Analysis
max time kernel: 151s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25/12/2023, 03:25
Static task: static1
Behavioral task: behavioral1
Sample: 02f18e506d9e63ffbb3ef187f661e6a1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 02f18e506d9e63ffbb3ef187f661e6a1.exe
Resource: win10v2004-20231215-en
General
Target: 02f18e506d9e63ffbb3ef187f661e6a1.exe
Size: 512KB
MD5: 02f18e506d9e63ffbb3ef187f661e6a1
SHA1: 5ef2e7bb28554d980c70249014d535f773e79372
SHA256: db337e37a82ecebe90652441a031d92ad980911d3190f7d397e8b5cd2168f351
SHA512: 6dde8eb7297c770eb77c094329563761a5deeac75f97fc7fd657add7e065017f7e2ab3de7a10bade4558730b1c3dd822b1dceec30d9f4c6f4a80d75624229501
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xohsoffdud.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xohsoffdud.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xohsoffdud.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xohsoffdud.exe
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 5 IoCs
pid | Process
2704 | xohsoffdud.exe
2780 | dghfcncwaqwwbbf.exe
2328 | vzwnuxvp.exe
2692 | hjklelfboopcs.exe
2740 | vzwnuxvp.exe
Loads dropped DLL 5 IoCs
pid | Process
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
2704 | xohsoffdud.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xohsoffdud.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zagwiwic = "xohsoffdud.exe" | dghfcncwaqwwbbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mdugypqd = "dghfcncwaqwwbbf.exe" | dghfcncwaqwwbbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hjklelfboopcs.exe" | dghfcncwaqwwbbf.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xohsoffdud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xohsoffdud.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0031000000016caa-5.dat | autoit_exe
behavioral1/files/0x000a000000016577-17.dat | autoit_exe
behavioral1/files/0x0007000000016ced-28.dat | autoit_exe
behavioral1/files/0x0007000000016cf1-38.dat | autoit_exe
behavioral1/files/0x0002000000003d1e-50.dat | autoit_exe
behavioral1/files/0x0006000000018b72-75.dat | autoit_exe
behavioral1/files/0x0006000000018b88-81.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xohsoffdud.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File opened for modification | C:\Windows\SysWOW64\dghfcncwaqwwbbf.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File opened for modification | C:\Windows\SysWOW64\vzwnuxvp.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File created | C:\Windows\SysWOW64\hjklelfboopcs.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File opened for modification | C:\Windows\SysWOW64\hjklelfboopcs.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File created | C:\Windows\SysWOW64\xohsoffdud.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File created | C:\Windows\SysWOW64\vzwnuxvp.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xohsoffdud.exe
File created | C:\Windows\SysWOW64\dghfcncwaqwwbbf.exe | 02f18e506d9e63ffbb3ef187f661e6a1.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\HideApprove.nal | vzwnuxvp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vzwnuxvp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vzwnuxvp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vzwnuxvp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | vzwnuxvp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vzwnuxvp.exe
File opened for modification | \??\c:\Program Files\HideApprove.doc.exe | vzwnuxvp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vzwnuxvp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | vzwnuxvp.exe
File opened for modification | C:\Program Files\HideApprove.doc.exe | vzwnuxvp.exe
File created | \??\c:\Program Files\HideApprove.doc.exe | vzwnuxvp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vzwnuxvp.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 02f18e506d9e63ffbb3ef187f661e6a1.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2568 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
2704 | xohsoffdud.exe
2780 | dghfcncwaqwwbbf.exe
2328 | vzwnuxvp.exe
2692 | hjklelfboopcs.exe
2740 | vzwnuxvp.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2244 | explorer.exe
Suspicious use of FindShellTrayWindow 47 IoCs
pid | Process
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
2704 | xohsoffdud.exe
2780 | dghfcncwaqwwbbf.exe
2328 | vzwnuxvp.exe
2692 | hjklelfboopcs.exe
2740 | vzwnuxvp.exe
2244 | explorer.exe
Suspicious use of SendNotifyMessage 34 IoCs
pid | Process
1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe
2704 | xohsoffdud.exe
2780 | dghfcncwaqwwbbf.exe
2328 | vzwnuxvp.exe
2692 | hjklelfboopcs.exe
2244 | explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2568 | WINWORD.EXE
2568 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 2704 | 1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe | 28
PID 1992 wrote to memory of 2780 | 1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe | 29
PID 1992 wrote to memory of 2328 | 1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe | 30
PID 1992 wrote to memory of 2692 | 1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe | 31
PID 2704 wrote to memory of 2740 | 2704 | xohsoffdud.exe | 32
PID 1992 wrote to memory of 2568 | 1992 | 02f18e506d9e63ffbb3ef187f661e6a1.exe | 33
PID 2568 wrote to memory of 2152 | 2568 | WINWORD.EXE | 37
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02f18e506d9e63ffbb3ef187f661e6a1.exe
"C:\Users\Admin\AppData\Local\Temp\02f18e506d9e63ffbb3ef187f661e6a1.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
C:\Windows\SysWOW64\xohsoffdud.exe
Command line: xohsoffdud.exe (tree level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
C:\Windows\SysWOW64\vzwnuxvp.exe
Command line: C:\Windows\system32\vzwnuxvp.exe (tree level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2740
C:\Windows\SysWOW64\dghfcncwaqwwbbf.exe
Command line: dghfcncwaqwwbbf.exe (tree level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2780
C:\Windows\SysWOW64\vzwnuxvp.exe
Command line: vzwnuxvp.exe (tree level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328
C:\Windows\SysWOW64\hjklelfboopcs.exe
Command line: hjklelfboopcs.exe (tree level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (tree level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288 (tree level 3)
PID:2152
C:\Windows\explorer.exe
Command line: explorer.exe (tree level 1)
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (8)
Downloads