Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:44
Behavioral task
behavioral1
Sample
752018ae89f569d80a8de45e8de1f020.exe
Resource
win7-20231215-en
General
-
Target
752018ae89f569d80a8de45e8de1f020.exe
-
Size
255KB
-
MD5
752018ae89f569d80a8de45e8de1f020
-
SHA1
f40cb58566c5d3dbade3aa49e19d3467cb773af2
-
SHA256
ef2d55d039eb1946f31db372da327246ec57ae9288cd23c61cb1ef6a3aca867f
-
SHA512
6d1360658d211436ca0e243046c9930ea5c81ae083b3831c9576fe119dd444a18c6a5db362e7efb83d4ef8d9c51c78c921e145c7dfb79869422d83d0ee10c340
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJF:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIc
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ykbipdpxpg.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ykbipdpxpg.exe -
Windows security bypass
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ykbipdpxpg.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ykbipdpxpg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
752018ae89f569d80a8de45e8de1f020.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation 752018ae89f569d80a8de45e8de1f020.exe -
Executes dropped EXE 5 IoCs
Processes:
ykbipdpxpg.exejppivurlbkqieke.exehytmqygc.exeowuscomlzmgwz.exehytmqygc.exepid process 1744 ykbipdpxpg.exe 3452 jppivurlbkqieke.exe 1304 hytmqygc.exe 2212 owuscomlzmgwz.exe 3856 hytmqygc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ykbipdpxpg.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
jppivurlbkqieke.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hfwhmscg = "ykbipdpxpg.exe" jppivurlbkqieke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgtaahqj = "jppivurlbkqieke.exe" jppivurlbkqieke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "owuscomlzmgwz.exe" jppivurlbkqieke.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
ykbipdpxpg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ykbipdpxpg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ykbipdpxpg.exe -
AutoIT Executable 58 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
Processes:
752018ae89f569d80a8de45e8de1f020.exehytmqygc.exehytmqygc.exeykbipdpxpg.exedescription ioc process File created C:\Windows\SysWOW64\hytmqygc.exe 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\SysWOW64\owuscomlzmgwz.exe 752018ae89f569d80a8de45e8de1f020.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe hytmqygc.exe File created C:\Windows\SysWOW64\jppivurlbkqieke.exe 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\SysWOW64\ykbipdpxpg.exe 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\SysWOW64\jppivurlbkqieke.exe 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\SysWOW64\hytmqygc.exe 752018ae89f569d80a8de45e8de1f020.exe File created C:\Windows\SysWOW64\owuscomlzmgwz.exe 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ykbipdpxpg.exe File created C:\Windows\SysWOW64\ykbipdpxpg.exe 752018ae89f569d80a8de45e8de1f020.exe -
Drops file in Program Files directory 14 IoCs
Processes:
hytmqygc.exehytmqygc.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal hytmqygc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hytmqygc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hytmqygc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hytmqygc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hytmqygc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal hytmqygc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hytmqygc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hytmqygc.exe -
Drops file in Windows directory 19 IoCs
Processes:
hytmqygc.exehytmqygc.exeWINWORD.EXE752018ae89f569d80a8de45e8de1f020.exedescription ioc process File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe hytmqygc.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe hytmqygc.exe File created 
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe hytmqygc.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe hytmqygc.exe File opened for modification C:\Windows\mydoc.rtf 752018ae89f569d80a8de45e8de1f020.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe hytmqygc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
Processes:
ykbipdpxpg.exe752018ae89f569d80a8de45e8de1f020.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ykbipdpxpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ykbipdpxpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ykbipdpxpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0A9C5283566D4576D477262DD67C8E64DE" 752018ae89f569d80a8de45e8de1f020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60F14E6DAC5B8BC7C95EC9F34BC" 752018ae89f569d80a8de45e8de1f020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB3FF1A21D0D27DD1D48A7A9114" 752018ae89f569d80a8de45e8de1f020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ykbipdpxpg.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings 752018ae89f569d80a8de45e8de1f020.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 752018ae89f569d80a8de45e8de1f020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ykbipdpxpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ykbipdpxpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CBFE14F190840F3A44819939E4B08D02FF4269034BE1CB42EB08D6" 752018ae89f569d80a8de45e8de1f020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B058449539EF52CFB9A23292D7C5" 752018ae89f569d80a8de45e8de1f020.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFB4F5C82129142D7287DE7BDE1E641594A67406242D69E" 752018ae89f569d80a8de45e8de1f020.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4120 WINWORD.EXE 4120 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
752018ae89f569d80a8de45e8de1f020.exeykbipdpxpg.exejppivurlbkqieke.exehytmqygc.exeowuscomlzmgwz.exehytmqygc.exepid process 1228 752018ae89f569d80a8de45e8de1f020.exe 1228 752018ae89f569d80a8de45e8de1f020.exe 1228 752018ae89f569d80a8de45e8de1f020.exe 1744 ykbipdpxpg.exe 1744 ykbipdpxpg.exe 1744 ykbipdpxpg.exe 3452 jppivurlbkqieke.exe 3452 jppivurlbkqieke.exe 3452 jppivurlbkqieke.exe 1304 hytmqygc.exe 1304 hytmqygc.exe 1304 hytmqygc.exe 2212 owuscomlzmgwz.exe 2212 owuscomlzmgwz.exe 2212 owuscomlzmgwz.exe 3856 hytmqygc.exe 3856 hytmqygc.exe 3856 hytmqygc.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
752018ae89f569d80a8de45e8de1f020.exeykbipdpxpg.exejppivurlbkqieke.exehytmqygc.exeowuscomlzmgwz.exehytmqygc.exepid process 1228 752018ae89f569d80a8de45e8de1f020.exe 1228 752018ae89f569d80a8de45e8de1f020.exe 1228 752018ae89f569d80a8de45e8de1f020.exe 1744 ykbipdpxpg.exe 1744 ykbipdpxpg.exe 1744 ykbipdpxpg.exe 3452 jppivurlbkqieke.exe 3452 jppivurlbkqieke.exe 3452 jppivurlbkqieke.exe 1304 hytmqygc.exe 1304 hytmqygc.exe 1304 hytmqygc.exe 2212 owuscomlzmgwz.exe 2212 owuscomlzmgwz.exe 2212 owuscomlzmgwz.exe 3856 hytmqygc.exe 3856 hytmqygc.exe 3856 hytmqygc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4120 WINWORD.EXE 4120 WINWORD.EXE 4120 WINWORD.EXE 4120 WINWORD.EXE 4120 WINWORD.EXE 4120 WINWORD.EXE 4120 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
752018ae89f569d80a8de45e8de1f020.exeykbipdpxpg.exedescription pid process target process PID 1228 wrote to memory of 1744 1228 752018ae89f569d80a8de45e8de1f020.exe ykbipdpxpg.exe PID 1228 wrote to memory of 1744 1228 752018ae89f569d80a8de45e8de1f020.exe ykbipdpxpg.exe PID 1228 wrote to memory of 1744 1228 752018ae89f569d80a8de45e8de1f020.exe ykbipdpxpg.exe PID 1228 wrote to memory of 3452 1228 752018ae89f569d80a8de45e8de1f020.exe jppivurlbkqieke.exe PID 1228 wrote to memory of 3452 1228 752018ae89f569d80a8de45e8de1f020.exe jppivurlbkqieke.exe PID 1228 wrote to memory of 3452 1228 752018ae89f569d80a8de45e8de1f020.exe jppivurlbkqieke.exe PID 1228 wrote to memory of 1304 1228 752018ae89f569d80a8de45e8de1f020.exe hytmqygc.exe PID 1228 wrote to memory of 1304 1228 752018ae89f569d80a8de45e8de1f020.exe hytmqygc.exe PID 1228 wrote to memory of 1304 1228 752018ae89f569d80a8de45e8de1f020.exe hytmqygc.exe PID 1228 wrote to memory of 2212 1228 752018ae89f569d80a8de45e8de1f020.exe owuscomlzmgwz.exe PID 1228 wrote to memory of 2212 1228 752018ae89f569d80a8de45e8de1f020.exe owuscomlzmgwz.exe PID 1228 wrote to memory of 2212 1228 752018ae89f569d80a8de45e8de1f020.exe owuscomlzmgwz.exe PID 1228 wrote to memory of 4120 1228 752018ae89f569d80a8de45e8de1f020.exe WINWORD.EXE PID 1228 wrote to memory of 4120 1228 752018ae89f569d80a8de45e8de1f020.exe WINWORD.EXE PID 1744 wrote to memory of 3856 1744 ykbipdpxpg.exe hytmqygc.exe PID 1744 wrote to memory of 3856 1744 ykbipdpxpg.exe hytmqygc.exe PID 1744 wrote to memory of 3856 1744 ykbipdpxpg.exe hytmqygc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe"
Tree depth: 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
-
C:\Windows\SysWOW64\ykbipdpxpg.exe
Command line: ykbipdpxpg.exe
Tree depth: 2
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744
-
C:\Windows\SysWOW64\hytmqygc.exe
Command line: C:\Windows\system32\hytmqygc.exe
Tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3856
-
C:\Windows\SysWOW64\jppivurlbkqieke.exe
Command line: jppivurlbkqieke.exe
Tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3452
-
C:\Windows\SysWOW64\hytmqygc.exe
Command line: hytmqygc.exe
Tree depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1304
-
C:\Windows\SysWOW64\owuscomlzmgwz.exe
Command line: owuscomlzmgwz.exe
Tree depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2212
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
Tree depth: 2
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4120
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
- Hidden Files and Directories: 2
- Impair Defenses: 2
- Disable or Modify Tools: 2
- Modify Registry: 6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB