Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 10-10-2023 00:40

Behavioral task: behavioral1
Sample: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Resource: win10v2004-20230915-en
General
Target: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Size: 2.8MB
MD5: b4358bc395a84f175e3a04ac0eced298
SHA1: 9b33ffd40b48b86c63fdc288091d5a1f7364841e
SHA256: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d
SHA512: 5dfa5e99108d7404274f353ad0c34dfcb20b9655e976bf78dca7431b3022374d405d4f8a7dd5ef196424fd43629fe97c47d58d581e704ed15589fb61286b941b
SSDEEP: 49152:MTGkQd5QZuTtS0rQMYOQ+q8CEpTG4QrTGHQC9KFeM6:MKkuWsM0r1QnuK4aKHZ0FeX
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\tawOWEuw.sys | rwinsta.exe

Deletes itself 1 IoCs
pid | Process
2300 | cmd.exe

Executes dropped EXE 3 IoCs
pid | Process
2856 | 212421fd
2508 | TsWpfWrp.exe
1648 | rwinsta.exe

Loads dropped DLL 1 IoCs
pid | Process
1260 | Explorer.EXE

resource | yara_rule
behavioral1/memory/2976-0-0x0000000000320000-0x00000000003A9000-memory.dmp | upx
behavioral1/files/0x00070000000120be-2.dat | upx
behavioral1/memory/2856-3-0x0000000000B10000-0x0000000000B99000-memory.dmp | upx
behavioral1/memory/2976-26-0x0000000000320000-0x00000000003A9000-memory.dmp | upx
behavioral1/memory/2856-42-0x0000000000B10000-0x0000000000B99000-memory.dmp | upx
behavioral1/memory/2976-128-0x0000000000320000-0x00000000003A9000-memory.dmp | upx
behavioral1/memory/2856-153-0x0000000000B10000-0x0000000000B99000-memory.dmp | upx
behavioral1/memory/2856-156-0x0000000000B10000-0x0000000000B99000-memory.dmp | upx
behavioral1/files/0x00070000000120be-157.dat | upx
behavioral1/memory/2976-176-0x0000000000320000-0x00000000003A9000-memory.dmp | upx

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114

Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 | 212421fd
File created | C:\Windows\Syswow64\212421fd | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | 212421fd
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | 212421fd
File created | C:\Windows\system32\ \Windows\System32\toxxg0VRD.sys | rwinsta.exe

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\TsWpfWrp.exe | Explorer.EXE
File opened for modification | C:\Program Files\TsWpfWrp.exe | Explorer.EXE

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\LpyRJ1.sys | rwinsta.exe
File opened for modification | C:\Windows\30e550 | 212421fd
File opened for modification | C:\Windows\32f340 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
File created | C:\Windows\Fonts\rwinsta.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe 2 IoCs
pid | Process
1436 | timeout.exe
2000 | timeout.exe

description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com | rwinsta.exe
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | rwinsta.exe

Modifies data under HKEY_USERS 56 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | rwinsta.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | rwinsta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2856 | 212421fd
1260 | Explorer.EXE
2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
1648 | rwinsta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1260 | Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs
pid | Process
464 | Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeTcbPrivilege | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeIncBasePriorityPrivilege | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeDebugPrivilege | 2856 | 212421fd
Token: SeTcbPrivilege | 2856 | 212421fd
Token: SeIncBasePriorityPrivilege | 2856 | 212421fd
Token: SeDebugPrivilege | 1260 | Explorer.EXE
Token: SeDebugPrivilege | 1648 | rwinsta.exe

Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1648 | rwinsta.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1648 | rwinsta.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2856 wrote to memory of 1260 | 2856 | 212421fd | 19
PID 1260 wrote to memory of 2508 | 1260 | Explorer.EXE | 29
PID 2976 wrote to memory of 1260 | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe | 19
PID 1260 wrote to memory of 1648 | 1260 | Explorer.EXE | 32
PID 2976 wrote to memory of 420 | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe | 2
PID 2856 wrote to memory of 420 | 2856 | 212421fd | 2
PID 2856 wrote to memory of 3060 | 2856 | 212421fd | 37
PID 3060 wrote to memory of 1436 | 3060 | cmd.exe | 40
PID 2976 wrote to memory of 2300 | 2976 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe | 42
PID 2300 wrote to memory of 2000 | 2300 | cmd.exe | 43
PID 1648 wrote to memory of 1260 | 1648 | rwinsta.exe | 19

Processes
C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 420
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1260
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe"
    PID: 2976
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe"
      PID: 2300
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 1
        PID: 2000
        - Delays execution with timeout.exe
  C:\Program Files\TsWpfWrp.exe
    Command line: "C:\Program Files\TsWpfWrp.exe"
    PID: 2508
    - Executes dropped EXE
  C:\Windows\Fonts\rwinsta.exe
    Command line: "C:\Windows\Fonts\rwinsta.exe"
    PID: 1648
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
C:\Windows\Syswow64\212421fd
  Command line: C:\Windows\Syswow64\212421fd
  PID: 2856
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\212421fd"
    PID: 3060
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 1
      PID: 1436
      - Delays execution with timeout.exe

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B