Malware Analysis Report

2024-11-15 07:56

Sample ID 241001-r2jfpsvbqq
Target RICHIESTA_OFFERTA_RDO2400423.docx.bin
SHA256 b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
Tags vipkeylogger discovery keylogger stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file RICHIESTA_OFFERTA_RDO2400423.docx.bin was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery keylogger stealer

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Launches Equation Editor

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-10-01 14:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 14:41

Reported

2024-10-01 14:43

Platform

win7-20240903-en

Max time kernel

128s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 676 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\resources\0409\reproductivity.ini C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
PID 2172 wrote to memory of 1080 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2128 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

Network

Country Destination Domain Proto
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.46:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\{E38CD4C1-1FC8-4D55-8F24-6C0BF4E09291}

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\tmtzxc[1].doc

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

\Users\Admin\AppData\Local\Temp\nse4C01.tmp\System.dll

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 14:41

Reported

2024-10-01 14:43

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 22.20.216.154.in-addr.arpa udp
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.22.249.11:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 11.249.22.2.in-addr.arpa udp
GB 2.19.117.99:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 99.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\tmtzxc[1].doc

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCD723E.tmp\sist02.xsl