Analysis
-
max time kernel
126s
-
max time network
126s
-
platform
windows7_x64
-
resource
win7-20240220-en
-
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
-
submitted
29-04-2024 16:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
-
Size
549KB
-
MD5
61baabd3480b2985f9df8d77a4a5b7f8
-
SHA1
42e2a1ee4abc2a975732eb11ccea700f1f0fb46f
-
SHA256
a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4
-
SHA512
611fa2eb6a4f8b4c05c6e6656ab35d9c3bf58e615438d2791983e5005fd0235e942fd1d1e62b2fe852c3a689430f3c892ae3eb3b14a00a763d2b015ba0072559
-
SSDEEP
12288:Z+QhIge+c1e7NR5rq2z9bZBnml/WkjtQhbYjtj:cQIiUehR5rN9FMvsitj
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
pid Process
3052 minidownload.exe
2660 DownLoadDlg.exe
2236 ExternalApp.exe
880 UpdateService.exe
1300 XLDownloadCom.exe
1668 UpdateService.exe
2344 MiniTPFw.exe
324 ThunderFW.exe
-
Loads dropped DLL 32 IoCs
pid Process
1984 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
3052 minidownload.exe
3052 minidownload.exe
3052 minidownload.exe
1984 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
1984 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
1984 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
2660 DownLoadDlg.exe
2236 ExternalApp.exe
2236 ExternalApp.exe
2236 ExternalApp.exe
2320 regsvr32.exe
2316 regsvr32.exe
2236 ExternalApp.exe
1560 regsvr32.exe
1600 regsvr32.exe
860 regsvr32.exe
2148 regsvr32.exe
2236 ExternalApp.exe
2236 ExternalApp.exe
880 UpdateService.exe
880 UpdateService.exe
880 UpdateService.exe
1300 XLDownloadCom.exe
1300 XLDownloadCom.exe
2348 regsvr32.exe
2660 DownLoadDlg.exe
1668 UpdateService.exe
1668 UpdateService.exe
1668 UpdateService.exe
2660 DownLoadDlg.exe
2344 MiniTPFw.exe
-
Registers COM server for autorun 1 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\IEHint64.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouDownLoad\\npdownload64.dll" regsvr32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020} regsvr32.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 DownLoadDlg.exe
-
Drops file in System32 directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini regsvr32.exe
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol regsvr32.exe
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI regsvr32.exe
File opened for modification C:\Windows\System32\GroupPolicy regsvr32.exe
-
Drops file in Program Files directory 35 IoCs
description ioc Process
File created C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\xldl.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\IEHint64.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\html\css\down.css minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\DlgHandler.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_min.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\download\dl_peer_id.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\msvcp71.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\npdownload64.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\npdownload.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\CommonState.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\id.dat ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\bg_line.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_sx.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe DownLoadDlg.exe
File created C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\download.html minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_close.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\download\atl71.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\download_engine.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\msvcr71.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\download\zlib1.dll ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\uninst.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\html\repair.html minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_set.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif minidownload.exe
File created C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe ExternalApp.exe
File created C:\Program Files (x86)\SogouDownLoad\IEHint.dll ExternalApp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
resource yara_rule
behavioral1/files/0x000a000000015cb1-1.dat nsis_installer_1
behavioral1/files/0x000a000000015cb1-1.dat nsis_installer_2
behavioral1/files/0x00060000000173c5-45.dat nsis_installer_1
behavioral1/files/0x00060000000173c5-45.dat nsis_installer_2
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main DownLoadDlg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085} DownLoadDlg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\AppName = "DownLoadDlg.exe" DownLoadDlg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\AppPath = "C:\\Program Files (x86)\\SogouDownLoad" DownLoadDlg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\Policy = "3" DownLoadDlg.exe
-
Modifies data under HKEY_USERS 38 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2660 DownLoadDlg.exe 2660 DownLoadDlg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\minidownload.exeC:\Users\Admin\AppData\Local\Temp\\minidownload.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3052
-
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe"C:\Program Files (x86)\SogouDownLoad\tmp\ExternalApp.exe" /Update3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload.dll"4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2320
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint.dll"4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2316
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\SogouDownLoad\npdownload64.dll"5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1600
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\SogouDownLoad\IEHint64.dll"5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2148
-
-
-
C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Install4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880
-
-
C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe"C:\Program Files (x86)\SogouDownLoad\XLDownloadCom.exe" /Regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1300
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\SogouDownLoad\XLDownloadComPS.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:2348
-
-
-
C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"C:\Program Files (x86)\SogouDownLoad\download\MiniTPFw.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe"C:\Program Files (x86)\SogouDownLoad\download\ThunderFW.exe" MiniThunderPlatform2024-04-2916:24:37 "C:\Program Files (x86)\SogouDownLoad\download\MiniThunderPlatform.exe"4⤵
- Executes dropped EXE
PID:324
-
-
-
-
C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe"C:\Program Files (x86)\SogouDownLoad\update\UpdateService.exe" /Service1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA189c5d614ff2a2609e875b7f6f2993174e9eb24f5
SHA2562d5bdea43c39aca9660c8b48dcee3aea545bba6412e8e200e8dd6f7eea9897b6
SHA51213110b6da95525729916d94b6ad19d567b3ad08bf45456c66dd6521a5d4b08b0c16ca27f6790c6d1175efde07204c918a13ce2cd991dd1044deb9f7b7a0850f7
-
Filesize
191KB
MD587d4aa3496919af493c9365619c3fd53
SHA1a883a0be2940811ef9232592c811b854f684f4b7
SHA256d4a4eb61a6ffba806c3f34fa6bb5fca32489f53138dbaf324a8b2d210afa0771
SHA512064637554b7e7e1c5699f4e4ced73dd4ca7bf87172009b121bedeb864f8e3d03a1352b6f6b9515b9a4020137e07b9981476a664eadbd27bd32acdd8a53003372
-
Filesize
346KB
MD530e7e39b49c8590aec85aca2664ff3e7
SHA18273c46fb4666e44ce3865012529aebb6aa95f1c
SHA2563d3f8c1a05c2b5b5362b9ee0ddc1ce653a22abf0b559acceebcc82b73dbaf79a
SHA5128d967605e4be98929cf6b508dccc217e60186da44dcb594d16e286f29b66c846dc1c4e676fab235de7f2326bcb4aae30528a535136de72f6a978a48d8a424245
-
Filesize
133KB
MD5004dcd89684f7fc42d3c77edf80dfc92
SHA18a086552df8c17ad146518757689f9237e27b87d
SHA25667510f7dd0476f12e07901ac0344d92186dd761a52398ee1e835421382094f1b
SHA5123a60493e77a7e59147d2b75bed788062d7482d922062d63a40ba3a050013736ce28e1f6319ba3eb7faecc44de9332ff571c028ea8582270d614d9659bf2769ac
-
Filesize
42KB
MD5ef217dde650c290e6f15bdbd7f55f26d
SHA187ef4ca0ac1f7dd6c50bdaa0aeeebc3d1e132dcf
SHA256a445ea86ffb20f9540d53aa12dc8f3737a9c87573241b9c5686109533b92e890
SHA512d2ae2574d2fa5455b590513066bdee9d3765bffd6b82450a5e619d01d4378013cbdcb4f0d9cec47ba7f03125098945c07cb0c6274a9a1ad0346bddd10fe022b5
-
Filesize
302KB
MD58523eee6d4c49b110e6c19ecfd7e5620
SHA1434ddf9f77f904812ef4c3c2329ce057b30dfdfc
SHA256a4917bf56e25576632e808c5199c3c43eb21c866e4e6eb6747c79168f6044c57
SHA512bb916842beac0a605675dda9bf240b2f75437a61bbdd3d89fd464694167db7addb9fd6dd2fce482b9670c9c0e46eb9b3952cf538fb555ade10a9787f4081934a
-
Filesize
2.4MB
MD5b58d945d3d2b83eb5199d60fc27d0e6a
SHA13b70e368422bab5ff123d1ef6c5779adb540ef5a
SHA256905de1f8ab574888fa9dbe7bb5a060ca1c09f710fed2c98e3c2699e595343b79
SHA512027b6ab2197451dae5224c6f3417120d3b7e1ca5cb1801e4a952cac4b832deeacd16955bb3cb3c13553317685609eac6a2202ce8d2ab85837963a5a1478eacdd
-
Filesize
154KB
MD544f5df9407679e7385a0a3a925fbc39b
SHA195681735e2b3e8d0296b39fb505a6e6644e2330b
SHA256a1779be9ef6a3ec798578c0b79a279d34316872d8509eb37f62c98b2fe6af23f
SHA512bf02965127b81da708e13b519b822903de9999b797bbd0ed6697a39e95279511c9e9044d793ef69d9a11f3d518fce1ba85250bbe58c6255f660a09bced35c63f
-
Filesize
232KB
MD58ee60bd9893bafd259db1189e6650bff
SHA1d3be976a5a7519f0c608b3f542b9df622ad14a97
SHA256a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d
SHA51278492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f