Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 22:07
Behavioral task
behavioral1
Sample
2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Resource
win7-20240903-en
General
-
Target
2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
-
Size
256KB
-
MD5
35acbae676bebc38d9948c0176d3eb55
-
SHA1
2eba5c17218ea94e9a4da3d84f7de1d4bebca5fa
-
SHA256
2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01
-
SHA512
aee2376f59b2b923c14888b4c3e048f5d1c90fa25b0844f85d6d2aafbfcb4e0fee8ecc015fbebb54465d50c1864079ab39ec2ebd3c7a7f9db071756136672390
-
SSDEEP
6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mR
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tdkmlnmfdo.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tdkmlnmfdo.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tdkmlnmfdo.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tdkmlnmfdo.exe -
Executes dropped EXE 5 IoCs
pid Process 1664 tdkmlnmfdo.exe 1864 qvrwxqrmmjxkpdi.exe 2680 dovyreyx.exe 2760 cqjxieyamfukj.exe 2820 dovyreyx.exe -
Loads dropped DLL 5 IoCs
pid Process 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 1664 tdkmlnmfdo.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tdkmlnmfdo.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ueybtikp = "tdkmlnmfdo.exe" qvrwxqrmmjxkpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qlqmgzpe = "qvrwxqrmmjxkpdi.exe" qvrwxqrmmjxkpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cqjxieyamfukj.exe" qvrwxqrmmjxkpdi.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" tdkmlnmfdo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tdkmlnmfdo.exe -
AutoIT Executable 56 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\tdkmlnmfdo.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File created C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File opened for modification C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File opened for modification C:\Windows\SysWOW64\cqjxieyamfukj.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tdkmlnmfdo.exe File created C:\Windows\SysWOW64\tdkmlnmfdo.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File created C:\Windows\SysWOW64\dovyreyx.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File opened for modification C:\Windows\SysWOW64\dovyreyx.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe File created C:\Windows\SysWOW64\cqjxieyamfukj.exe 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal dovyreyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe dovyreyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal dovyreyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe dovyreyx.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe dovyreyx.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal dovyreyx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe dovyreyx.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe dovyreyx.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qvrwxqrmmjxkpdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dovyreyx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cqjxieyamfukj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dovyreyx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdkmlnmfdo.exe -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg tdkmlnmfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" tdkmlnmfdo.exe Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCF9482A82199131D75B7E9CBD97E144594166426335D79E" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB0FF6D21DAD10FD0A78A0B906A" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" tdkmlnmfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" tdkmlnmfdo.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7C9C2283526A3076A570542CD87DF364D6" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9C9FE16F2E784783A40819939E3B0F902FE42600332E2CE429D08A3" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc tdkmlnmfdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf tdkmlnmfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" tdkmlnmfdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs tdkmlnmfdo.exe Key 
created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15A449338EB52CCBAD7339CD4CE" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67D14E3DAB6B8BA7F97EC9E34CC" 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh tdkmlnmfdo.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat tdkmlnmfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" tdkmlnmfdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" tdkmlnmfdo.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2576 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Suspicious use of SendNotifyMessage 34 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2576 WINWORD.EXE 2576 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2988 wrote to memory of 1664 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 31 PID 2988 wrote to memory of 1664 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 31 PID 2988 wrote to memory of 1664 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 31 PID 2988 wrote to memory of 1664 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 31 PID 2988 wrote to memory of 1864 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 32 PID 2988 wrote to memory of 1864 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 32 PID 2988 wrote to memory of 1864 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 32 PID 2988 wrote to memory of 1864 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 32 PID 2988 wrote to memory of 2680 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 33 PID 2988 wrote to memory of 2680 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 33 PID 2988 wrote to memory of 2680 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 33 PID 2988 wrote to memory of 2680 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 33 PID 2988 wrote to memory of 2760 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 34 PID 2988 wrote to memory of 2760 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 34 PID 2988 wrote to memory of 2760 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 34 PID 2988 wrote to memory of 2760 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 34 PID 1664 wrote to memory of 2820 1664 tdkmlnmfdo.exe 35 PID 1664 wrote to memory of 2820 1664 tdkmlnmfdo.exe 35 PID 1664 wrote to memory of 2820 1664 tdkmlnmfdo.exe 35 PID 1664 wrote to memory of 2820 
1664 tdkmlnmfdo.exe 35 PID 2988 wrote to memory of 2576 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 36 PID 2988 wrote to memory of 2576 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 36 PID 2988 wrote to memory of 2576 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 36 PID 2988 wrote to memory of 2576 2988 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe 36 PID 2576 wrote to memory of 2508 2576 WINWORD.EXE 39 PID 2576 wrote to memory of 2508 2576 WINWORD.EXE 39 PID 2576 wrote to memory of 2508 2576 WINWORD.EXE 39 PID 2576 wrote to memory of 2508 2576 WINWORD.EXE 39 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"
PID: 2988
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\tdkmlnmfdo.exe
  Command line: tdkmlnmfdo.exe
  PID: 1664
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dovyreyx.exe
    Command line: C:\Windows\system32\dovyreyx.exe
    PID: 2820
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
  Command line: qvrwxqrmmjxkpdi.exe
  PID: 1864
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dovyreyx.exe
  Command line: dovyreyx.exe
  PID: 2680
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cqjxieyamfukj.exe
  Command line: cqjxieyamfukj.exe
  PID: 2760
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2576
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2508

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2620
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 3
    Active Setup: 1
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 3
    Active Setup: 1
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Defense Evasion
  Hide Artifacts: 2
    Hidden Files and Directories: 2
  Impair Defenses: 2
    Disable or Modify Tools: 2
  Modify Registry: 7
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1
Downloads