Analysis

max time kernel: 24s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 22:38
Static task: static1

Behavioral task: behavioral1
Sample: 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe
Resource: win10v2004-20240802-en

The signatures, memory dumps and process tree below come from behavioral2 (the win10v2004 run); every memory-dump resource is prefixed behavioral2/.
General

Target: 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe
Size: 1020KB
MD5: f1153df2b31f0fb3b39f0d91f085e620
SHA1: 7bee8c6d064d1437cef446bba061519b2f1c92d1
SHA256: 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5
SHA512: 0be6e1e7dd0af76b5be42fb96c993fdd577cd46192204972b1840fa9c0814338b37c54a73e0a24d97466dc121644cf479f3a5334362610afa1131dbcbe96d4bd
SSDEEP: 24576:HMWKyCGE3LRCzMeHhxSacpSqr70ftGi7t4T4LcaCrHPIXhEc+3:HvGRoUpfqj20L6HPIXhEcw
Malware Config

Extracted family: sality
URLs decoded from the sample's embedded configuration (network IoCs):
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Process column throughout: 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe is the submitted sample (PID 4104); 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe, with a space before the extension, is the copy it drops and runs (PID 2556). The PID mapping comes from the process tree at the end of the report.

UAC bypass 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
EnableLUA = 0 switches UAC off from the next logon. The same two writes are counted again under "Checks whether UAC is enabled" and "System policy modification" below; it is one registry operation per process, not three.

Windows security bypass 12 IoCs
Each of the six values below under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ is set (int) to "1" once by 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104) and once by 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556):
UacDisableNotify
AntiVirusDisableNotify
FirewallDisableNotify
UpdatesDisableNotify
AntiVirusOverride
FirewallOverride
These values silence Security Center notifications for UAC, antivirus, firewall and updates and mark the AV and firewall state as overridden. The WOW6432Node path shows a 32-bit process writing through the registry redirector (the sample is tagged arch:x86 and its children run from SysWOW64).
Disables RegEdit via registry modification 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
This is written to the user hive (SID …-1000, the sandbox user), so the lockout applies to that profile rather than machine-wide.
Disables Task Manager via registry modification
(No IoC rows are shown for this signature in the report.)
Modifies Windows Firewall 2 TTPs 2 IoCs
PID | Process
1116 | netsh.exe
4676 | netsh.exe
Both instances run the command line shown in the process tree, netsh firewall set opmode disable. That is the legacy pre-advfirewall syntax; Windows 10 still accepts it (with a deprecation notice), so the call does disable the firewall profile. One netsh is spawned by the original sample and one by its copy.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Deletes itself 1 IoCs
PID | Process
2556 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe

Executes dropped EXE 1 IoCs
PID | Process
2556 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe
The dropped EXE is a copy of the sample in the same Temp directory whose name differs from the original only by the space before ".exe"; the copy is the process flagged for self-deletion.
Windows security modification 14 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | once each by PID 4104 and PID 2556
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | once each by PID 4104 and PID 2556
(PID 4104 = 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe, PID 2556 = 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe.) The six value writes are the same ones listed under "Windows security bypass"; the new rows here are the two creations of the Security Center\Svc key.
Adds Run key to start application 2 TTPs 1 IoCs
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mc42.exe = "C:\\WINDOWS\\mc42.exe" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
The Run target is the file created under "Drops file in Windows directory" below. A machine-wide autorun value pointing at an executable placed directly in C:\WINDOWS, rather than in a vendor directory, is an easy condition to hunt for across a fleet.
Checks whether UAC is enabled 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
(The same two writes as under "UAC bypass".)
YARA rule match: upx 13 IoCs
Resource | yara_rule
behavioral2/memory/4104-1-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4104-4-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4104-13-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4104-32-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4104-51-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/2556-64-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-67-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-74-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-76-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-77-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-91-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-96-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
behavioral2/memory/2556-100-0x000000000A5F0000-0x000000000B623000-memory.dmp | upx
The rule matched successive dumps of one region per process, 0x1033000 bytes (about 16 MB) in both the original (PID 4104, 0x02370000) and the copy (PID 2556, 0x0A5F0000); the match is on memory, not on the file as it sits on disk.
Drops file in Program Files directory 19 IoCs
Description | IoC | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall .exe | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget .exe | PID 4104
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE .exe | PID 4104
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32 .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32 .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection .exe | PID 4104
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare .exe | PID 4104
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE .exe | PID 4104
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | PID 4104
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | PID 2556
Note the naming pattern: for filecompare, DATABASECOMPARE and SPREADSHEETCOMPARE the report shows a companion "name .exe" (space before the extension) being created and then both the companion and the original "name.exe" being opened for modification; most other rows are companions of existing executables under Program Files. The sample's own copy (PID 2556) carries the same space-before-extension name. This is the file-infection footprint one expects from the sality family named in the extracted config, and a search for "* .exe" file names under Program Files is a direct way to find affected hosts.
Drops file in Windows directory 2 IoCs
Description | IoC | Process
File opened for modification | C:\Windows\SYSTEM.INI | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
File created | C:\WINDOWS\mc42.exe | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
mc42.exe is the target of the Run key listed above.
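The registry writes, the netsh command line and the Program Files drops above together form one host-tamper sequence. The following is an added example (mine, not code from the Triage report or from the Sality sample) that transcribes a few of those rows into plain event tuples and scores them against a small tamper ruleset. The Event structure, the event kinds and the tag names are this example's own conventions rather than Triage's export format, and the netsh advfirewall variant in the rule goes beyond what this sample ran; the sample rows are constructed from the report for offline use.

```python
"""Score sandbox IoC rows against a small host-tamper ruleset.

Added example, not part of the Triage report or the Sality sample. EVENTS is
constructed by transcribing rows from the report (registry writes, the netsh
command line, Program Files drops) into (kind, process, detail) tuples; the
kinds, tags and the Event class are this example's own conventions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # reg_set | proc | file_create | file_modify
    process: str   # image that performed the action
    detail: str    # '<regpath> = "<value>"', a command line, or a file path


# Registry values whose listed setting switches a protection off.
TAMPER_VALUES = {
    r"policies\system\enablelua": ("0", "uac_disabled"),
    r"policies\system\disableregistrytools": ("1", "regedit_disabled"),
    r"policies\system\disabletaskmgr": ("1", "taskmgr_disabled"),
    r"security center\antivirusdisablenotify": ("1", "sc_notify_off"),
    r"security center\firewalldisablenotify": ("1", "sc_notify_off"),
    r"security center\updatesdisablenotify": ("1", "sc_notify_off"),
    r"security center\uacdisablenotify": ("1", "sc_notify_off"),
    r"security center\antivirusoverride": ("1", "sc_override"),
    r"security center\firewalloverride": ("1", "sc_override"),
}
# Legacy "netsh firewall" syntax (what this sample ran) and the advfirewall form.
NETSH_FW_OFF = re.compile(
    r"^netsh\s+(firewall\s+set\s+opmode\s+(mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
# "name .exe": a space before the extension, as in the dropped companions.
COMPANION = re.compile(r"^(.+) \.exe$", re.I)


def _split_reg(detail: str) -> tuple[str, str]:
    """Return (lower-cased key path, value without quotes) from a 'path = "v"' row."""
    path, _, value = detail.partition(" = ")
    return path.lower(), value.strip('"')


def classify(ev: Event) -> set[str]:
    """Tags raised by one event; an empty set means the ruleset has nothing to say."""
    tags: set[str] = set()
    if ev.kind == "reg_set":
        path, value = _split_reg(ev.detail)
        for suffix, (bad, tag) in TAMPER_VALUES.items():
            if path.endswith(suffix) and value == bad:
                tags.add(tag)
        if "\\currentversion\\run\\" in path:
            tags.add("run_key_persistence")
            # The report renders the value with doubled backslashes; collapse them.
            target = value.replace("\\\\", "\\").lower()
            if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", target):
                tags.add("run_target_in_windows_root")
    elif ev.kind == "proc" and NETSH_FW_OFF.match(ev.detail):
        tags.add("firewall_disabled_via_netsh")
    elif ev.kind == "file_create" and COMPANION.match(ev.detail):
        tags.add("companion_exe_dropped")
    return tags


def triage(events: list[Event]) -> dict[str, set[str]]:
    """Union of tags per acting process."""
    out: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        out[ev.process] |= classify(ev)
    return dict(out)


def companion_pairs(events: list[Event]) -> list[tuple[str, str]]:
    """(original, companion) pairs: 'X .exe' was created and 'X.exe' was also touched."""
    touched = {ev.detail.lower() for ev in events if ev.kind == "file_modify"}
    pairs = []
    for ev in events:
        m = COMPANION.match(ev.detail) if ev.kind == "file_create" else None
        if m and (m.group(1) + ".exe").lower() in touched:
            pairs.append((m.group(1) + ".exe", ev.detail))
    return pairs


# Constructed from the report's rows (not a Triage export).
PARENT = "581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe"
COPY = PARENT[:-4] + " .exe"   # the dropped copy: space before the extension
PF = r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF"
EVENTS = [
    Event("reg_set", PARENT, r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    Event("reg_set", COPY, r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"'),
    Event("reg_set", PARENT, r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"'),
    Event("reg_set", PARENT, r'\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"'),
    Event("reg_set", PARENT, r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mc42.exe = "C:\\WINDOWS\\mc42.exe"'),
    Event("proc", "netsh.exe", "netsh firewall set opmode disable"),
    Event("file_create", PARENT, PF + "\\filecompare .exe"),
    Event("file_modify", PARENT, PF + "\\filecompare.exe"),
    Event("file_create", PARENT, PF + "\\DATABASECOMPARE .exe"),
    Event("file_modify", PARENT, PF + "\\DATABASECOMPARE.EXE"),
    Event("file_modify", COPY, r"C:\PROGRAM FILES\7-ZIP\7z.exe"),
]

if __name__ == "__main__":
    for proc, tags in triage(EVENTS).items():
        print(f"{proc}: {sorted(tags)}")
    for original, companion in companion_pairs(EVENTS):
        print(f"infected pair: {original} <-> {companion}")
```

The ruleset keys on the value written, not just the key touched, so a legitimate EnableLUA = 1 produces no tag; the companion check pairs each created "name .exe" with a modified "name.exe" case-insensitively, which is how the DCF\DATABASECOMPARE.EXE row is matched to its lower-case companion.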
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). (No IoC rows are shown for this signature.)
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Description | IoC | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
(The three rows repeat once per netsh instance, PID 1116 and PID 4676.)
All six operations are reads of the NetSh helper key, which netsh performs on every start to load its registered helpers. Nothing on this page shows a helper DLL being registered, so these rows are a side effect of the two firewall commands, not evidence that Netsh-helper persistence was installed.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
NTFS ADS 14 IoCs
Description | IoC | Process
All 14 rows are "File opened for modification" by 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104):
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui
C:\Users\Admin\AppData\Local\Temp\ C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui
Each IoC is two absolute paths run together (the Temp directory followed by a Program Files path), so the only colon beyond the first drive letter is the second "C:"; there is no file:stream name. These rows are most likely a path-construction artefact of the sample rather than confirmed alternate-data-stream writes. Check the raw file events before reporting ADS use.
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID | Process | Rows
4104 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe | 2
2556 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
Description | PID | Process | Rows
Token: SeDebugPrivilege | 4104 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe | 64 identical rows
SeDebugPrivilege is disabled by default even in an elevated token; enabling it lets the process bypass the DACL on other processes, which it needs for targets that run under other accounts such as fontdrvhost.exe and dwm.exe in the WriteProcessMemory table below. Only the original sample (PID 4104) appears here; the copy (PID 2556) writes into the same processes but no token adjustment is listed for it.
Suspicious use of WriteProcessMemory 54 IoCs
Source PID | Source process | Target PID | Target process (from the process tree) | procid_target | Rows
4104 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe | 760 | fontdrvhost.exe | 8 | 1
4104 | same | 768 | fontdrvhost.exe | 9 | 1
4104 | same | 60 | dwm.exe | 13 | 1
4104 | same | 2564 | sihost.exe | 44 | 1
4104 | same | 2588 | svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 45 | 1
4104 | same | 2788 | taskhostw.exe | 47 | 1
4104 | same | 3524 | Explorer.EXE | 56 | 1
4104 | same | 3672 | svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 57 | 1
4104 | same | 3848 | DllHost.exe | 58 | 1
4104 | same | 3940 | StartMenuExperienceHost.exe | 59 | 1
4104 | same | 4004 | RuntimeBroker.exe | 60 | 1
4104 | same | 4088 | SearchApp.exe | 61 | 1
4104 | same | 3700 | RuntimeBroker.exe | 62 | 1
4104 | same | 2688 | TextInputHost.exe | 75 | 1
4104 | same | 3220 | (not listed in the process tree) | 76 | 1
4104 | same | 1116 | netsh.exe | 82 | 3
4104 | same | 2556 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe | 84 | 3
2556 | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe | 760 | fontdrvhost.exe | 8 | 2
2556 | same | 768 | fontdrvhost.exe | 9 | 2
2556 | same | 60 | dwm.exe | 13 | 2
2556 | same | 4676 | netsh.exe | 85 | 3
2556 | same | 2564 | sihost.exe | 44 | 2
2556 | same | 2588 | svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 45 | 2
2556 | same | 2788 | taskhostw.exe | 47 | 2
2556 | same | 3524 | Explorer.EXE | 56 | 2
2556 | same | 3672 | svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 57 | 2
2556 | same | 3848 | DllHost.exe | 58 | 2
2556 | same | 3940 | StartMenuExperienceHost.exe | 59 | 2
2556 | same | 4004 | RuntimeBroker.exe | 60 | 2
2556 | same | 4088 | SearchApp.exe | 61 | 2
2556 | same | 3700 | RuntimeBroker.exe | 62 | 2
2556 | same | 2688 | TextInputHost.exe | 75 | 2
2556 | same | 3220 | (not listed in the process tree) | 76 | 2
Reading the table: the three writes into each freshly spawned child (1116, 2556 and 4676) are the ordinary writes a parent makes while starting a process. Everything else goes into processes that were already running when the sample started, including fontdrvhost.exe and dwm.exe, which run under other accounts. Both the original and its copy fan out across every process in the interactive session, which is the behaviour expected of the sality family named in the extracted config.
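To make the fan-out pattern above mechanical, here is an added example (mine, not code from the Triage report or from the Sality sample) that rebuilds the write graph from the table and separates writes into a process's own new children from writes into unrelated, already-running processes. WRITES, IMAGES and CHILDREN are transcribed from the report's rows and process tree; PID 3220 is a write target the visible tree does not list, and the fan-out threshold is this example's own assumption.

```python
"""Reconstruct the cross-process write graph from a sandbox 'PID A wrote to
memory of PID B' table and separate writes a parent makes into its own new
children (normal process start-up) from writes into unrelated processes that
were already running, which is the injection pattern.

Added example; not part of the Triage report. WRITES, IMAGES and CHILDREN are
transcribed from the report's WriteProcessMemory rows and process tree (PID
3220 is a write target that the visible process tree does not list). The
fan-out threshold is this example's own assumption.
"""
from collections import defaultdict

PARENT = "581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe"
COPY = PARENT[:-4] + " .exe"  # the dropped copy: same name, space before the extension

# Already-running session processes that both sample instances wrote into.
SESSION_TARGETS = (760, 768, 60, 2564, 2588, 2788, 3524, 3672, 3848, 3940,
                   4004, 4088, 3700, 2688, 3220)

# One (source, target) pair per report row, repeats kept: 54 rows in total.
WRITES = (
    [(4104, t) for t in SESSION_TARGETS]
    + [(4104, 1116)] * 3 + [(4104, 2556)] * 3
    + [(2556, t) for t in (760, 768, 60)] + [(2556, 4676)] * 3
    + [(2556, t) for t in SESSION_TARGETS[3:]]
    + [(2556, t) for t in SESSION_TARGETS]
)

# PID -> image, from the process tree.
IMAGES = {
    760: "fontdrvhost.exe", 768: "fontdrvhost.exe", 60: "dwm.exe",
    2564: "sihost.exe", 2588: "svchost.exe (CDPUserSvc)", 2788: "taskhostw.exe",
    3524: "Explorer.EXE", 4104: PARENT, 1116: "netsh.exe", 2556: COPY,
    4676: "netsh.exe", 1352: "NOTEPAD.EXE", 3672: "svchost.exe (cbdhsvc)",
    3848: "DllHost.exe", 3940: "StartMenuExperienceHost.exe",
    4004: "RuntimeBroker.exe", 4088: "SearchApp.exe", 3700: "RuntimeBroker.exe",
    2688: "TextInputHost.exe",
}
# Parent -> children, from the process tree.
CHILDREN = {4104: {1116, 2556}, 2556: {4676, 1352}}


def image(pid: int) -> str:
    return IMAGES.get(pid, "<not in process tree>")


def write_graph(writes) -> dict[int, set[int]]:
    """Distinct targets per writing process."""
    graph: dict[int, set[int]] = defaultdict(set)
    for src, dst in writes:
        graph[src].add(dst)
    return dict(graph)


def foreign_targets(writes, children) -> dict[int, set[int]]:
    """Targets that are not the writer's own children, i.e. already-running processes."""
    return {src: dsts - children.get(src, set())
            for src, dsts in write_graph(writes).items()}


def flag_injectors(writes, children, min_targets: int = 5) -> list[tuple[int, int]]:
    """(pid, foreign target count) for writers at or above the fan-out threshold."""
    hits = [(src, len(dsts)) for src, dsts in foreign_targets(writes, children).items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def report(writes, children) -> list[str]:
    """One human-readable line per flagged writer."""
    lines = []
    foreign = foreign_targets(writes, children)
    for src, n in flag_injectors(writes, children):
        names = sorted({image(t) for t in foreign[src]})
        lines.append(f"PID {src} ({image(src)}) wrote into {n} already-running "
                     f"processes: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(WRITES, CHILDREN)))
```

Subtracting the writer's own children is what keeps the two netsh instances and the dropped copy out of the injection count: in this report each of those receives exactly three writes from its parent, which is the start-up pattern, while the fifteen session processes receive writes from both sample instances and survive the filter.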
System policy modification 1 TTPs 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe (PID 4104)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe (PID 2556)
(The same two writes as under "UAC bypass".)
Processes
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:760
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
-
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
-
C:\Windows\system32\sihost.exe | sihost.exe | PID:2564
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2588
-
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2788
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3524
    C:\Users\Admin\AppData\Local\Temp\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe | "C:\Users\Admin\AppData\Local\Temp\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe" | PID:4104
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:1116
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe | "C:\Users\Admin\AppData\Local\Temp\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe" | PID:2556
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Deletes itself
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
            C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:4676
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID:1352
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3672
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3848
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3940
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4004
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4088
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3700
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2688
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3220
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E579C5F_Rar\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N.exe
Filesize: 948KB
MD5: a62f4161fc58519789168c49a3a06881
SHA1: bb30c49aa8b56a4a9e0df96fafe21f91cbd24b52
SHA256: 752af753b84910f8c8853703906d8bdcd252760571645e1d5c6867c9c9d1fc7d
SHA512: 61f56aeb8ffb932ed7eb5912c4e4817b523bd19cc420ea7cdc2709baebf474059afc6a9cd0a5df1c1da06e3c8cf09cd944d4ea7efeb54e6c4c8394bc9c022025
-
C:\Users\Admin\AppData\Local\Temp\581f0b4888d607698b78abd6359f6862fc189228973bb32a5cabd354f33a89c5N .exe
Filesize: 912KB
MD5: cf3064582255132aaf515df006867a50
SHA1: 2d57ade3f97bcb5bfd309b32929f343ccd08a0af
SHA256: 943c14b66c6330c29eddc4cf40d54a333be4fb4e6b21e1555bf91bd72d9b0893
SHA512: 0a82f0a613a08491b0c023b0e86ef1b1dc70c057d74274606c7e27b1682480e831f6c5ae93e4433bdb05a01447c95851ccc72a72163c1dc757e138478d10a39a
-
Filesize: 112KB
MD5: 528132323bbdc6b900b403cf5ed72e35
SHA1: e26bdbfe07436909473db2e26aa06adf4a9e42c6
SHA256: 37ccadd739dfe523825c40085a69b3c5f9fe42ac7bf82c5242ab02d4a93e313c
SHA512: 3a285328839ff6a394017af11681e6e8fc6e0c543a4fbc495df5c11514c602db090c03ef60c6417d63755d3fc151b2929b4cf88c30cf85f4e02b20a5cc44b0d4
-
Filesize: 258B
MD5: 588526b5faea64f9bc6d6f0ae51a9d85
SHA1: fe3f2cfc8ecc0d056a2613a4d5f6a9e8f6d4af88
SHA256: b16f043c3bedc4de42cad75d88322d0d40bb37731add15d6689a22c52aed4bcb
SHA512: 2758ae58b5ae179a705b10cf51b3b810901e3e118357406092e5bb41eaf0fb310152ca23e2541f4142777a4ee86ccef6f3afb5ddf7d065cf08821741d1720245