Analysis
max time kernel: 191s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2022, 18:40
Behavioral task: behavioral1
Sample: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Resource: win7-20220812-en
General
Target: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Size: 255KB
MD5: 0a4c8c0364ca55889b01f2e5f96640a9
SHA1: 0f4378d08797b2151a8e6710bfdc7898689f3237
SHA256: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139
SHA512: 92623092213d9afdd3635c5d44af50f14b54d3a37280daf47f743224570e33ef3069aef8afef919cd48e61dc9efeb5b33ff1944a6ebeca9b493114ef5cfeb0ef
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" uskewmevme.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" uskewmevme.exe
-
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" uskewmevme.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" uskewmevme.exe
-
Executes dropped EXE 5 IoCs
pid Process
1544 uskewmevme.exe
1416 vofyhfvqipsrbcu.exe
1732 krwodezn.exe
1932 pyaedxnpeagyp.exe
564 krwodezn.exe
-
Loads dropped DLL 5 IoCs
pid Process
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
1544 uskewmevme.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" uskewmevme.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pyaedxnpeagyp.exe" vofyhfvqipsrbcu.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run vofyhfvqipsrbcu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hutrsauj = "uskewmevme.exe" vofyhfvqipsrbcu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqyxoenq = "vofyhfvqipsrbcu.exe" vofyhfvqipsrbcu.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" uskewmevme.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" uskewmevme.exe
-
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File created C:\Windows\SysWOW64\uskewmevme.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\SysWOW64\uskewmevme.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created C:\Windows\SysWOW64\krwodezn.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll uskewmevme.exe
File created C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\SysWOW64\krwodezn.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created C:\Windows\SysWOW64\pyaedxnpeagyp.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\SysWOW64\pyaedxnpeagyp.exe 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
-
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal krwodezn.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe krwodezn.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe krwodezn.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe krwodezn.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal krwodezn.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal krwodezn.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe krwodezn.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe krwodezn.exe
-
Drops file in Windows directory 5 IoCs
description ioc Process
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
868 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
1544 uskewmevme.exe
1416 vofyhfvqipsrbcu.exe
1732 krwodezn.exe
1932 pyaedxnpeagyp.exe
564 krwodezn.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
1544 uskewmevme.exe
1416 vofyhfvqipsrbcu.exe
1732 krwodezn.exe
1932 pyaedxnpeagyp.exe
564 krwodezn.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
1544 uskewmevme.exe
1416 vofyhfvqipsrbcu.exe
1732 krwodezn.exe
1932 pyaedxnpeagyp.exe
564 krwodezn.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
868 WINWORD.EXE
868 WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 916 wrote to memory of 1544 916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe 27
PID 916 wrote to memory of 1416 916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe 28
PID 916 wrote to memory of 1732 916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe 29
PID 916 wrote to memory of 1932 916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe 30
PID 1544 wrote to memory of 564 1544 uskewmevme.exe 31
PID 916 wrote to memory of 868 916 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe 32
PID 868 wrote to memory of 1764 868 WINWORD.EXE 36
Processes
C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe"
PID: 916
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\uskewmevme.exe
  Command line: uskewmevme.exe
  PID: 1544
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\krwodezn.exe
    Command line: C:\Windows\system32\krwodezn.exe
    PID: 564
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe
  Command line: vofyhfvqipsrbcu.exe
  PID: 1416
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\krwodezn.exe
  Command line: krwodezn.exe
  PID: 1732
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\pyaedxnpeagyp.exe
  Command line: pyaedxnpeagyp.exe
  PID: 1932
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 868
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1764

Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 7
Downloads