Analysis
-
max time kernel
151s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
07/01/2024, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
ab0757415e5a33fde6893ba93d5683ff.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ab0757415e5a33fde6893ba93d5683ff.exe
Resource
win10v2004-20231215-en
General
-
Target
ab0757415e5a33fde6893ba93d5683ff.exe
-
Size
512KB
-
MD5
ab0757415e5a33fde6893ba93d5683ff
-
SHA1
0836ceb3d65019483a8a1664a80422dffdfec99d
-
SHA256
677fc2b026079044c61098fc32986c2624095fc78d0f478e74e588a559bba8a0
-
SHA512
3c13d8a82243d85f1462ad9951abdfe4d07fe3e65e1b63c70f23aebf70a27adaab84c5dff41bcd622d04497ec5e7bb69b0cd5b0ca95e07aab1bcaea6efb63565
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nrnahlpexs.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nrnahlpexs.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nrnahlpexs.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nrnahlpexs.exe -
Executes dropped EXE 5 IoCs
pid Process 2668 nrnahlpexs.exe 2736 xgeddcddpsqcpfs.exe 2656 tddulpyx.exe 2708 klncvszjgclwb.exe 2692 tddulpyx.exe -
Loads dropped DLL 5 IoCs
pid Process 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 2668 nrnahlpexs.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nrnahlpexs.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lfmuxtfn = "nrnahlpexs.exe" xgeddcddpsqcpfs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\abkzyrpj = "xgeddcddpsqcpfs.exe" xgeddcddpsqcpfs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "klncvszjgclwb.exe" xgeddcddpsqcpfs.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: tddulpyx.exe File opened (read-only) \??\y: nrnahlpexs.exe File opened (read-only) \??\n: tddulpyx.exe File opened (read-only) \??\r: tddulpyx.exe File opened (read-only) \??\k: nrnahlpexs.exe File opened (read-only) \??\p: nrnahlpexs.exe File opened (read-only) \??\e: tddulpyx.exe File opened (read-only) \??\j: tddulpyx.exe File opened (read-only) \??\m: tddulpyx.exe File opened (read-only) \??\r: tddulpyx.exe File opened (read-only) \??\y: tddulpyx.exe File opened (read-only) \??\h: nrnahlpexs.exe File opened (read-only) \??\q: tddulpyx.exe File opened (read-only) \??\x: tddulpyx.exe File opened (read-only) \??\q: nrnahlpexs.exe File opened (read-only) \??\u: nrnahlpexs.exe File opened (read-only) \??\a: tddulpyx.exe File opened (read-only) \??\e: tddulpyx.exe File opened (read-only) \??\o: tddulpyx.exe File opened (read-only) \??\i: tddulpyx.exe File opened (read-only) \??\p: tddulpyx.exe File opened (read-only) \??\l: nrnahlpexs.exe File opened (read-only) \??\m: nrnahlpexs.exe File opened (read-only) \??\v: tddulpyx.exe File opened (read-only) \??\x: tddulpyx.exe File opened (read-only) \??\w: nrnahlpexs.exe File opened (read-only) \??\h: tddulpyx.exe File opened (read-only) \??\k: tddulpyx.exe File opened (read-only) \??\q: tddulpyx.exe File opened (read-only) \??\t: nrnahlpexs.exe File opened (read-only) \??\b: tddulpyx.exe File opened (read-only) \??\g: tddulpyx.exe File opened (read-only) \??\s: tddulpyx.exe File opened (read-only) \??\w: tddulpyx.exe File opened (read-only) \??\g: nrnahlpexs.exe File opened (read-only) \??\n: nrnahlpexs.exe File opened (read-only) \??\i: tddulpyx.exe File opened (read-only) \??\g: tddulpyx.exe File opened (read-only) \??\e: nrnahlpexs.exe File opened (read-only) \??\i: nrnahlpexs.exe File opened (read-only) \??\x: nrnahlpexs.exe File opened (read-only) \??\v: tddulpyx.exe File opened (read-only) \??\a: tddulpyx.exe File opened (read-only) \??\o: nrnahlpexs.exe File opened (read-only) \??\t: tddulpyx.exe File opened (read-only) \??\h: tddulpyx.exe File opened (read-only) \??\m: tddulpyx.exe File opened (read-only) \??\w: tddulpyx.exe File opened (read-only) \??\t: tddulpyx.exe File opened (read-only) \??\u: tddulpyx.exe File opened (read-only) \??\k: tddulpyx.exe File opened (read-only) \??\u: tddulpyx.exe File opened (read-only) \??\s: tddulpyx.exe File opened (read-only) \??\z: nrnahlpexs.exe File opened (read-only) \??\n: tddulpyx.exe File opened (read-only) \??\v: nrnahlpexs.exe File opened (read-only) \??\p: tddulpyx.exe File opened (read-only) \??\b: tddulpyx.exe File opened (read-only) \??\z: tddulpyx.exe File opened (read-only) \??\s: nrnahlpexs.exe File opened (read-only) \??\y: tddulpyx.exe File opened (read-only) \??\z: tddulpyx.exe File opened (read-only) \??\o: tddulpyx.exe File opened (read-only) \??\j: nrnahlpexs.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" nrnahlpexs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" nrnahlpexs.exe -
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1308-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000c000000016cac-5.dat autoit_exe behavioral1/files/0x0007000000012281-17.dat autoit_exe behavioral1/files/0x000c000000016cac-21.dat autoit_exe behavioral1/files/0x000c000000016cac-26.dat autoit_exe behavioral1/files/0x0007000000016d71-38.dat autoit_exe behavioral1/files/0x0007000000016d71-34.dat autoit_exe behavioral1/files/0x002e000000016d2d-43.dat autoit_exe behavioral1/files/0x002e000000016d2d-42.dat autoit_exe behavioral1/files/0x002e000000016d2d-29.dat autoit_exe behavioral1/files/0x0007000000012281-24.dat autoit_exe behavioral1/files/0x000500000001948c-67.dat autoit_exe behavioral1/files/0x0005000000019493-74.dat autoit_exe behavioral1/files/0x00050000000194a8-77.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\xgeddcddpsqcpfs.exe ab0757415e5a33fde6893ba93d5683ff.exe File created C:\Windows\SysWOW64\tddulpyx.exe ab0757415e5a33fde6893ba93d5683ff.exe File opened for modification C:\Windows\SysWOW64\tddulpyx.exe ab0757415e5a33fde6893ba93d5683ff.exe File opened for modification C:\Windows\SysWOW64\klncvszjgclwb.exe ab0757415e5a33fde6893ba93d5683ff.exe File created C:\Windows\SysWOW64\nrnahlpexs.exe ab0757415e5a33fde6893ba93d5683ff.exe File opened for modification C:\Windows\SysWOW64\nrnahlpexs.exe ab0757415e5a33fde6893ba93d5683ff.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll nrnahlpexs.exe File created C:\Windows\SysWOW64\xgeddcddpsqcpfs.exe ab0757415e5a33fde6893ba93d5683ff.exe File created C:\Windows\SysWOW64\klncvszjgclwb.exe ab0757415e5a33fde6893ba93d5683ff.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal tddulpyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe tddulpyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal tddulpyx.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal tddulpyx.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe tddulpyx.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal tddulpyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe tddulpyx.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf ab0757415e5a33fde6893ba93d5683ff.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" nrnahlpexs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc nrnahlpexs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF8B482E85129045D65D7EE6BDE7E135594467346242D7ED" ab0757415e5a33fde6893ba93d5683ff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh nrnahlpexs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D7A9C2783276A3476DC77262CDB7C8665DA" ab0757415e5a33fde6893ba93d5683ff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2692 tddulpyx.exe 2692 tddulpyx.exe 2692 tddulpyx.exe 2692 tddulpyx.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2736 xgeddcddpsqcpfs.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2692 tddulpyx.exe 2692 tddulpyx.exe 2692 tddulpyx.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 1308 ab0757415e5a33fde6893ba93d5683ff.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2668 nrnahlpexs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2736 xgeddcddpsqcpfs.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2656 tddulpyx.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2708 klncvszjgclwb.exe 2692 tddulpyx.exe 2692 tddulpyx.exe 2692 tddulpyx.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2540 WINWORD.EXE 2540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1308 wrote to memory of 2668 1308 ab0757415e5a33fde6893ba93d5683ff.exe 28 PID 1308 wrote to memory of 2668 1308 ab0757415e5a33fde6893ba93d5683ff.exe 28 PID 1308 wrote to memory of 2668 1308 ab0757415e5a33fde6893ba93d5683ff.exe 28 PID 1308 wrote to memory of 2668 1308 ab0757415e5a33fde6893ba93d5683ff.exe 28 PID 1308 wrote to memory of 2736 1308 ab0757415e5a33fde6893ba93d5683ff.exe 29 PID 1308 wrote to memory of 2736 1308 ab0757415e5a33fde6893ba93d5683ff.exe 29 PID 1308 wrote to memory of 2736 1308 ab0757415e5a33fde6893ba93d5683ff.exe 29 PID 1308 wrote to memory of 2736 1308 ab0757415e5a33fde6893ba93d5683ff.exe 29 PID 1308 wrote to memory of 2656 1308 ab0757415e5a33fde6893ba93d5683ff.exe 33 PID 1308 wrote to memory of 2656 1308 ab0757415e5a33fde6893ba93d5683ff.exe 33 PID 1308 wrote to memory of 2656 1308 ab0757415e5a33fde6893ba93d5683ff.exe 33 PID 1308 wrote to memory of 2656 1308 ab0757415e5a33fde6893ba93d5683ff.exe 33 PID 1308 wrote to memory of 2708 1308 ab0757415e5a33fde6893ba93d5683ff.exe 32 PID 1308 wrote to memory of 2708 1308 ab0757415e5a33fde6893ba93d5683ff.exe 32 PID 1308 wrote to memory of 2708 1308 ab0757415e5a33fde6893ba93d5683ff.exe 32 PID 1308 wrote to memory of 2708 1308 ab0757415e5a33fde6893ba93d5683ff.exe 32 PID 2668 wrote to memory of 2692 2668 nrnahlpexs.exe 30 PID 2668 wrote to memory of 2692 2668 nrnahlpexs.exe 30 PID 2668 wrote to memory of 2692 2668 nrnahlpexs.exe 30 PID 2668 wrote to memory of 2692 2668 nrnahlpexs.exe 30 PID 1308 wrote to memory of 2540 1308 ab0757415e5a33fde6893ba93d5683ff.exe 31 PID 1308 wrote to memory of 2540 1308 ab0757415e5a33fde6893ba93d5683ff.exe 31 PID 1308 wrote to memory of 2540 1308 ab0757415e5a33fde6893ba93d5683ff.exe 31 PID 1308 wrote to memory of 2540 1308 ab0757415e5a33fde6893ba93d5683ff.exe 31 PID 2540 wrote to memory of 1948 2540 WINWORD.EXE 36 PID 2540 wrote to memory of 1948 2540 WINWORD.EXE 36 PID 2540 wrote to memory of 1948 2540 WINWORD.EXE 36 PID 2540 wrote to memory of 1948 2540 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe"C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\nrnahlpexs.exenrnahlpexs.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\tddulpyx.exeC:\Windows\system32\tddulpyx.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692
-
-
-
C:\Windows\SysWOW64\xgeddcddpsqcpfs.exexgeddcddpsqcpfs.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1948
-
-
-
C:\Windows\SysWOW64\klncvszjgclwb.exeklncvszjgclwb.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708
-
-
C:\Windows\SysWOW64\tddulpyx.exetddulpyx.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2656
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5e72a03b4cbc70dd02a2a891bbad55125
SHA1300ca87e84272e2d1fd3448be4cf473cf79b3ec9
SHA256c3ef95656206a2188502faf16e7a60b9edd56bdb1cbf55b55bfffe747e61ec82
SHA51252ee9d5fe27c647ad6474c518403f8f4471410ab20b56ddca88f4644ca8561d597f30a7e30a41241c6b0d9620ffcd2371f25377abe41581299345bda1904ff37
-
Filesize
36KB
MD5af0170a6c815eca0de7c8f53512add64
SHA1d2e1f2c52efd65a612a352faa80ec5562b00db7b
SHA2566e2f625bd893ee21a55f07c9148d5204918e0df6aec58dd80b2854d921ddc910
SHA5120d26f17d05eef1f72fc7ef2d381bd3e1fc241e8eb4b9a7713befdd6c7cb895d4dd4291e23950ea47dcd11b12d78a3e77f6f914b480d38c899e1b53a3f29d25e9
-
Filesize
20KB
MD50dfb9a88c389cfd27d405594f07ad056
SHA1f25ce7f3faf5cfc4bb738878f284856d12c2be02
SHA256f30394fdda489b71b287a4e4c8578d6fc74af1d46ee6dd1204808047cc2fd886
SHA512c4054d3de2ef9147b97550dccfb3e27b64a859052d7780b8a8ef94251b4318fc2ed4986a1ede52520542ed998860d0c5f6cce93e616d484ad043f5ef5198fc02
-
Filesize
112KB
MD5b9bc6aea0a33849b8d92167fee3034de
SHA1e8f2ff6eef336da9a942b4be1aca09720cc62c85
SHA2565453c6ca4503e32bf86205fe82cf30436f5c5b92573a57b6188a8586eb10de96
SHA5128f6b500525f627c86df565d6c24770cfa972dd7f5d9821dd70746715a6a6734fbc4fea50cef4569e6379460b8daf6d6a1f17016d7f32ffa3579b405cb552f51c
-
Filesize
118KB
MD5bdc83ea97433795a5c26b1d826ac8323
SHA175aefbc23df2df09a1b60d58e85abb4c5326619f
SHA256b15923256b7e7a49cff71b64858b0a02ba69f7f352f275eee801a36353913dbd
SHA512ef7c67e85a9861b1dbb863e82e6f89b6012e26cb67b392bff6fc02c7b0ecfa80ae1840f94ba30c4cc3d32ad7d5ef5c3e62dcd014e43d3c957799e8f72d5a249f
-
Filesize
286KB
MD5c8f31e331d8c82a1f4150bbc9512e520
SHA19c59fd655a1ba8c9cbd48ad9c3f4c3f501f6d1a1
SHA256d05c0b78773e864a2cf2f940a4aa7617303b72ae23da7e1562016a412461e56e
SHA512328827fde9c316017132fbb2c58b835c5a689a77e75c11221fc939753f054da57703c1c274d25ee18b5106f42264d7702f0854296e5781cef643749d5dc619e9
-
Filesize
28KB
MD533ee1a8a64e645d4f6851dc714022c15
SHA1ba4eb8765bbe95e8699077340904fcedc382ccea
SHA25660d0cf8ef77e3c55dde0f067d6782fe549ee95bb5548f864093f5e142c84762b
SHA51294c8ab332fad1c7d1b6df385159a6f657f66742a034d82b158a887a0a4872514b016d6e4baaf04e5889bfbcfd226f2559aabf02d34c751780dd6956710c2345f
-
Filesize
85KB
MD527623bf17711551baa843bbab18a4b07
SHA12d6d50bab42c5defdd9bdf3f14fb826853558392
SHA2566a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368
SHA51253f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b
-
Filesize
512KB
MD5408dfd55c92f6bcff5726eb159a5d864
SHA1faad33f4d3eee41523ee331dfdaab2a0b528238d
SHA256b51d47b62f5da9d0d9b11b2ae8d1488274ce19f2027c9fe675fa31b001ee1856
SHA512224ad987157e3804025fe32f6791d0dc0feaf5ac17142f969e6b03b7d98b972df0250333bd8d724cb6cbd39545d4abdd5c59457766efe5491d13ddcf13bb0bf6
-
Filesize
382KB
MD5badd716c7c48a8241873d9251da496d1
SHA16bd2a072c8f64a1780fe75d983cb7b6584985c6d
SHA256ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7
SHA5127bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5
-
Filesize
512KB
MD5e37e88958b9a6bd01c13e2d82773ca14
SHA1b03ae165d97f002b565d207a8f57905548781bd3
SHA256d829f701c034149f22fd4e43d80a4a7267ca63b9b5a57c7c34f87f7841d3761c
SHA512a52e720bce8a636900edd1ced181f76ebc6a0b70f0a28f82b0c8c2e9220989281994b512e0bdadff1a4e9c2689602d2c563a9340cb6f048de2296e86e23aab37
-
Filesize
416KB
MD5f2743abd2bcd7b8ddb886282eb27c5fe
SHA112fedd2bb51b8480bae521c788c0428c7f1a7163
SHA25634d4acba07430a8f06759ba85825be072f942f3dcc684f7ddeccd271496ffcfa
SHA5120e38d916edfc5d63492872ec5b0a33f855afd3904f724196d96bc80c5a18e56bb5ee50bf81da471ec17f97984d2baf09713702239d0f492f58ffefd6f5336ac3
-
Filesize
124KB
MD5de83bfac85a2c62d0cb12eb47652d5dc
SHA11990b0d527e8ea6e7503d0084dced33b9ffce8a6
SHA2565d14fa9e8658105bdf0715b3de050ea871e8b3aceb585810c35435c966aed51c
SHA512fee49bcb9c25cce746b005724afca9832b0b74b422569a441bb521bec8d31bca3f286c599b8822e7926cae1d0866a27215be6baf8b285356cd1a0bdf4f5da51e
-
Filesize
384KB
MD50e151ec3919b72f9a6c7fe60d10f4ea0
SHA191fb01badc6db9808233ff95abf39c37982a8c85
SHA256f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA51241d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b