Analysis
- max time kernel: 177s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
- submitted: 12/10/2023, 16:21
Behavioral task
behavioral1
Sample
NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Resource
win7-20230831-en
General
- Target: NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
- Size: 255KB
- MD5: 071b57fd7e88f760741f4d68c39510e0
- SHA1: dbf9a7f669b35adebd305ac3b7bd6d49bf7b1230
- SHA256: c4ef3c90f6ad73d8a57242e4d8918c912583c3cfd2838f52291063a81b93e262
- SHA512: 9c083aec2f1c4efec640c0d16654f3e7083bc617a45747d3aa3b9a3812ac29fa551963a8b256d0a8fee5693ee317d5c7eef9ffdcc4bf03b802d7e4ac216f2c92
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIa
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ssdzqxeyte.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ssdzqxeyte.exe -
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ssdzqxeyte.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ssdzqxeyte.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe -
Executes dropped EXE 5 IoCs
pid Process
3224 ssdzqxeyte.exe
2132 ttrzuzorykrjlem.exe
3884 xxznlyng.exe
568 vpcbsdlippmqs.exe
456 xxznlyng.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ssdzqxeyte.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dtupdqbk = "ssdzqxeyte.exe" ttrzuzorykrjlem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kzdpsmko = "ttrzuzorykrjlem.exe" ttrzuzorykrjlem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vpcbsdlippmqs.exe" ttrzuzorykrjlem.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ssdzqxeyte.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ssdzqxeyte.exe
-
AutoIT Executable 63 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\ttrzuzorykrjlem.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File created C:\Windows\SysWOW64\xxznlyng.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File created C:\Windows\SysWOW64\vpcbsdlippmqs.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File opened for modification C:\Windows\SysWOW64\vpcbsdlippmqs.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File created C:\Windows\SysWOW64\ssdzqxeyte.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File opened for modification C:\Windows\SysWOW64\ssdzqxeyte.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File created C:\Windows\SysWOW64\ttrzuzorykrjlem.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File opened for modification C:\Windows\SysWOW64\xxznlyng.exe NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ssdzqxeyte.exe
-
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xxznlyng.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xxznlyng.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xxznlyng.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xxznlyng.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xxznlyng.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xxznlyng.exe
-
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
-
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B05B44E439EC53B9B9A2329BD7BE" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ssdzqxeyte.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9B0FE16F29384753A4B86ED3E93B3FD02FF42110333E1B9429E08A7" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC77B15E6DBC2B9BE7CE9ED9534C6" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ssdzqxeyte.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402D7B9C2D82556D4677A770232DD77CF364DC" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ssdzqxeyte.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ssdzqxeyte.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFE485A85139042D7587DE0BDE4E63258476733623FD6EE" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F568B1FF1822D8D20FD1D68A7B9161" NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ssdzqxeyte.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ssdzqxeyte.exe
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4392 WINWORD.EXE 4392 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 2132 ttrzuzorykrjlem.exe 2132 ttrzuzorykrjlem.exe 2132 ttrzuzorykrjlem.exe 3224 ssdzqxeyte.exe 3224 ssdzqxeyte.exe 3224 ssdzqxeyte.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 568 vpcbsdlippmqs.exe 568 vpcbsdlippmqs.exe 568 vpcbsdlippmqs.exe 456 xxznlyng.exe 456 xxznlyng.exe 456 xxznlyng.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 2132 ttrzuzorykrjlem.exe 2132 ttrzuzorykrjlem.exe 2132 ttrzuzorykrjlem.exe 3224 ssdzqxeyte.exe 3224 ssdzqxeyte.exe 3224 ssdzqxeyte.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 3884 xxznlyng.exe 568 vpcbsdlippmqs.exe 568 vpcbsdlippmqs.exe 568 vpcbsdlippmqs.exe 456 xxznlyng.exe 456 xxznlyng.exe 456 xxznlyng.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4392 WINWORD.EXE 4392 WINWORD.EXE 4392 WINWORD.EXE 4392 WINWORD.EXE 4392 WINWORD.EXE 4392 WINWORD.EXE 4392 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1756 wrote to memory of 3224 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 85
PID 1756 wrote to memory of 3224 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 85
PID 1756 wrote to memory of 3224 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 85
PID 1756 wrote to memory of 2132 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 86
PID 1756 wrote to memory of 2132 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 86
PID 1756 wrote to memory of 2132 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 86
PID 1756 wrote to memory of 3884 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 89
PID 1756 wrote to memory of 3884 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 89
PID 1756 wrote to memory of 3884 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 89
PID 1756 wrote to memory of 568 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 87
PID 1756 wrote to memory of 568 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 87
PID 1756 wrote to memory of 568 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 87
PID 3224 wrote to memory of 456 3224 ssdzqxeyte.exe 90
PID 3224 wrote to memory of 456 3224 ssdzqxeyte.exe 90
PID 3224 wrote to memory of 456 3224 ssdzqxeyte.exe 90
PID 1756 wrote to memory of 4392 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 91
PID 1756 wrote to memory of 4392 1756 NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.071b57fd7e88f760741f4d68c39510e0_JC.exe" 1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\ssdzqxeyte.exe ssdzqxeyte.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\xxznlyng.exe C:\Windows\system32\xxznlyng.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456
-
-
-
C:\Windows\SysWOW64\ttrzuzorykrjlem.exe ttrzuzorykrjlem.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2132
-
-
C:\Windows\SysWOW64\vpcbsdlippmqs.exe vpcbsdlippmqs.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:568
-
-
C:\Windows\SysWOW64\xxznlyng.exe xxznlyng.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3884
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" 2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4392
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms