Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22-01-2024 16:52
Static task
static1
Behavioral task
behavioral1
Sample
6fd1083bf5feeb646bd239a8a746071b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6fd1083bf5feeb646bd239a8a746071b.exe
Resource
win10v2004-20231215-en
General
-
Target
6fd1083bf5feeb646bd239a8a746071b.exe
-
Size
512KB
-
MD5
6fd1083bf5feeb646bd239a8a746071b
-
SHA1
b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1
-
SHA256
a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2
-
SHA512
7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bynytgzeob.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bynytgzeob.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bynytgzeob.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bynytgzeob.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
pid Process 2796 bynytgzeob.exe 2724 uzdocdmqooyceye.exe 2580 vdjxjtla.exe 2940 ywibyjqirjxhk.exe 2644 vdjxjtla.exe -
Loads dropped DLL 5 IoCs
pid Process 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2796 bynytgzeob.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" bynytgzeob.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gcowzkgd = "uzdocdmqooyceye.exe" uzdocdmqooyceye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ywibyjqirjxhk.exe" uzdocdmqooyceye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zdspntga = "bynytgzeob.exe" uzdocdmqooyceye.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: vdjxjtla.exe File opened (read-only) \??\j: bynytgzeob.exe File opened (read-only) \??\e: bynytgzeob.exe File opened (read-only) \??\x: bynytgzeob.exe File opened (read-only) \??\a: vdjxjtla.exe File opened (read-only) \??\h: vdjxjtla.exe File opened (read-only) \??\m: bynytgzeob.exe File opened (read-only) \??\z: bynytgzeob.exe File opened (read-only) \??\b: vdjxjtla.exe File opened (read-only) \??\q: vdjxjtla.exe File opened (read-only) \??\t: vdjxjtla.exe File opened (read-only) \??\k: vdjxjtla.exe File opened (read-only) \??\o: vdjxjtla.exe File opened (read-only) \??\v: vdjxjtla.exe File opened (read-only) \??\l: bynytgzeob.exe File opened (read-only) \??\u: vdjxjtla.exe File opened (read-only) \??\x: vdjxjtla.exe File opened (read-only) \??\j: vdjxjtla.exe File opened (read-only) \??\p: vdjxjtla.exe File opened (read-only) \??\s: vdjxjtla.exe File opened (read-only) \??\z: vdjxjtla.exe File opened (read-only) \??\a: bynytgzeob.exe File opened (read-only) \??\g: bynytgzeob.exe File opened (read-only) \??\h: bynytgzeob.exe File opened (read-only) \??\i: bynytgzeob.exe File opened (read-only) \??\h: vdjxjtla.exe File opened (read-only) \??\r: vdjxjtla.exe File opened (read-only) \??\l: vdjxjtla.exe File opened (read-only) \??\m: vdjxjtla.exe File opened (read-only) \??\q: vdjxjtla.exe File opened (read-only) \??\r: vdjxjtla.exe File opened (read-only) \??\o: vdjxjtla.exe File opened (read-only) \??\y: vdjxjtla.exe File opened (read-only) \??\t: bynytgzeob.exe File opened (read-only) \??\u: bynytgzeob.exe File opened (read-only) \??\v: vdjxjtla.exe File opened (read-only) \??\y: vdjxjtla.exe File opened (read-only) \??\z: vdjxjtla.exe File opened (read-only) \??\w: vdjxjtla.exe File opened (read-only) \??\k: bynytgzeob.exe File opened (read-only) \??\n: bynytgzeob.exe File opened (read-only) \??\y: bynytgzeob.exe File opened (read-only) \??\g: vdjxjtla.exe File opened (read-only) \??\a: vdjxjtla.exe File opened (read-only) \??\u: vdjxjtla.exe File opened (read-only) \??\b: bynytgzeob.exe File opened (read-only) \??\v: bynytgzeob.exe File opened (read-only) \??\w: bynytgzeob.exe File opened (read-only) \??\w: vdjxjtla.exe File opened (read-only) \??\k: vdjxjtla.exe File opened (read-only) \??\x: vdjxjtla.exe File opened (read-only) \??\l: vdjxjtla.exe File opened (read-only) \??\i: vdjxjtla.exe File opened (read-only) \??\n: vdjxjtla.exe File opened (read-only) \??\p: bynytgzeob.exe File opened (read-only) \??\g: vdjxjtla.exe File opened (read-only) \??\p: vdjxjtla.exe File opened (read-only) \??\t: vdjxjtla.exe File opened (read-only) \??\e: vdjxjtla.exe File opened (read-only) \??\i: vdjxjtla.exe File opened (read-only) \??\r: bynytgzeob.exe File opened (read-only) \??\j: vdjxjtla.exe File opened (read-only) \??\n: vdjxjtla.exe File opened (read-only) \??\b: vdjxjtla.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bynytgzeob.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bynytgzeob.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2508-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000d0000000122b8-8.dat autoit_exe behavioral1/files/0x0008000000012233-17.dat autoit_exe behavioral1/files/0x0010000000014984-28.dat autoit_exe behavioral1/files/0x0008000000014ee2-34.dat autoit_exe behavioral1/files/0x0006000000016d18-70.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\vdjxjtla.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\ywibyjqirjxhk.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bynytgzeob.exe File opened for modification C:\Windows\SysWOW64\uzdocdmqooyceye.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\bynytgzeob.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\uzdocdmqooyceye.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\vdjxjtla.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\ywibyjqirjxhk.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\bynytgzeob.exe 6fd1083bf5feeb646bd239a8a746071b.exe -
Drops file in Program Files directory 21 IoCs
description ioc Process File opened for modification C:\Program Files\SearchFormat.nal vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal vdjxjtla.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe vdjxjtla.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe vdjxjtla.exe File opened for modification \??\c:\Program Files\SearchFormat.doc.exe vdjxjtla.exe File opened for modification C:\Program Files\SearchFormat.doc.exe vdjxjtla.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal vdjxjtla.exe File opened for modification C:\Program Files\SearchFormat.doc.exe vdjxjtla.exe File opened for modification \??\c:\Program Files\SearchFormat.doc.exe vdjxjtla.exe File opened for modification C:\Program Files\SearchFormat.nal vdjxjtla.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal vdjxjtla.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe vdjxjtla.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe vdjxjtla.exe File created \??\c:\Program Files\SearchFormat.doc.exe vdjxjtla.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe vdjxjtla.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12E47E438EA53C4B9D63299D7BC" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFB482985139031D72D7E94BDE4E6305936664F6336D79F" 6fd1083bf5feeb646bd239a8a746071b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg bynytgzeob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D089C2782566D4176D777552CDB7D8164DB" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" bynytgzeob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bynytgzeob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bynytgzeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2444 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2644 vdjxjtla.exe 2644 vdjxjtla.exe 2644 vdjxjtla.exe 2644 vdjxjtla.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2724 uzdocdmqooyceye.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1336 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe Token: SeShutdownPrivilege 1336 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2644 vdjxjtla.exe 2644 vdjxjtla.exe 2644 vdjxjtla.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2508 6fd1083bf5feeb646bd239a8a746071b.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2796 bynytgzeob.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2724 uzdocdmqooyceye.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2580 vdjxjtla.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 2940 ywibyjqirjxhk.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe 1336 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2444 WINWORD.EXE 2444 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2796 2508 6fd1083bf5feeb646bd239a8a746071b.exe 28 PID 2508 wrote to memory of 2796 2508 6fd1083bf5feeb646bd239a8a746071b.exe 28 PID 2508 wrote to memory of 2796 2508 6fd1083bf5feeb646bd239a8a746071b.exe 28 PID 2508 wrote to memory of 2796 2508 6fd1083bf5feeb646bd239a8a746071b.exe 28 PID 2508 wrote to memory of 2724 2508 6fd1083bf5feeb646bd239a8a746071b.exe 29 PID 2508 wrote to memory of 2724 2508 6fd1083bf5feeb646bd239a8a746071b.exe 29 PID 2508 wrote to memory of 2724 2508 6fd1083bf5feeb646bd239a8a746071b.exe 29 PID 2508 wrote to memory of 2724 2508 6fd1083bf5feeb646bd239a8a746071b.exe 29 PID 2508 wrote to memory of 2580 2508 6fd1083bf5feeb646bd239a8a746071b.exe 30 PID 2508 wrote to memory of 2580 2508 6fd1083bf5feeb646bd239a8a746071b.exe 30 PID 2508 wrote to memory of 2580 2508 6fd1083bf5feeb646bd239a8a746071b.exe 30 PID 2508 wrote to memory of 2580 2508 6fd1083bf5feeb646bd239a8a746071b.exe 30 PID 2508 wrote to memory of 2940 2508 6fd1083bf5feeb646bd239a8a746071b.exe 31 PID 2508 wrote to memory of 2940 2508 6fd1083bf5feeb646bd239a8a746071b.exe 31 PID 2508 wrote to memory of 2940 2508 6fd1083bf5feeb646bd239a8a746071b.exe 31 PID 2508 wrote to memory of 2940 2508 6fd1083bf5feeb646bd239a8a746071b.exe 31 PID 2796 wrote to memory of 2644 2796 bynytgzeob.exe 32 PID 2796 wrote to memory of 2644 2796 bynytgzeob.exe 32 PID 2796 wrote to memory of 2644 2796 bynytgzeob.exe 32 PID 2796 wrote to memory of 2644 2796 bynytgzeob.exe 32 PID 2508 wrote to memory of 2444 2508 6fd1083bf5feeb646bd239a8a746071b.exe 33 PID 2508 wrote to memory of 2444 2508 6fd1083bf5feeb646bd239a8a746071b.exe 33 PID 2508 wrote to memory of 2444 2508 6fd1083bf5feeb646bd239a8a746071b.exe 33 PID 2508 wrote to memory of 2444 2508 6fd1083bf5feeb646bd239a8a746071b.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe"C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\bynytgzeob.exebynytgzeob.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\vdjxjtla.exeC:\Windows\system32\vdjxjtla.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2644
-
-
-
C:\Windows\SysWOW64\uzdocdmqooyceye.exeuzdocdmqooyceye.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724
-
-
C:\Windows\SysWOW64\vdjxjtla.exevdjxjtla.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2580
-
-
C:\Windows\SysWOW64\ywibyjqirjxhk.exeywibyjqirjxhk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2940
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2444
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5f1c4c8f9a9396c617d6d99f701944cfe
SHA17165b9ba86d064bd7f4db61b12c7c64d6c037a70
SHA256ff79c0fd78441c5836bac825a28da512fb22056cd482fd0fed2e331518b6ab46
SHA51236f71852c162c8472faf5cbb72d003f8c03364218f4afedb4ae1649b60d5c1dee469998bd25d270ec612acd661ea1e08300aae3efde2147fca6ac847d3eac1d5
-
Filesize
512KB
MD58d0f76668531af83f4fac43ef08d159f
SHA13c17d848e74d1bd0468516608826e5a3f4eb7ed0
SHA2560df0a215abfaacd46d23f31b0ae796a262799ae76c3c3bd014cdc680e95c77b2
SHA51253bbb3842fecab56ea053df3f26d8f562a715c47bcda5432800c8c102a7c142c86373d8fc8039994a51e037c7872a46740baf4fc60453b6e952d387a53772ded
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD586f0b44999e226cc9878cdad082cc6bd
SHA162fe694f6918c3c47520d9805479fea29942d52a
SHA256b6a6a737a965ce5f7e2f63a572235e8e3419f7c984e5c0812b9cd27d153eb7d0
SHA5126b3bd3932be93e0ba979c02d1481cc9b4980cf39cc6a6a6459eb0a86328e6676f34300692219c709e70b12f15996cedb830855cb12d9ef8439871a5ecc62e656
-
Filesize
512KB
MD5e18c745fffd23d4e3a55efebe2e86cf1
SHA1923dc2b142e388b6536cec5dee11a47b52f2a31d
SHA256976c7e5d03fe4138b191bfd3173b1d4283f6681dae45fb75fbd48006a452e8a3
SHA5121f9b119f87086c74b8e55f0eb34ef52e303e79c99448cc51df09a580c061a7fd98ba50f47ada08f934e33030e0be8ca2d0ee72bcf1a6ecb4614c638b75a8190d
-
Filesize
512KB
MD5be0746c26aa6b6f5c3ef5fa035c75222
SHA166fe8dd7df009610033b0ae7df010a6129b68c40
SHA256d6b00c1a7fa71b35186f78842ca6fd07767a72715852a87948d0124a19e710df
SHA5122e1567c9e2d874e89e2e96d3837318577af2bff0c4b79df67a5bae46ae0f98088ba3ca77f101fa1ca3a7e3f198ad671fb6ddbf5387beb768cc0d32f983c0834f