Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03/01/2025, 16:40
Static task
static1
Behavioral task
behavioral1
Sample
4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe
Resource
win7-20240729-en
General
-
Target
4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe
-
Size
140KB
-
MD5
12de2869d5074ab3984e54fc70f940b0
-
SHA1
f5a6e64293a354a5cfd69f8a8ebd9818e1311a0e
-
SHA256
4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167
-
SHA512
da9b820f647b7a03b31473bc1b73da6ae1bfee496f83a36c3280bea16122814b40b12654079fdb98e31ff08b6d4e34b93a1651a48631d9297fbfbb665147c81e
-
SSDEEP
3072:XxbfwkAbfZ2lQBV+UdE+rECWp7hKuNSGi:XFytBV+UdvrEFp7hK1
Malware Config
Signatures
-
Floxif family
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68262\\Ja280254bLay.com\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O06170Z\\TuxO06170Z.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68262\\Ja280254bLay.com\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O06170Z\\TuxO06170Z.exe\"" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68262\\Ja280254bLay.com\"" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O06170Z\\TuxO06170Z.exe\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68262\\Ja280254bLay.com\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O06170Z\\TuxO06170Z.exe\"" EmangEloh.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" service.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" service.exe -
Detects Floxif payload 1 IoCs
resource yara_rule behavioral1/files/0x00080000000120fe-3.dat floxif -
Disables RegEdit via registry modification 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" service.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x00080000000120fe-3.dat acprotect -
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd winlogon.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd service.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd smss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd EmangEloh.exe -
Executes dropped EXE 4 IoCs
pid Process 2896 service.exe 2808 smss.exe 3040 EmangEloh.exe 2460 winlogon.exe -
Loads dropped DLL 18 IoCs
pid Process 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 2896 service.exe 2896 service.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 2808 smss.exe 2808 smss.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3040 EmangEloh.exe 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 3040 EmangEloh.exe 2460 winlogon.exe 2460 winlogon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T70Z516 = "C:\\Windows\\sa-188521.exe" EmangEloh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1682521TT4 = "C:\\Windows\\system32\\45162178306l.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T70Z516 = "C:\\Windows\\sa-188521.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1682521TT4 = "C:\\Windows\\system32\\45162178306l.exe" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T70Z516 = "C:\\Windows\\sa-188521.exe" service.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1682521TT4 = "C:\\Windows\\system32\\45162178306l.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T70Z516 = "C:\\Windows\\sa-188521.exe" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1682521TT4 = "C:\\Windows\\system32\\45162178306l.exe" EmangEloh.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\w: service.exe File opened (read-only) \??\e: service.exe File opened (read-only) \??\s: service.exe File opened (read-only) \??\v: service.exe File opened (read-only) \??\v: winlogon.exe File opened (read-only) \??\h: service.exe File opened (read-only) \??\k: service.exe File opened (read-only) \??\m: service.exe File opened (read-only) \??\l: smss.exe File opened (read-only) \??\k: EmangEloh.exe File opened (read-only) \??\N: EmangEloh.exe File opened (read-only) \??\x: winlogon.exe File opened (read-only) \??\i: service.exe File opened (read-only) \??\o: service.exe File opened (read-only) \??\t: smss.exe File opened (read-only) \??\m: EmangEloh.exe File opened (read-only) \??\o: winlogon.exe File opened (read-only) \??\g: winlogon.exe File opened (read-only) \??\k: winlogon.exe File opened (read-only) \??\l: winlogon.exe File opened (read-only) \??\m: smss.exe File opened (read-only) \??\o: EmangEloh.exe File opened (read-only) \??\z: EmangEloh.exe File opened (read-only) \??\w: winlogon.exe File opened (read-only) \??\y: winlogon.exe File opened (read-only) \??\q: service.exe File opened (read-only) \??\t: service.exe File opened (read-only) \??\p: smss.exe File opened (read-only) \??\j: EmangEloh.exe File opened (read-only) \??\p: winlogon.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\s: EmangEloh.exe File opened (read-only) \??\u: EmangEloh.exe File opened (read-only) \??\h: winlogon.exe File opened (read-only) \??\e: smss.exe File opened (read-only) \??\g: smss.exe File opened (read-only) \??\u: service.exe File opened (read-only) \??\r: EmangEloh.exe File opened (read-only) \??\w: EmangEloh.exe File opened (read-only) \??\m: winlogon.exe File opened (read-only) \??\l: service.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\v: smss.exe File opened (read-only) \??\h: EmangEloh.exe File opened (read-only) \??\v: EmangEloh.exe File opened (read-only) \??\u: winlogon.exe File opened (read-only) \??\j: service.exe File opened (read-only) \??\x: EmangEloh.exe File opened (read-only) \??\t: winlogon.exe File opened (read-only) \??\r: smss.exe File opened (read-only) \??\y: smss.exe File opened (read-only) \??\g: EmangEloh.exe File opened (read-only) \??\j: smss.exe File opened (read-only) \??\w: smss.exe File opened (read-only) \??\q: EmangEloh.exe File opened (read-only) \??\i: winlogon.exe File opened (read-only) \??\q: winlogon.exe File opened (read-only) \??\r: service.exe File opened (read-only) \??\s: smss.exe File opened (read-only) \??\x: smss.exe File opened (read-only) \??\i: EmangEloh.exe File opened (read-only) \??\k: smss.exe File opened (read-only) \??\y: EmangEloh.exe File opened (read-only) \??\p: service.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification \??\c:\Windows\SysWOW64\IME\shared\THe Best Ungu .scr service.exe File created C:\Windows\SysWOW64\451621078306l.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Windows\SysWOW64\X84667go\Z451621cie.cmd service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\45162178306l.exe smss.exe File opened for modification C:\Windows\SysWOW64\X84667go\Z451621cie.cmd EmangEloh.exe File opened for modification C:\Windows\SysWOW64\45162178306l.exe winlogon.exe File created \??\c:\Windows\SysWOW64\IME\shared\THe Best Ungu .scr service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created C:\Windows\SysWOW64\45162178306l.exe EmangEloh.exe File opened for modification C:\Windows\SysWOW64\X84667go\Z451621cie.cmd winlogon.exe File created C:\Windows\SysWOW64\45162178306l.exe winlogon.exe File created \??\c:\Windows\SysWOW64\IME\shared\RaHasIA .exe service.exe File opened for modification \??\c:\Windows\SysWOW64\IME\shared\RaHasIA .exe service.exe File opened for modification C:\Windows\SysWOW64\451621078306l.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created C:\Windows\SysWOW64\45162178306l.exe service.exe File opened for modification C:\Windows\SysWOW64\45162178306l.exe service.exe File opened for modification C:\Windows\SysWOW64\X84667go\Z451621cie.cmd smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll EmangEloh.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll winlogon.exe File created C:\Windows\SysWOW64\X84667go\Z451621cie.cmd 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll service.exe File opened for modification C:\Windows\SysWOW64\45162178306l.exe smss.exe File opened for modification C:\Windows\SysWOW64\45162178306l.exe EmangEloh.exe -
resource yara_rule behavioral1/memory/3052-5-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/files/0x00080000000120fe-3.dat upx behavioral1/memory/2896-66-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-79-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3052-78-0x0000000003150000-0x000000000316C000-memory.dmp upx behavioral1/memory/3052-77-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-126-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-133-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-142-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3052-139-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-129-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-257-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-292-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-319-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-321-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-317-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-351-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-349-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-347-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-345-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-401-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-403-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-405-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-407-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-433-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-435-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-463-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-461-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-489-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-491-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-493-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-495-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-542-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-544-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-546-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-548-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-574-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2460-578-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-576-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-572-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2896-625-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/3040-629-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2808-627-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Drops file in Program Files directory 16 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Norman virus Control 5.18 .exe service.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe service.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Blink 182 .exe service.exe File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr service.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Windows Vista setup .scr service.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr service.exe File created C:\Program Files\Common Files\System\symsrv.dll 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created \??\c:\Program Files\DVD Maker\Shared\Titip Folder Jangan DiHapus .exe service.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Windows Vista setup .scr service.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\RaHasIA .exe service.exe File created \??\c:\program files\common files\system\symsrv.dll.000 smss.exe File created \??\c:\Program Files\Common Files\Microsoft Shared\Norman virus Control 5.18 .exe service.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe service.exe File created \??\c:\Program Files (x86)\Google\Update\Download\RaHasIA .exe service.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Blink 182 .exe service.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\sa-188521.exe EmangEloh.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\RaHasIA .exe service.exe File opened for modification C:\Windows\system\msvbvm60.dll EmangEloh.exe File created \??\c:\Windows\Downloaded Program Files\Gallery .scr service.exe File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Love Song .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\Data DosenKu .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\Gallery .scr service.exe File created C:\Windows\Ti078306ta.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created C:\Windows\M68262\EmangEloh.exe smss.exe File created C:\Windows\M68262\Ja280254bLay.com smss.exe File created C:\Windows\M68262\EmangEloh.exe EmangEloh.exe File opened for modification \??\c:\Windows\Downloaded Program Files\Gallery .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\Love Song .scr service.exe File opened for modification C:\Windows\M68262 EmangEloh.exe File created C:\Windows\M68262\smss.exe EmangEloh.exe File opened for modification C:\Windows\Ti78306ta.exe EmangEloh.exe File created C:\Windows\M68262\smss.exe winlogon.exe File opened for modification C:\Windows\M68262\EmangEloh.exe winlogon.exe File opened for modification C:\Windows\sa-188521.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\TutoriaL HAcking .exe service.exe File created C:\Windows\sa-188521.exe EmangEloh.exe File created C:\Windows\M68262\Ja280254bLay.com winlogon.exe File created \??\c:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\Love Song .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\THe Best Ungu .scr service.exe File opened for modification C:\Windows\M68262 service.exe File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\Windows Vista setup .scr service.exe File opened for modification C:\Windows\[TheMoonlight].txt service.exe File created C:\Windows\Ti78306ta.exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\TutoriaL HAcking .exe service.exe File created C:\Windows\system\msvbvm60.dll 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\Norman virus Control 5.18 .exe service.exe File opened for modification C:\Windows\system\msvbvm60.dll service.exe File opened for modification C:\Windows\M68262\EmangEloh.exe service.exe File opened for modification C:\Windows\M68262\Ja280254bLay.com smss.exe File opened for modification C:\Windows\[TheMoonlight].txt winlogon.exe File created \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\THe Best Ungu .scr service.exe File opened for modification C:\Windows\M68262\EmangEloh.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\Gallery .scr service.exe File opened for modification C:\Windows\Ti078306ta.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Windows\M68262\Ja280254bLay.com 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Windows\M68262 smss.exe File created C:\Windows\Ti78306ta.exe winlogon.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\Blink 182 .exe service.exe File opened for modification C:\Windows\M68262 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File created C:\Windows\M68262\smss.exe 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe File opened for modification C:\Windows\sa-188521.exe smss.exe File created C:\Windows\[TheMoonlight].txt smss.exe File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\Gallery .scr service.exe File created \??\c:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\Data DosenKu .exe service.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\RaHasIA .exe service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EmangEloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" service.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2808 smss.exe 2808 smss.exe 2808 smss.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe Token: SeDebugPrivilege 2896 service.exe Token: SeDebugPrivilege 2808 smss.exe Token: SeDebugPrivilege 3040 EmangEloh.exe Token: SeDebugPrivilege 2460 winlogon.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 2896 service.exe 2808 smss.exe 3040 EmangEloh.exe 2460 winlogon.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2896 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 30 PID 3052 wrote to memory of 2896 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 30 PID 3052 wrote to memory of 2896 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 30 PID 3052 wrote to memory of 2896 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 30 PID 3052 wrote to memory of 2808 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 31 PID 3052 wrote to memory of 2808 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 31 PID 3052 wrote to memory of 2808 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 31 PID 3052 wrote to memory of 2808 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 31 PID 3052 wrote to memory of 3040 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 32 PID 3052 wrote to memory of 3040 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 32 PID 3052 wrote to memory of 3040 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 32 PID 3052 wrote to memory of 3040 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 32 PID 3052 wrote to memory of 2460 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 33 PID 3052 wrote to memory of 2460 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 33 PID 3052 wrote to memory of 2460 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 33 PID 3052 wrote to memory of 2460 3052 4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe"C:\Users\Admin\AppData\Local\Temp\4a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O06170Z\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O06170Z\service.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\M68262\smss.exe"C:\Windows\M68262\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2808
-
-
C:\Windows\M68262\EmangEloh.exe"C:\Windows\M68262\EmangEloh.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3040
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O06170Z\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O06170Z\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2460
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD51130c911bf5db4b8f7cf9b6f4b457623
SHA148e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA51294e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
-
Filesize
140KB
MD512de2869d5074ab3984e54fc70f940b0
SHA1f5a6e64293a354a5cfd69f8a8ebd9818e1311a0e
SHA2564a9f8c11487b8dc6a95cd72ce27a3f022c3fa5deefc981f1871b1bd9b2eea167
SHA512da9b820f647b7a03b31473bc1b73da6ae1bfee496f83a36c3280bea16122814b40b12654079fdb98e31ff08b6d4e34b93a1651a48631d9297fbfbb665147c81e
-
Filesize
109B
MD568c7836c8ff19e87ca33a7959a2bdff5
SHA1cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA5123656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
64KB
MD5d0824d179d20045967001e30a65684e2
SHA1120be0c0bcb41b1b55d1e48aea7a14e8e807ae8a
SHA25611f04f6be74a26bf5612fe4fedbf220c262cc42450cbddeecd1ca60c1169fd86
SHA512e42ceebbb429a2b2a66483a563b037c2f3dd58bd2d3d07d5a3a5950eaec0a94042ef1455d9b65f952f779f131ae8aeab44f545411b499bc0737c7c8ce69358fa