Analysis
-
max time kernel
197s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
26/11/2022, 14:42
Static task
static1
Behavioral task
behavioral1
Sample
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Resource
win10v2004-20221111-en
General
-
Target
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
-
Size
488KB
-
MD5
e0968638796261d3bd533c7f452095c0
-
SHA1
60b9e96a5d6e5cbf71a01e0530b89115f051a960
-
SHA256
f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
-
SHA512
e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
SSDEEP
12288:Y+j2RX5IOHj2XY0uo7vKzB1/xmXke2ovXtf0RS2w3CD9:Y+jS5IOD2I0h7v0B1/Wke2atf0ZwyD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload 10 IoCs
resource yara_rule
behavioral2/memory/4688-143-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4688-145-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4688-149-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4688-150-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4688-168-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4688-178-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4368-185-0x0000000000000000-mapping.dmp family_isrstealer
behavioral2/memory/4368-192-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4368-202-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
behavioral2/memory/4368-215-0x0000000000400000-0x0000000000454000-memory.dmp family_isrstealer
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule
behavioral2/memory/212-176-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
behavioral2/memory/212-177-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
behavioral2/memory/212-208-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
-
Nirsoft 3 IoCs
resource yara_rule
behavioral2/memory/212-176-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
behavioral2/memory/212-177-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
behavioral2/memory/212-208-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
-
Executes dropped EXE 14 IoCs
pid Process
4352 winlogon.exe
3200 winlogon.exe
2292 winlogon.exe
4324 winlogon.exe
4192 winlogon.exe
4688 winlogon.exe
4784 winlogon.exe
1256 csrss.exe
212 winlogon.exe
388 winlogon.exe
4164 winlogon.exe
4368 winlogon.exe
4212 winlogon.exe
972 csrss.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation winlogon.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation csrss.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation winlogon.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winlogon.exe
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts winlogon.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: winlogon.exe
File opened (read-only) \??\H: winlogon.exe
File opened (read-only) \??\K: winlogon.exe
File opened (read-only) \??\F: winlogon.exe
File opened (read-only) \??\G: winlogon.exe
File opened (read-only) \??\N: winlogon.exe
File opened (read-only) \??\Z: winlogon.exe
File opened (read-only) \??\P: winlogon.exe
File opened (read-only) \??\Q: winlogon.exe
File opened (read-only) \??\X: winlogon.exe
File opened (read-only) \??\H: winlogon.exe
File opened (read-only) \??\I: winlogon.exe
File opened (read-only) \??\K: winlogon.exe
File opened (read-only) \??\M: winlogon.exe
File opened (read-only) \??\O: winlogon.exe
File opened (read-only) \??\G: winlogon.exe
File opened (read-only) \??\J: winlogon.exe
File opened (read-only) \??\F: winlogon.exe
File opened (read-only) \??\I: winlogon.exe
File opened (read-only) \??\L: winlogon.exe
File opened (read-only) \??\E: winlogon.exe
File opened (read-only) \??\J: winlogon.exe
File opened (read-only) \??\L: winlogon.exe
File opened (read-only) \??\Y: winlogon.exe
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf winlogon.exe
-
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 4352 set thread context of 4688 4352 winlogon.exe 87
PID 4688 set thread context of 4784 4688 winlogon.exe 91
PID 4688 set thread context of 212 4688 winlogon.exe 104
PID 388 set thread context of 4368 388 winlogon.exe 107
PID 4368 set thread context of 4212 4368 winlogon.exe 109
-
Drops file in Program Files directory 11 IoCs
description ioc Process
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe winlogon.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe winlogon.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI winlogon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
4688 winlogon.exe
4368 winlogon.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Processes
-
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:1004
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:784
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2768
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2856
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3280
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3456
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3372
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:3540
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3080
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:704
-
C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe "C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe" 2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2324
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 4⤵
- Executes dropped EXE
PID:3200
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4688
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe /scomma "C:\Users\Admin\AppData\Local\Temp\TQpDx0GjNE.ini" 5⤵
- Executes dropped EXE
PID:4784
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe /scomma "C:\Users\Admin\AppData\Local\Temp\hWog751Z2h.ini" 5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:212
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 4⤵
- Executes dropped EXE
PID:4324
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 4⤵
- Executes dropped EXE
PID:4192
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 4⤵
- Executes dropped EXE
PID:2292
-
C:\Users\Admin\AppData\Roaming\csrss.exe "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 4688 -proc 4688 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe 4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1256
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
PID:388
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4368
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe /scomma "C:\Users\Admin\AppData\Local\Temp\zS1sOXBO1M.ini" 7⤵
- Executes dropped EXE
PID:4212
-
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe" 6⤵
- Executes dropped EXE
PID:4164
-
C:\Users\Admin\AppData\Roaming\csrss.exe "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 4368 -proc 4368 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe 6⤵
- Executes dropped EXE
PID:972
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2920
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3728
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4664
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:1428
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:4340
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:776
-
C:\Windows\system32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 1⤵ PID:4296
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:2200
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:3704
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:2360
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
257B
MD59a99fdc6c8686c32ff82fa67d7b855e3
SHA1e1d24587143f301a927a406b4e28621c3e65fb7a
SHA2568b8d049ee2959b0fea05fd867a8529e88d99f325518167ee11d0c18be979eb22
SHA512b6503941b8ef81cc87634bdff81aadf1ce959ae32c1f491da49d67d542984326ca0c4ad818434c4399821995609992047e5d25325031640f6280b13da6ee1165