:55
Static task
static1
Behavioral task
behavioral1
Sample
7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Resource
win10v2004-20220812-en
General
Target: 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Size: 320KB
MD5: 71ee19737698f120d243e30eb5ee65e0
SHA1: cc81357948e6513fdb87c3fd174f5dc4d08316be
SHA256: 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034
SHA512: 44b365e026863225d04c9d9764b81683a7f219f1cf689efd11591c725af7e1c8e79b9cd015439493e4d080a4e2d9c9999c829fbbe6209ea11c2533b5a6cd771f
SSDEEP: 6144:sTw4o1IV3puaibGKFHi0mofhaH05kipz016580bHFMWu86JQPDHDdx/QtqR:SmgvmzFHi0mo5aH0qMzd5807FKPJQPDV
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bakrp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bakrp.exe
-
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bakrp.exe
-
Adds policy Run key to start application 2 TTPs 29 IoCs
-
Disables RegEdit via registry modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bakrp.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bakrp.exe
-
Executes dropped EXE 2 IoCs
pid Process
876 bakrp.exe
4736 bakrp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bakrp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bakrp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bakrp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bakrp.exe
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
56 whatismyip.everdot.org
12 whatismyip.everdot.org
33 whatismyip.everdot.org
43 www.showmyipaddress.com
54 whatismyipaddress.com
-
Drops file in System32 directory 4 IoCs
description ioc Process
File created C:\Windows\SysWOW64\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
File opened for modification C:\Windows\SysWOW64\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File created C:\Windows\SysWOW64\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File opened for modification C:\Windows\SysWOW64\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File created C:\Program Files (x86)\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File opened for modification C:\Program Files (x86)\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
File created C:\Program Files (x86)\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File created C:\Windows\liqvrddjehupupzzeonksxtff.gjw bakrp.exe
File opened for modification C:\Windows\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
File created C:\Windows\qyrholwnthflbhcndyiqjzgdoflzxdtzufvq.ibr bakrp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings bakrp.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings bakrp.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe 876 bakrp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
4736 bakrp.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 876 bakrp.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 4244 wrote to memory of 876 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 83
PID 4244 wrote to memory of 876 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 83
PID 4244 wrote to memory of 876 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 83
PID 4244 wrote to memory of 4736 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 84
PID 4244 wrote to memory of 4736 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 84
PID 4244 wrote to memory of 4736 4244 7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe 84
-
System policy modification 1 TTPs 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe "C:\Users\Admin\AppData\Local\Temp\7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe" 1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\bakrp.exe "C:\Users\Admin\AppData\Local\Temp\bakrp.exe" "-" 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\bakrp.exe "C:\Users\Admin\AppData\Local\Temp\bakrp.exe" "-" 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:4736
-
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵ PID:4788
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 712KB
MD5: 3b76864908f47308661298ee3eeefcf1
SHA1: 08df58285a5daa6276b7ffd2ba8df022e33fa2af
SHA256: 5dfcaa74500a9b534789ac2137622cd293d741e5f5ff9d1fb7e6c61953827fc2
SHA512: f1f76c69de4d36ef5170c7bfc3fbb39aeb930ab7c6dead740086c8462c27d2b402acaed66bc2544fee8a638dd1054beeaca6203f470d50b8c36f8b6e71622aca