Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2024 02:32

General

  • Target

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe

  • Size

    455KB

  • MD5

    c8d9593196962fa5d706a207c16674cd

  • SHA1

    686a8e674e6615d5cd91f7b2cba0c755054b3f69

  • SHA256

    a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

  • SHA512

    5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf

  • SSDEEP

    12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.1

C2

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables using Telegram Chat Bot 5 IoCs
  • Stops running service(s) 3 TTPs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 20 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
    "C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\csocjo.exe
        "C:\Users\Admin\AppData\Local\Temp\csocjo.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
          4⤵
            PID:1712
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
            4⤵
              PID:2348
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
              4⤵
                PID:988
              • C:\Program Files\Windows Mail\wab.exe
                "C:\Program Files\Windows Mail\wab.exe"
                4⤵
                  PID:448
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                  4⤵
                    PID:2220
                  • C:\Program Files\Windows Media Player\wmplayer.exe
                    "C:\Program Files\Windows Media Player\wmplayer.exe"
                    4⤵
                      PID:1228
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                      4⤵
                        PID:752
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe"
                        4⤵
                          PID:2996
                        • C:\Windows\explorer.exe
                          "C:\Windows\explorer.exe"
                          4⤵
                            PID:688
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 2480 -s 2160
                            4⤵
                            • Loads dropped DLL
                            PID:1684
                        • C:\Users\Admin\AppData\Local\Temp\iltrhn.exe
                          "C:\Users\Admin\AppData\Local\Temp\iltrhn.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2548
                        • C:\Users\Admin\AppData\Local\Temp\vbmfxw.exe
                          "C:\Users\Admin\AppData\Local\Temp\vbmfxw.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:1568
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                            4⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3060
                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                              5⤵
                              • Drops file in System32 directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1752
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                              5⤵
                                PID:1448
                                • C:\Windows\system32\wusa.exe
                                  wusa /uninstall /kb:890830 /quiet /norestart
                                  6⤵
                                  • Drops file in Windows directory
                                  PID:2356
                              • C:\Windows\system32\sc.exe
                                C:\Windows\system32\sc.exe stop UsoSvc
                                5⤵
                                • Launches sc.exe
                                PID:1792
                              • C:\Windows\system32\sc.exe
                                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                5⤵
                                • Launches sc.exe
                                PID:1996
                              • C:\Windows\system32\sc.exe
                                C:\Windows\system32\sc.exe stop wuauserv
                                5⤵
                                • Launches sc.exe
                                PID:2128
                              • C:\Windows\system32\sc.exe
                                C:\Windows\system32\sc.exe stop bits
                                5⤵
                                • Launches sc.exe
                                PID:2768
                              • C:\Windows\system32\sc.exe
                                C:\Windows\system32\sc.exe stop dosvc
                                5⤵
                                • Launches sc.exe
                                PID:940
                              • C:\Windows\system32\powercfg.exe
                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2208
                              • C:\Windows\system32\powercfg.exe
                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2232
                              • C:\Windows\system32\powercfg.exe
                                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2216
                              • C:\Windows\system32\powercfg.exe
                                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2200
                              • C:\Windows\system32\dialer.exe
                                C:\Windows\system32\dialer.exe
                                5⤵
                                  PID:1968
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 1568 -s 2108
                                4⤵
                                • Loads dropped DLL
                                PID:3048
                            • C:\Users\Admin\AppData\Local\Temp\griwpi.exe
                              "C:\Users\Admin\AppData\Local\Temp\griwpi.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              PID:2692
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                4⤵
                                  PID:1948
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
                                    5⤵
                                    • Loads dropped DLL
                                    PID:2592
                                    • C:\Windows\SysWOW64\chcp.com
                                      chcp 65001
                                      6⤵
                                        PID:1208
                                      • C:\Windows\SysWOW64\PING.EXE
                                        ping 127.0.0.1
                                        6⤵
                                        • Runs ping.exe
                                        PID:620
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f
                                        6⤵
                                        • Creates scheduled task(s)
                                        PID:2292
                                      • C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
                                        "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:2384
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 2692 -s 2104
                                    4⤵
                                    • Loads dropped DLL
                                    PID:2172
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 2184 -s 732
                                2⤵
                                  PID:2600

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • \Users\Admin\AppData\Local\ServiceHub\CasPol.exe

                                Filesize

                                105KB

                                MD5

                                ac93f60717f1fee8c678e624f54852ee

                                SHA1

                                d9c9828396d19a7f2920af68a4692409f16beaa9

                                SHA256

                                1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24

                                SHA512

                                9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7

                              • \Users\Admin\AppData\Local\Temp\csocjo.exe

                                Filesize

                                756KB

                                MD5

                                d76027fe4cfd48c7f8999c796e50e731

                                SHA1

                                5026422e84bf445e2d141529e2b808187a30d9f6

                                SHA256

                                148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799

                                SHA512

                                2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

                              • \Users\Admin\AppData\Local\Temp\griwpi.exe

                                Filesize

                                393KB

                                MD5

                                3f3a51617811e9581aba50376599efa6

                                SHA1

                                9b26aa73f43a4db9b216b90d1aa3e2e4d602fde8

                                SHA256

                                5f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37

                                SHA512

                                9ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3

                              • \Users\Admin\AppData\Local\Temp\iltrhn.exe

                                Filesize

                                16.5MB

                                MD5

                                d01b812c108576056594805b6e9e7064

                                SHA1

                                290fc3e50cf13a1595f1ba3357285153ac98834d

                                SHA256

                                9a6ac9acc3267fc22ecd8872e3e9d863dce608d609ee06fb0769b599ce669ec4

                                SHA512

                                d3709b4a6760e149bcd774f7648857a47161e7144530e3d1ae700b33861837d494d646bb8accd3980b3ccb955682c9c1ebe2c3f22371fb9566f669c48fb09be4

                              • \Users\Admin\AppData\Local\Temp\vbmfxw.exe

                                Filesize

                                3.1MB

                                MD5

                                86e00d529b3b454a84b942ac916211e3

                                SHA1

                                021c733e5448436b384bf0d3a0ba81f4d0d93f9a

                                SHA256

                                30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53

                                SHA512

                                9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e

                              • memory/1712-490-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1712-492-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1712-494-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1712-496-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1712-498-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1712-500-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2184-20-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2184-21-0x000000001AE40000-0x000000001AEC0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2184-0-0x00000000011D0000-0x00000000011E6000-memory.dmp

                                Filesize

                                88KB

                              • memory/2184-1-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2184-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp

                                Filesize

                                512KB

                              • memory/2184-3-0x0000000000B30000-0x0000000000B94000-memory.dmp

                                Filesize

                                400KB

                              • memory/2472-17-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-19-0x0000000004920000-0x0000000004960000-memory.dmp

                                Filesize

                                256KB

                              • memory/2472-22-0x0000000074130000-0x000000007481E000-memory.dmp

                                Filesize

                                6.9MB

                              • memory/2472-8-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-6-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-4-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-18-0x0000000074130000-0x000000007481E000-memory.dmp

                                Filesize

                                6.9MB

                              • memory/2472-10-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-15-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-13-0x0000000000400000-0x000000000040E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2472-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                Filesize

                                4KB

                              • memory/2480-49-0x00000000020B0000-0x00000000020CA000-memory.dmp

                                Filesize

                                104KB

                              • memory/2480-64-0x000000001A890000-0x000000001A8B2000-memory.dmp

                                Filesize

                                136KB

                              • memory/2480-39-0x0000000000440000-0x0000000000454000-memory.dmp

                                Filesize

                                80KB

                              • memory/2480-40-0x00000000002F0000-0x0000000000300000-memory.dmp

                                Filesize

                                64KB

                              • memory/2480-41-0x0000000000300000-0x0000000000310000-memory.dmp

                                Filesize

                                64KB

                              • memory/2480-42-0x00000000002F0000-0x0000000000308000-memory.dmp

                                Filesize

                                96KB

                              • memory/2480-43-0x0000000000460000-0x0000000000478000-memory.dmp

                                Filesize

                                96KB

                              • memory/2480-44-0x000000001B990000-0x000000001BAEA000-memory.dmp

                                Filesize

                                1.4MB

                              • memory/2480-45-0x000000001BC00000-0x000000001BD5A000-memory.dmp

                                Filesize

                                1.4MB

                              • memory/2480-46-0x000000001B490000-0x000000001B534000-memory.dmp

                                Filesize

                                656KB

                              • memory/2480-48-0x00000000002F0000-0x000000000030A000-memory.dmp

                                Filesize

                                104KB

                              • memory/2480-47-0x000000001B5E0000-0x000000001B684000-memory.dmp

                                Filesize

                                656KB

                              • memory/2480-37-0x0000000000420000-0x000000000043C000-memory.dmp

                                Filesize

                                112KB

                              • memory/2480-50-0x000000001B990000-0x000000001BAB2000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2480-51-0x000000001BD60000-0x000000001BE82000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2480-52-0x00000000020B0000-0x00000000020F4000-memory.dmp

                                Filesize

                                272KB

                              • memory/2480-53-0x000000001A890000-0x000000001A8D4000-memory.dmp

                                Filesize

                                272KB

                              • memory/2480-54-0x000000001A890000-0x000000001A906000-memory.dmp

                                Filesize

                                472KB

                              • memory/2480-56-0x0000000000310000-0x0000000000320000-memory.dmp

                                Filesize

                                64KB

                              • memory/2480-55-0x000000001B490000-0x000000001B506000-memory.dmp

                                Filesize

                                472KB

                              • memory/2480-59-0x000000001A8C0000-0x000000001A8F0000-memory.dmp

                                Filesize

                                192KB

                              • memory/2480-58-0x000000001A890000-0x000000001A8C0000-memory.dmp

                                Filesize

                                192KB

                              • memory/2480-57-0x0000000000870000-0x0000000000880000-memory.dmp

                                Filesize

                                64KB

                              • memory/2480-61-0x000000001B990000-0x000000001BA4A000-memory.dmp

                                Filesize

                                744KB

                              • memory/2480-60-0x000000001B490000-0x000000001B54A000-memory.dmp

                                Filesize

                                744KB

                              • memory/2480-62-0x000000001A890000-0x000000001A8F0000-memory.dmp

                                Filesize

                                384KB

                              • memory/2480-63-0x000000001B490000-0x000000001B4F0000-memory.dmp

                                Filesize

                                384KB

                              • memory/2480-38-0x00000000002F0000-0x0000000000304000-memory.dmp

                                Filesize

                                80KB

                              • memory/2480-65-0x000000001A8C0000-0x000000001A8E2000-memory.dmp

                                Filesize

                                136KB

                              • memory/2480-66-0x000000001BE90000-0x000000001C255000-memory.dmp

                                Filesize

                                3.8MB

                              • memory/2480-67-0x000000001C260000-0x000000001C625000-memory.dmp

                                Filesize

                                3.8MB

                              • memory/2480-68-0x000000001A890000-0x000000001A8AE000-memory.dmp

                                Filesize

                                120KB

                              • memory/2480-69-0x000000001A8F0000-0x000000001A90E000-memory.dmp

                                Filesize

                                120KB

                              • memory/2480-70-0x000000001B490000-0x000000001B50C000-memory.dmp

                                Filesize

                                496KB

                              • memory/2480-71-0x000000001B690000-0x000000001B70C000-memory.dmp

                                Filesize

                                496KB

                              • memory/2480-72-0x000000001B490000-0x000000001B52C000-memory.dmp

                                Filesize

                                624KB

                              • memory/2480-75-0x000000001A890000-0x000000001A898000-memory.dmp

                                Filesize

                                32KB

                              • memory/2480-74-0x0000000002020000-0x0000000002028000-memory.dmp

                                Filesize

                                32KB

                              • memory/2480-73-0x000000001BA50000-0x000000001BAEC000-memory.dmp

                                Filesize

                                624KB

                              • memory/2480-76-0x0000000002020000-0x000000000202E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2480-77-0x000000001A890000-0x000000001A89E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2480-79-0x000000001A8A0000-0x000000001A8A8000-memory.dmp

                                Filesize

                                32KB

                              • memory/2480-78-0x0000000002020000-0x0000000002028000-memory.dmp

                                Filesize

                                32KB

                              • memory/2480-80-0x000000001AB10000-0x000000001AB32000-memory.dmp

                                Filesize

                                136KB

                              • memory/2480-81-0x000000001B310000-0x000000001B332000-memory.dmp

                                Filesize

                                136KB

                              • memory/2480-36-0x00000000002F0000-0x000000000030C000-memory.dmp

                                Filesize

                                112KB

                              • memory/2480-35-0x000000001B490000-0x000000001B50E000-memory.dmp

                                Filesize

                                504KB

                              • memory/2480-34-0x000000001A890000-0x000000001A90E000-memory.dmp

                                Filesize

                                504KB

                              • memory/2480-32-0x0000000000170000-0x000000000017A000-memory.dmp

                                Filesize

                                40KB

                              • memory/2480-33-0x0000000000190000-0x000000000019A000-memory.dmp

                                Filesize

                                40KB

                              • memory/2480-31-0x0000000002100000-0x0000000002180000-memory.dmp

                                Filesize

                                512KB

                              • memory/2480-29-0x0000000000140000-0x000000000014E000-memory.dmp

                                Filesize

                                56KB

                              • memory/2480-30-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

                                Filesize

                                9.9MB

                              • memory/2480-83-0x000000001B1F0000-0x000000001B20A000-memory.dmp

                                Filesize

                                104KB

                              • memory/2480-82-0x000000001AB10000-0x000000001AB2A000-memory.dmp

                                Filesize

                                104KB