Analysis
-
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 11:37
Behavioral task: behavioral1
Sample: dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Resource: win7-20220812-en
General
-
Target: dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Size: 255KB
MD5: 7b70c7453354aff2e69fe0b5638bae2a
SHA1: 1a099a1a8c9a390876ff3a4bd3ea767c1c7d1624
SHA256: dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc
SHA512: c0a1353413058ad33d2cd108e41465f03331c5ede1b5c3e4e2b9d34291d08f37442d12457422180bd55293f1bfecd3bc5d6d6e966f422d5b57070e001c19e606
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJc:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIP
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ztyarijuzm.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ztyarijuzm.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ztyarijuzm.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ztyarijuzm.exe
-
Executes dropped EXE 5 IoCs
pid | Process
532 | ztyarijuzm.exe
1376 | lacmjypqbqsadry.exe
1284 | xfueyvhp.exe
4420 | mkqpijtyydwyu.exe
4284 | xfueyvhp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ztyarijuzm.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shuyzcdh = "ztyarijuzm.exe" | lacmjypqbqsadry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aajqvfno = "lacmjypqbqsadry.exe" | lacmjypqbqsadry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mkqpijtyydwyu.exe" | lacmjypqbqsadry.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | lacmjypqbqsadry.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ztyarijuzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ztyarijuzm.exe
-
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mkqpijtyydwyu.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | C:\Windows\SysWOW64\mkqpijtyydwyu.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ztyarijuzm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | C:\Windows\SysWOW64\ztyarijuzm.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File created | C:\Windows\SysWOW64\xfueyvhp.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | C:\Windows\SysWOW64\xfueyvhp.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | C:\Windows\SysWOW64\ztyarijuzm.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File created | C:\Windows\SysWOW64\lacmjypqbqsadry.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | C:\Windows\SysWOW64\lacmjypqbqsadry.exe | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfueyvhp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfueyvhp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfueyvhp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfueyvhp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfueyvhp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfueyvhp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfueyvhp.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | C:\Windows\mydoc.rtf | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xfueyvhp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfueyvhp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfueyvhp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C6091591DBC5B9B97CE2ED9034C6" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ztyarijuzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ztyarijuzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ztyarijuzm.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FACCF911F194837A3A31819B3E90B08D038A42120338E1CA459B09A3" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12C4492399852BEB9D4329DD4BF" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7C9D2083276D3E76A070552DDB7C8464AF" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ztyarijuzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ztyarijuzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8C4F58826A9131D72D7E91BCE4E640594366406237D691" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC4FF1822D1D17AD0D48A7D9162" | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ztyarijuzm.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2260 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
532 | ztyarijuzm.exe
1376 | lacmjypqbqsadry.exe
1284 | xfueyvhp.exe
4420 | mkqpijtyydwyu.exe
4284 | xfueyvhp.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
532 | ztyarijuzm.exe
1376 | lacmjypqbqsadry.exe
1284 | xfueyvhp.exe
4420 | mkqpijtyydwyu.exe
4284 | xfueyvhp.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe
532 | ztyarijuzm.exe
1376 | lacmjypqbqsadry.exe
1284 | xfueyvhp.exe
4420 | mkqpijtyydwyu.exe
4284 | xfueyvhp.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2260 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4940 wrote to memory of 532 | 4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe | 83
PID 4940 wrote to memory of 1376 | 4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe | 84
PID 4940 wrote to memory of 1284 | 4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe | 85
PID 4940 wrote to memory of 4420 | 4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe | 86
PID 532 wrote to memory of 4284 | 532 | ztyarijuzm.exe | 87
PID 4940 wrote to memory of 2260 | 4940 | dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe "C:\Users\Admin\AppData\Local\Temp\dfb844e66a20a7f7c2a56e996f3976caff50ab8fa4d331037f5b9243ab2cf3cc.exe" 1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\ztyarijuzm.exe ztyarijuzm.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\xfueyvhp.exe C:\Windows\system32\xfueyvhp.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4284
-
-
-
C:\Windows\SysWOW64\lacmjypqbqsadry.exe lacmjypqbqsadry.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376
-
-
C:\Windows\SysWOW64\xfueyvhp.exe xfueyvhp.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284
-
-
C:\Windows\SysWOW64\mkqpijtyydwyu.exe mkqpijtyydwyu.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4420
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" 2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2260
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 6
Downloads