Analysis
- max time kernel: 21s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2025, 11:32
Behavioral task
behavioral1
Sample
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Resource
win10v2004-20250217-en
General
-
Target
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
-
Size
1.4MB
-
MD5
6b00f6d824861317ec66502dce58904d
-
SHA1
74580a12cbfb253e126545139757a30ee4e079da
-
SHA256
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e
-
SHA512
452fb86e9917945261929b83bcff47ebf39f006fc22629d4ce88dfaaeef4f9bc61668ffbdd3f2e7c5fc613d7fc831091233d470ad1715fb7818cc31988e2e70d
-
SSDEEP
24576:vnsJ39LyjbJkQFMhmC+6GR94dChNRASWgDxPWnP0LamWYC8Eud13:vnsHyjtk2MYC5GRadWHyzGd13
Malware Config
Extracted
xred
xred.mooo.com
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Synaptics.exe
-
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Synaptics.exe
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | Synaptics.exe
-
Executes dropped EXE 3 IoCs
pid | Process
3804 | ._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
2968 | Synaptics.exe
2144 | ._cache_Synaptics.exe
-
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Synaptics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Synaptics.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Synaptics.exe
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5794ae | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
File opened for modification | C:\Windows\SYSTEM.INI | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
File created | C:\Windows\e57b2d5 | Synaptics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
916 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3356 | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
2968 | Synaptics.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3356 | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
916 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Synaptics.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:776
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:780
-
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:336
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2688
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2700
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2892
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:3452
-
C:\Users\Admin\AppData\Local\Temp\344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe "C:\Users\Admin\AppData\Local\Temp\344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe" 2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3356 -
C:\Users\Admin\AppData\Local\Temp\._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe "C:\Users\Admin\AppData\Local\Temp\._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe" 3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3804
-
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate 3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate 4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2144
-
-
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3600
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3796
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3888
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3956
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:4040
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4136
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:1512
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3020
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca 1⤵ PID:4588
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:5092
-
C:\Windows\system32\BackgroundTaskHost.exe "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider 1⤵ PID:2936
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3976
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:2056
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding 1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider 1⤵
PID:3216

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service 1⤵
PID:4196

Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)

Downloads
C:\Users\Admin\AppData\Local\Temp\._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
Filesize 636KB