Analysis
max time kernel: 123s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 09:10
Static task
static1
Behavioral task
behavioral1
Sample
0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Resource
win7-20240704-en
General
Target: 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Size: 124KB
MD5: 9a1ab17165e7479a824fff589f61ff4c
SHA1: 3e113fde76fd0132f92ba18d8eca697925d1ded3
SHA256: 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05
SHA512: 3af303a03dd9a63dd0efddbf8f56944c5654467ca440e67843253d2461458b9836c8dc678315c347a491b9fc901ec431e166c2ac9f7d40eb2e06e11ad89c86a8
SSDEEP: 1536:A3SHmLKarIpY/LcP50Gb8Tfp804Xel9hx5r6XOcCaWuG3rgQSw8O:AkF3p8LchVYW0Uel9hD6XvCduVQth
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
Deletes itself 1 IoCs
pid | Process
2748 | cmd.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2424 | Logo1_.exe
1324 | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2748 | cmd.exe
2748 | cmd.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
File opened for modification | F:\autorun.inf | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
File created | C:\Windows\Logo1_.exe | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\f767687 | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
File opened for modification | C:\Windows\SYSTEM.INI | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Suspicious use of AdjustPrivilegeToken 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Processes
PID:1116 C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
PID:1172 C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
PID:1208 C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID:2708 C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2748 C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a754F.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1324 C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
    PID:2424 C:\Windows\Logo1_.exe
      cmdline: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2900 C:\Windows\SysWOW64\net.exe
        cmdline: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID:2712 C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
PID:848 C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:2724 C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "1286549379-5854605411942578434-783410810-2026872515818333064-133925999816119696"
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Create or Modify System Process: 1
    Windows Service: 1
Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Impair Defenses: 4
    Disable or Modify System Firewall: 1
    Disable or Modify Tools: 3
  Modify Registry: 5
Downloads
C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe.exe
Filesize: 97KB
MD5: 46556ee3036ad5f36d9e11c707732357
SHA1: c29cda7b177901a11b78e2aed416c17086c332e8
SHA256: a9703618fd528863b15123b95e24f46fdc9cd1968634c1bff2dfffb40ff12746
SHA512: 5081dbd9f14dcea8dc9889213d23fea44460fac1c83ad9b8e97fc669b6ab641b545f084f7cffa3ab13752acd6a8e88601c2078232bb0450de1bd375294046bd1