Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/01/2024, 16:23
Static task
- static1
Behavioral tasks
- behavioral1: sample 804c591d6ff5b6254b2830e7095c5616.exe, resource win7-20231215-en (the run shown on this page)
- behavioral2: sample 804c591d6ff5b6254b2830e7095c5616.exe, resource win10v2004-20231215-en
General
- Target: 804c591d6ff5b6254b2830e7095c5616.exe
- Size: 512KB
- MD5: 804c591d6ff5b6254b2830e7095c5616
- SHA1: 1eeffa7793c6d11fcb824a840122cacdca0011d6
- SHA256: f4c7db55a97184b0ab799d8f447197c89d152806effc4ac8d3d23fe559cbc402
- SHA512: 88c5e7ec2bef58aaa1750ebd74e71e860550da6f0e39c3ba3da0bc88ea59b623ecaf0e03f0a942758679918f58453749c8f6e0c14817f6210809a87c8889f70a
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  [ceuozvjjvt.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [ceuozvjjvt.exe]
Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [ceuozvjjvt.exe]
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [ceuozvjjvt.exe]
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
- Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components  [explorer.exe]
Executes dropped EXE (5 IoCs)
- pid 2768 ceuozvjjvt.exe
- pid 2760 uxygyynguabxokb.exe
- pid 2808 jarzbhjfmsian.exe
- pid 2832 pxcieuhc.exe
- pid 2580 pxcieuhc.exe
Loads dropped DLL (5 IoCs)
- pid 2292 804c591d6ff5b6254b2830e7095c5616.exe (4 loads)
- pid 2768 ceuozvjjvt.exe (1 load)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No individual IoC rows were recorded for this signature.
Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  [ceuozvjjvt.exe]
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iuqdoijn = "uxygyynguabxokb.exe"  [uxygyynguabxokb.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jarzbhjfmsian.exe"  [uxygyynguabxokb.exe]  (the key's default value, no value name)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jplqrxlp = "ceuozvjjvt.exe"  [uxygyynguabxokb.exe]
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- ceuozvjjvt.exe, File opened (read-only), 21 entries: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\t: \??\u: \??\w: \??\x: \??\y: \??\z:
- pxcieuhc.exe (both instances), File opened (read-only), 43 entries, several letters opened twice: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  [ceuozvjjvt.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  [ceuozvjjvt.exe]
The SFCDisable data is 0xFFFFFF9D when read as a DWORD, the value historically used to switch off Windows File Protection on Windows 2000/XP. Vista and later use Windows Resource Protection, which does not honour it, so on this Windows 7 image the write is a family fingerprint rather than a working bypass. Note also that both values landed under Wow6432Node, the view a 32-bit process gets when it writes to HKLM\SOFTWARE.
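The registry rows above (Explorer view settings, Security Center notification switches, DisableRegistryTools, the Run keys and the Winlogon SFC values) are the part of this report a responder would turn into a hunt. The following is an added example, not tria.ge code or anything shipped with the sample: it parses rows in the exact form the report prints, matches them against a small watch-list, and renders DWORD data in hex and signed form so that "4294967197" shows up as 0xFFFFFF9D. The sample rows are copied from this page; the technique labels follow the report's own ATT&CK table.

```python
"""Triage registry IoCs from a tria.ge signature table (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: rows copied from this report's signature tables.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ceuozvjjvt.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ceuozvjjvt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ceuozvjjvt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ceuozvjjvt.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ceuozvjjvt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jplqrxlp = "ceuozvjjvt.exe" uxygyynguabxokb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ceuozvjjvt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ceuozvjjvt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ceuozvjjvt.exe
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
'''

# "<op> <path>[ = "<data>"] <process>"; key paths may contain spaces, the
# process name never does, so the path is matched lazily.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|Key deleted) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$'
)


@dataclass
class RegWrite:
    op: str
    vtype: Optional[str]
    path: str
    data: Optional[str]
    proc: str

    @property
    def wow64_view(self) -> bool:
        """A 32-bit writer's HKLM\\SOFTWARE writes land in Wow6432Node."""
        return "\\Wow6432Node\\" in self.path

    @property
    def tail(self) -> str:
        return "\\".join(self.path.split("\\")[-2:])


def parse_rows(text: str) -> List[RegWrite]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(RegWrite(m["op"], m["vtype"], m["path"], m["data"], m["proc"]))
    return rows


def dword_forms(data: str) -> Tuple[str, int]:
    """tria.ge prints DWORDs as unsigned decimal; give hex and signed int."""
    v = int(data)
    signed = (v - (1 << 32)) if v > 0x7FFFFFFF else v
    return f"0x{v:08X}", signed


# (path pattern, required data or None, label). IDs follow the report's own
# ATT&CK table; the Winlogon row is the one it files under T1547.004.
RULES = [
    (r"\\Explorer\\Advanced\\HideFileExt$", "1", "T1564.001 hide file extensions"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", "0", "T1564.001 re-hide protected OS files"),
    (r"\\Policies\\System\\DisableRegistryTools$", "1", "T1112 block regedit for the user"),
    (r"\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", "1", "T1562.001 silence Security Center"),
    (r"\\Security Center\\(AntiVirus|Firewall)Override$", "1", "T1562.001 override Security Center status"),
    (r"\\Winlogon\\SFCDisable$", None, "T1547.004 Winlogon value (legacy WFP switch)"),
    (r"\\CurrentVersion\\Run\\[^\\]*$", None, "T1547.001 Run key persistence"),
    (r"\\Classes\\\.(bat|cmd|vbs|vbe|js|wsh|wsf|wsc|reg)\\?$", None, "T1112 script file-class tampering"),
]


def triage(rows: List[RegWrite]) -> List[Tuple[str, str, str, str, bool]]:
    """Return (process, label, key tail, rendered data, wow64_view) per hit."""
    hits = []
    for r in rows:
        for pattern, want, label in RULES:
            if not re.search(pattern, r.path, re.IGNORECASE):
                continue
            if want is not None and r.data != want:
                continue
            detail = r.data if r.data is not None else f"({r.op})"
            if r.vtype == "int" and r.data is not None:
                hexv, signed = dword_forms(r.data)
                detail = f"{r.data} ({hexv}, signed {signed})"
            hits.append((r.proc, label, r.tail, detail, r.wow64_view))
            break
    return hits


def by_process(hits) -> Counter:
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    for proc, label, tail, detail, wow in triage(parse_rows(SAMPLE_ROWS)):
        view = " [Wow6432Node view]" if wow else ""
        print(f"{proc:22} {label:44} {tail} = {detail}{view}")
```

Two things the output makes visible that the flat table does not: the `.bat` and `.WSH` classes being pointed at `txtfile` means double-clicking a batch or WSH file would open it in Notepad instead of running it, and every HKLM write by the 32-bit `ceuozvjjvt.exe` sits in the Wow6432Node view. The 64-bit Security Center service reads the native key, so the notification switches most likely had no effect on this x64 image, whereas the Wow6432Node Run key is still processed at logon.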
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/2292-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- behavioral1/files/0x000d0000000122e8-7.dat: autoit_exe
- behavioral1/files/0x000a000000012243-17.dat: autoit_exe
- behavioral1/files/0x0007000000015d03-36.dat: autoit_exe
- behavioral1/files/0x0028000000015c63-37.dat: autoit_exe
- behavioral1/files/0x0006000000018b7e-69.dat: autoit_exe
- behavioral1/files/0x0006000000018b9d-75.dat: autoit_exe
Drops file in System32 directory (9 IoCs)
- File opened for modification C:\Windows\SysWOW64\uxygyynguabxokb.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File created C:\Windows\SysWOW64\pxcieuhc.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File opened for modification C:\Windows\SysWOW64\jarzbhjfmsian.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File created C:\Windows\SysWOW64\uxygyynguabxokb.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File opened for modification C:\Windows\SysWOW64\ceuozvjjvt.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File opened for modification C:\Windows\SysWOW64\pxcieuhc.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File created C:\Windows\SysWOW64\jarzbhjfmsian.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll  [ceuozvjjvt.exe]
- File created C:\Windows\SysWOW64\ceuozvjjvt.exe  [804c591d6ff5b6254b2830e7095c5616.exe]
Drops file in Program Files directory (14 IoCs, all by pxcieuhc.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
The executables are named after Office's PROTTPLN.DOC and PROTTPLV.DOC templates with an added .exe; combined with the HideFileExt = "1" write above, Explorer would display them as PROTTPLN.DOC and PROTTPLV.DOC.
Drops file in Windows directory (4 IoCs)
- File opened for modification C:\Windows\mydoc.rtf  [804c591d6ff5b6254b2830e7095c5616.exe]
- File opened for modification C:\Windows\mydoc.rtf  [WINWORD.EXE]
- File created C:\Windows\~$mydoc.rtf  [WINWORD.EXE]
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log  [WINWORD.EXE]
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). No individual IoC rows were recorded for this signature.
Office loads VBA resources, possible macro or embedded object present
No individual IoC rows were recorded for this signature.
Modifies Internet Explorer settings (all entries written by WINWORD.EXE)
In the rows below, <IE-USER> stands for \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer and <IE-MACHINE> for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer.
- Key created <IE-USER>\MenuExt\E&xport to Microsoft Excel
- Key deleted <IE-MACHINE>\Default HTML Editor\shell\edit\COMMAND
- Key created <IE-MACHINE>\Default HTML Editor\shell\edit
- Set value (str) <IE-USER>\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key deleted <IE-MACHINE>\Default MHTML Editor
- Set value (str) <IE-MACHINE>\Default MHTML Editor\shell\edit\ = "&Edit"
- Set value (str) <IE-MACHINE>\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created <IE-USER>\MenuExt
- Key created <IE-USER>\MenuExt\Se&nd to OneNote
- Set value (int) <IE-USER>\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key deleted <IE-MACHINE>\Default HTML Editor
- Set value (str) <IE-MACHINE>\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str) <IE-USER>\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created <IE-MACHINE>\Default HTML Editor\shell\edit\command
- Key created <IE-MACHINE>\Default MHTML Editor\shell\edit\command
- Key deleted <IE-MACHINE>\Default HTML Editor\shell\edit
- Key deleted <IE-MACHINE>\Default HTML Editor\shell
- Key created <IE-MACHINE>\Default HTML Editor
- Set value (data) <IE-MACHINE>\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created <IE-MACHINE>\Default MHTML Editor\shell\edit
- Key deleted <IE-MACHINE>\Default MHTML Editor\shell\edit
- Key created <IE-MACHINE>\Default MHTML Editor
- Key created <IE-MACHINE>\Default MHTML Editor\shell
- Key created <IE-USER>\Toolbar
- Set value (str) <IE-USER>\Toolbar\ShowDiscussionButton = "Yes"
- Set value (str) <IE-MACHINE>\Default HTML Editor\shell\edit\ = "&Edit"
- Key deleted <IE-MACHINE>\Default MHTML Editor\shell
- Set value (int) <IE-USER>\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created <IE-MACHINE>\Default HTML Editor\shell
- Key deleted <IE-MACHINE>\Default MHTML Editor\shell\edit\COMMAND
- Set value (data) <IE-MACHINE>\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Modifies registry class (64 IoCs)
In the rows below, <CLASSES> stands for \REGISTRY\MACHINE\SOFTWARE\Classes.
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  [WINWORD.EXE]
- Set value (str) <CLASSES>\CLV.Classes\StartCom1 = "E78068B5FE6822D9D172D1A68A75906A"  [804c591d6ff5b6254b2830e7095c5616.exe]
- Set value (str) <CLASSES>\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\command  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"  [WINWORD.EXE]
- Key deleted <CLASSES>\mhtmlfile\shell\Edit  [WINWORD.EXE]
- Key deleted <CLASSES>\mhtmlfile\shell\Print  [WINWORD.EXE]
- Set value (data) <CLASSES>\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  [WINWORD.EXE]
- Key created <CLASSES>\.wsc  [ceuozvjjvt.exe]
- Key created <CLASSES>\.vbs  [ceuozvjjvt.exe]
- Key created <CLASSES>\.reg  [ceuozvjjvt.exe]
- Key created <CLASSES>\mhtmlfile\DefaultIcon  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.bat\ = "txtfile"  [ceuozvjjvt.exe]
- Key created <CLASSES>\.htm\OpenWithList\Microsoft Word\shell\edit\command  [WINWORD.EXE]
- Key created <CLASSES>\.htm\OpenWithList\Microsoft Publisher\shell\edit  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\WinWord.exe  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"  [WINWORD.EXE]
- Set value (str) <CLASSES>\htmlfile\DefaultIcon\ = "\"%1\""  [WINWORD.EXE]
- Set value (data) <CLASSES>\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  [WINWORD.EXE]
- Set value (str) <CLASSES>\mhtmlfile\shell\Edit\ = "&Edit"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"  [WINWORD.EXE]
- Set value (data) <CLASSES>\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  [WINWORD.EXE]
- Key created <CLASSES>\htmlfile  [WINWORD.EXE]
- Key created <CLASSES>\.htm\OpenWithList\Excel.exe\shell\edit\command  [WINWORD.EXE]
- Key created <CLASSES>\mhtmlfile\shell\Print\command  [WINWORD.EXE]
- Key created <CLASSES>\.htm\OpenWithList  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  [WINWORD.EXE]
- Key created <CLASSES>\mhtmlfile\ShellEx  [WINWORD.EXE]
- Key created <CLASSES>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile  [WINWORD.EXE]
- Key created <CLASSES>\.mht  [WINWORD.EXE]
- Set value (str) <CLASSES>\htmlfile\shell\Edit\ = "&Edit"  [WINWORD.EXE]
- Key created <CLASSES>\htmlfile\shellex\IconHandler  [WINWORD.EXE]
- Set value (str) <CLASSES>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Excel.exe\shell\edit\command  [WINWORD.EXE]
- Key deleted <CLASSES>\htmlfile\shell\Edit\command  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Word\shell\edit\command  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Publisher  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"  [WINWORD.EXE]
- Key created <CLASSES>\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14  [WINWORD.EXE]
- Key created <CLASSES>\.htm\OpenWithList\Microsoft Excel  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit  [WINWORD.EXE]
- Set value (str) <CLASSES>\mhtmlfile\shell\Print\ = "&Print"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\MSPub.exe\shell\edit  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.WSH\ = "txtfile"  [ceuozvjjvt.exe]
- Key created <CLASSES>\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  [WINWORD.EXE]
- Set value (str) <CLASSES>\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  [WINWORD.EXE]
- Set value (str) <CLASSES>\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\WinWord.exe\shell\edit\command  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec  [WINWORD.EXE]
- Set value (str) <CLASSES>\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"  [WINWORD.EXE]
- Key created <CLASSES>\.mht\OpenWithList\MSPub.exe\shell\edit\command  [WINWORD.EXE]
- Key created <CLASSES>\Wow6432Node\CLSID  [WINWORD.EXE]
- Set value (str) <CLASSES>\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"  [WINWORD.EXE]
- Set value (str) <CLASSES>\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  [WINWORD.EXE]
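The `Set value (data) ...\command\command = 7800...` rows in the Internet Explorer editor table and in the OpenWithList entries of the registry-class table look alarming as raw hex but are Word re-registering its own file associations. The following is an added example, not part of the tria.ge report: it decodes those REG_BINARY blobs as the UTF-16LE text they are and splits them along the Windows Installer "Darwin descriptor" layout (20-character compressed product code, feature name, `>`, 20-character compressed component code, then the shell arguments). The two hex blobs are copied verbatim from the rows above; the compressed GUIDs are left undecoded.

```python
"""Decode the REG_BINARY `command` descriptors Word wrote (added example)."""
from dataclasses import dataclass

# Copied from the report: the WINWORD entry and the Publisher/MSPub entry.
WORD_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
PUB_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


def decode_reg_binary_text(hex_blob: str) -> str:
    """tria.ge prints REG_BINARY as hex; here the bytes are UTF-16LE text."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


@dataclass
class DarwinDescriptor:
    product: str     # 20-char compressed product GUID (not expanded here)
    feature: str     # MSI feature name, e.g. WORDFiles
    component: str   # 20-char compressed component GUID
    arguments: str   # shell verb arguments that follow the descriptor


def parse_descriptor(hex_blob: str) -> DarwinDescriptor:
    """Split a descriptor string into its fields; raise if the shape is wrong."""
    text = decode_reg_binary_text(hex_blob)
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if len(product) != 20 or not sep or len(rest) < 20:
        raise ValueError(f"not a Darwin descriptor: {text!r}")
    return DarwinDescriptor(product, feature, rest[:20], rest[20:].strip())


def same_product(hex_a: str, hex_b: str) -> bool:
    """True when two descriptors advertise the same installed product."""
    return parse_descriptor(hex_a).product == parse_descriptor(hex_b).product


if __name__ == "__main__":
    for name, blob in (("Word", WORD_BLOB), ("Publisher", PUB_BLOB)):
        d = parse_descriptor(blob)
        print(f"{name}: feature={d.feature} args={d.arguments!r} product={d.product}")
```

Both blobs share the product field and differ only in feature (`WORDFiles` versus `PubPrimary`) and arguments (`/n "%1"` versus `%1`), which is what advertised-shortcut style registration for one Office 2010 install looks like. A descriptor whose feature name or arguments do not match the application named in the sibling `shell\edit\command` string would be the thing to look at; these do.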
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 2604 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2292 804c591d6ff5b6254b2830e7095c5616.exe: 8 entries
- pid 2768 ceuozvjjvt.exe: 5 entries
- pid 2760 uxygyynguabxokb.exe: 17 entries
- pid 2808 jarzbhjfmsian.exe: 26 entries
- pid 2832 pxcieuhc.exe: 4 entries
- pid 2580 pxcieuhc.exe: 4 entries
(after the first 33 entries the remaining rows alternate between 2760 and 2808)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 2648 explorer.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
- Token: SeShutdownPrivilege, pid 2648 explorer.exe (12 entries)
Suspicious use of FindShellTrayWindow (47 IoCs)
- pid 2292 804c591d6ff5b6254b2830e7095c5616.exe: 3 entries
- pid 2768 ceuozvjjvt.exe: 3 entries
- pid 2760 uxygyynguabxokb.exe: 3 entries
- pid 2808 jarzbhjfmsian.exe: 3 entries
- pid 2832 pxcieuhc.exe: 3 entries
- pid 2580 pxcieuhc.exe: 3 entries
- pid 2648 explorer.exe: 29 entries
Suspicious use of SendNotifyMessage (34 IoCs)
- pid 2292 804c591d6ff5b6254b2830e7095c5616.exe: 3 entries
- pid 2768 ceuozvjjvt.exe: 3 entries
- pid 2760 uxygyynguabxokb.exe: 3 entries
- pid 2808 jarzbhjfmsian.exe: 3 entries
- pid 2832 pxcieuhc.exe: 3 entries
- pid 2648 explorer.exe: 19 entries
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2604 WINWORD.EXE: 2 entries
Suspicious use of WriteProcessMemory (24 IoCs; each pair is recorded four times)
- PID 2292 (804c591d6ff5b6254b2830e7095c5616.exe) wrote to memory of 2768 (ceuozvjjvt.exe), procid_target 28
- PID 2292 (804c591d6ff5b6254b2830e7095c5616.exe) wrote to memory of 2760 (uxygyynguabxokb.exe), procid_target 29
- PID 2292 (804c591d6ff5b6254b2830e7095c5616.exe) wrote to memory of 2832 (pxcieuhc.exe), procid_target 30
- PID 2292 (804c591d6ff5b6254b2830e7095c5616.exe) wrote to memory of 2808 (jarzbhjfmsian.exe), procid_target 31
- PID 2768 (ceuozvjjvt.exe) wrote to memory of 2580 (pxcieuhc.exe), procid_target 32
- PID 2292 (804c591d6ff5b6254b2830e7095c5616.exe) wrote to memory of 2604 (WINWORD.EXE), procid_target 33
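Every writer/target pair in the WriteProcessMemory table is also a parent/child edge in the Processes tree below, which is what a parent writing into a child it has just created looks like; a write into a process that is not the writer's child is the injection case worth chasing. The following is an added example, not tria.ge code: it parses rows in the form the table prints, rebuilds lineage from the tree, and splits the writes into creation-like and cross-process. The sample rows are a subset copied from this report; the one extra row used to show the cross-process branch is constructed and does not occur in the report.

```python
"""Separate creation-time writes from cross-process writes (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Rows copied from the WriteProcessMemory table (duplicates trimmed).
SAMPLE_ROWS = """
PID 2292 wrote to memory of 2768 2292 804c591d6ff5b6254b2830e7095c5616.exe 28
PID 2292 wrote to memory of 2768 2292 804c591d6ff5b6254b2830e7095c5616.exe 28
PID 2292 wrote to memory of 2760 2292 804c591d6ff5b6254b2830e7095c5616.exe 29
PID 2292 wrote to memory of 2832 2292 804c591d6ff5b6254b2830e7095c5616.exe 30
PID 2292 wrote to memory of 2808 2292 804c591d6ff5b6254b2830e7095c5616.exe 31
PID 2768 wrote to memory of 2580 2768 ceuozvjjvt.exe 32
PID 2292 wrote to memory of 2604 2292 804c591d6ff5b6254b2830e7095c5616.exe 33
"""

# Constructed row, not from the report: 2604's parent is 2292, not 2768.
CONSTRUCTED_INJECTION_ROW = "PID 2768 wrote to memory of 2604 2768 ceuozvjjvt.exe 33"

# Lineage taken from the Processes tree (child pid -> parent pid).
PARENT: Dict[int, int] = {2768: 2292, 2760: 2292, 2832: 2292, 2808: 2292, 2604: 2292, 2580: 2768}
IMAGE: Dict[int, str] = {
    2292: "804c591d6ff5b6254b2830e7095c5616.exe", 2768: "ceuozvjjvt.exe",
    2760: "uxygyynguabxokb.exe", 2832: "pxcieuhc.exe", 2808: "jarzbhjfmsian.exe",
    2580: "pxcieuhc.exe", 2604: "WINWORD.EXE", 2648: "explorer.exe",
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_writes(text: str) -> Counter:
    """Count writes per (writer pid, target pid)."""
    pairs: Counter = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        pairs[(int(m[1]), int(m[2]))] += 1
    return pairs


def classify(pairs: Counter, parent: Dict[int, int]) -> Tuple[dict, dict]:
    """Split pairs into parent->child writes and writes into other processes."""
    creation, cross = {}, {}
    for (writer, target), n in pairs.items():
        bucket = creation if parent.get(target) == writer else cross
        bucket[(writer, target)] = n
    return creation, cross


def render_tree(parent: Dict[int, int], image: Dict[int, str]) -> List[str]:
    """Indented pid/image lines, roots first, children sorted by pid."""
    children = defaultdict(list)
    for child, p in parent.items():
        children[p].append(child)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {image.get(pid, '?')}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(p for p in image if p not in parent):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PARENT, IMAGE)))
    creation, cross = classify(parse_writes(SAMPLE_ROWS), PARENT)
    print("creation-like:", creation)
    print("cross-process:", cross)
    _, cross2 = classify(parse_writes(SAMPLE_ROWS + CONSTRUCTED_INJECTION_ROW), PARENT)
    print("with constructed row, cross-process:", cross2)
```

The procid_target column is tria.ge's own process index, not a Windows PID, and is ignored here. The check is only as good as the parent map: a process that spawns a child through an intermediary would show as a cross-process write and needs the tree consulted by hand.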
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe  (PID 2292, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ceuozvjjvt.exe  (PID 2768, depth 2)
    command line: ceuozvjjvt.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\pxcieuhc.exe  (PID 2580, depth 3)
      command line: C:\Windows\system32\pxcieuhc.exe (WOW64 file-system redirection maps a 32-bit process's system32 path to SysWOW64, where the dropper wrote the file)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\uxygyynguabxokb.exe  (PID 2760, depth 2)
    command line: uxygyynguabxokb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pxcieuhc.exe  (PID 2832, depth 2)
    command line: pxcieuhc.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\jarzbhjfmsian.exe  (PID 2808, depth 2)
    command line: jarzbhjfmsian.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 2604, depth 2)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe  (PID 2648, depth 1)
  command line: explorer.exe
  - Modifies Installed Components in the registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (8)
Downloads
- Filesize 512KB
  MD5 d857e6cdccf645b75bb08e6d0bc3d808
  SHA1 1f6c865e00e89aaaf691ce3caf8ba4307b8f5538
  SHA256 d4b4e62b23ee6649a1bdb6c87a631606b3a614dd3b0485e9592cda1c9d063f52
  SHA512 378dd0df647187db19b86708fa3d129c69a54e26963b46ab5f8936a3855626ac6cf978faebf95605816133030d252b786052e7181ba13575b21957d56f5414e0
- Filesize 512KB
  MD5 81915d00849bb628247d209da0ae2821
  SHA1 831f691886adbce50da7b0da79b0694d5e075998
  SHA256 b7d101886cb80a456e276c01dfaafc57660da68c82cebbfc90545f9b1a861232
  SHA512 ce3f583ef651765329c6751bd64c7d004bfdd71ca8e487ad21b94e375b3b5c46328319879bb1bc49aab684edd9a6f3d5443dc3cce85c722b98c9299b2274d21a
- Filesize 512KB
  MD5 a61e2e5e5f3591edb59c722ad9ee052d
  SHA1 c397dcd292958952a1ce203c57cdfec6db003c01
  SHA256 9dfaecb1ef46f376ccaa926ecd9c1883cbe490c23f3be528396ed5f388def510
  SHA512 eec8780743395f571bfb0d7b6c1e71ad890b2d22cb4fff11ce4a460a2923d7e89e6b99eb98891e5c74653f63e0dd0b32a3ed458ed3f81001ee088b645487c82f
- Filesize 512KB
  MD5 fcf125a22fc8aff63e07e87cb2dddaba
  SHA1 62524dd62155bf7a75a93c7e0acdfee5f8d4b975
  SHA256 9dc763d6d7b50c7fe34a388510373c2a231a1caddadcebc5569ba59c4cc815e4
  SHA512 3442f0fbe6b30d095c32e0e9469a1cc96c8aea786f1818c4fe79c2aa029db58f599f4cb193f9d010a570231226b59036dcaceafa2d94ce343019ceef3aca91dd
- Filesize 512KB
  MD5 9c21741882498b251be6068641a905af
  SHA1 e6431d49400f8636e358b5d6c69d058aee913f49
  SHA256 da5f6f622f626e9d4dc040d5d28d93816d095b3c1da8413d8e49ddb6a23e4683
  SHA512 f732bbf22728278dce6d379d9bae951d4470903ee6f25ed80718e1f112ffdbd33e78be18a27813b4638b6e8204a5afd54f813a12a786c9c0d3ad1aef58c03060
- Filesize 223B
  MD5 06604e5941c126e2e7be02c5cd9f62ec
  SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize 512KB
  MD5 bb61567a9070adc596ce21b407ac097f
  SHA1 4d65c8110d1890db7bd26cf9c7f9187e4de022b5
  SHA256 f4c73abdbeded1601bd143da73d425fb6d38835aff362989de198174cf5f7a61
  SHA512 95dd0a98e44c3cccb352e700bf4799f893640402988d8b9c24dbb150685f3b1f7bc880b23f3ca7582f523e82b7c4cf4aff8d1aee62123a96ae0dae7a3c922a6c