Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 03:17
Static task
static1
Behavioral task
behavioral1
Sample
0276f65dff093433bc35b40d852e5825.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0276f65dff093433bc35b40d852e5825.exe
Resource
win10v2004-20231215-en
General
-
Target
0276f65dff093433bc35b40d852e5825.exe
-
Size
512KB
-
MD5
0276f65dff093433bc35b40d852e5825
-
SHA1
77bb0c664fc7515d461e43558aaebb76fb154d91
-
SHA256
4af568f0576b3ec963aeaed7bf5f0887adc3381128cff58964b19b58a86a1f6f
-
SHA512
dff66347db146d9ba8bc02376bad874c921de1e340666798269af2d5395ac43e2b8e0a656cd6bbbab6c4353f67887a7f7183dd46f32182dbe72ba5a978083524
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" gqewpjgtwb.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gqewpjgtwb.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" gqewpjgtwb.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gqewpjgtwb.exe -
Executes dropped EXE 5 IoCs
pid Process 2784 gqewpjgtwb.exe 2852 lwtuhjtniwyykmh.exe 2768 efrdlecy.exe 2748 yrpozfvpdqdjg.exe 2132 efrdlecy.exe -
Loads dropped DLL 5 IoCs
pid Process 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 2784 gqewpjgtwb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gqewpjgtwb.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kewedkvn = "gqewpjgtwb.exe" lwtuhjtniwyykmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ppeacxdp = "lwtuhjtniwyykmh.exe" lwtuhjtniwyykmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yrpozfvpdqdjg.exe" lwtuhjtniwyykmh.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\w: efrdlecy.exe File opened (read-only) \??\h: efrdlecy.exe File opened (read-only) \??\i: efrdlecy.exe File opened (read-only) \??\n: efrdlecy.exe File opened (read-only) \??\y: efrdlecy.exe File opened (read-only) \??\b: efrdlecy.exe File opened (read-only) \??\k: efrdlecy.exe File opened (read-only) \??\v: efrdlecy.exe File opened (read-only) \??\o: gqewpjgtwb.exe File opened (read-only) \??\x: gqewpjgtwb.exe File opened (read-only) \??\z: gqewpjgtwb.exe File opened (read-only) \??\l: efrdlecy.exe File opened (read-only) \??\e: efrdlecy.exe File opened (read-only) \??\m: efrdlecy.exe File opened (read-only) \??\g: gqewpjgtwb.exe File opened (read-only) \??\g: efrdlecy.exe File opened (read-only) \??\l: efrdlecy.exe File opened (read-only) \??\p: efrdlecy.exe File opened (read-only) \??\t: efrdlecy.exe File opened (read-only) \??\h: gqewpjgtwb.exe File opened (read-only) \??\r: efrdlecy.exe File opened (read-only) \??\a: efrdlecy.exe File opened (read-only) \??\k: gqewpjgtwb.exe File opened (read-only) \??\u: gqewpjgtwb.exe File opened (read-only) \??\b: efrdlecy.exe File opened (read-only) \??\x: efrdlecy.exe File opened (read-only) \??\j: gqewpjgtwb.exe File opened (read-only) \??\t: gqewpjgtwb.exe File opened (read-only) \??\s: efrdlecy.exe File opened (read-only) \??\h: efrdlecy.exe File opened (read-only) \??\y: efrdlecy.exe File opened (read-only) \??\s: gqewpjgtwb.exe File opened (read-only) \??\k: efrdlecy.exe File opened (read-only) \??\m: efrdlecy.exe File opened (read-only) \??\n: efrdlecy.exe File opened (read-only) \??\u: efrdlecy.exe File opened (read-only) \??\i: efrdlecy.exe File opened (read-only) \??\e: efrdlecy.exe File opened (read-only) \??\p: efrdlecy.exe File opened (read-only) \??\b: gqewpjgtwb.exe File opened (read-only) \??\m: gqewpjgtwb.exe File opened (read-only) \??\q: gqewpjgtwb.exe File opened (read-only) \??\y: gqewpjgtwb.exe File opened (read-only) \??\o: efrdlecy.exe File opened (read-only) \??\j: efrdlecy.exe File opened (read-only) \??\r: efrdlecy.exe File opened (read-only) \??\i: gqewpjgtwb.exe File opened (read-only) \??\t: efrdlecy.exe File opened (read-only) \??\u: efrdlecy.exe File opened (read-only) \??\g: efrdlecy.exe File opened (read-only) \??\o: efrdlecy.exe File opened (read-only) \??\z: efrdlecy.exe File opened (read-only) \??\a: gqewpjgtwb.exe File opened (read-only) \??\p: gqewpjgtwb.exe File opened (read-only) \??\a: efrdlecy.exe File opened (read-only) \??\z: efrdlecy.exe File opened (read-only) \??\e: gqewpjgtwb.exe File opened (read-only) \??\l: gqewpjgtwb.exe File opened (read-only) \??\r: gqewpjgtwb.exe File opened (read-only) \??\v: gqewpjgtwb.exe File opened (read-only) \??\w: gqewpjgtwb.exe File opened (read-only) \??\v: efrdlecy.exe File opened (read-only) \??\w: efrdlecy.exe File opened (read-only) \??\s: efrdlecy.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" gqewpjgtwb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" gqewpjgtwb.exe -
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1720-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000d0000000122d2-5.dat autoit_exe behavioral1/files/0x0009000000012280-17.dat autoit_exe behavioral1/files/0x0009000000012280-20.dat autoit_exe behavioral1/files/0x000d0000000122d2-26.dat autoit_exe behavioral1/files/0x002e000000014636-29.dat autoit_exe behavioral1/files/0x0007000000014ac9-35.dat autoit_exe behavioral1/files/0x002e000000014636-32.dat autoit_exe behavioral1/files/0x002e000000014636-43.dat autoit_exe behavioral1/files/0x002e000000014636-42.dat autoit_exe behavioral1/files/0x000600000001604a-69.dat autoit_exe behavioral1/files/0x0006000000015eb6-66.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\efrdlecy.exe 0276f65dff093433bc35b40d852e5825.exe File opened for modification C:\Windows\SysWOW64\lwtuhjtniwyykmh.exe 0276f65dff093433bc35b40d852e5825.exe File opened for modification C:\Windows\SysWOW64\gqewpjgtwb.exe 0276f65dff093433bc35b40d852e5825.exe File created C:\Windows\SysWOW64\lwtuhjtniwyykmh.exe 0276f65dff093433bc35b40d852e5825.exe File opened for modification C:\Windows\SysWOW64\efrdlecy.exe 0276f65dff093433bc35b40d852e5825.exe File created C:\Windows\SysWOW64\yrpozfvpdqdjg.exe 0276f65dff093433bc35b40d852e5825.exe File opened for modification C:\Windows\SysWOW64\yrpozfvpdqdjg.exe 0276f65dff093433bc35b40d852e5825.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll gqewpjgtwb.exe File created C:\Windows\SysWOW64\gqewpjgtwb.exe 0276f65dff093433bc35b40d852e5825.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe efrdlecy.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal efrdlecy.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe efrdlecy.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe efrdlecy.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe efrdlecy.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal efrdlecy.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 0276f65dff093433bc35b40d852e5825.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs gqewpjgtwb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh gqewpjgtwb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" gqewpjgtwb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB0FF1A21DDD20FD0A58B7F9164" 0276f65dff093433bc35b40d852e5825.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat gqewpjgtwb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc gqewpjgtwb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC70E15E7DAC5B8BE7F95EDE537C9" 0276f65dff093433bc35b40d852e5825.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg gqewpjgtwb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" gqewpjgtwb.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2752 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 1720 0276f65dff093433bc35b40d852e5825.exe 2852 lwtuhjtniwyykmh.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2132 efrdlecy.exe 2132 efrdlecy.exe 2132 efrdlecy.exe 2132 efrdlecy.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2852 lwtuhjtniwyykmh.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2132 efrdlecy.exe 2132 efrdlecy.exe 2132 efrdlecy.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 1720 0276f65dff093433bc35b40d852e5825.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2784 gqewpjgtwb.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2852 lwtuhjtniwyykmh.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2768 efrdlecy.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2748 yrpozfvpdqdjg.exe 2132 efrdlecy.exe 2132 efrdlecy.exe 2132 efrdlecy.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2752 WINWORD.EXE 2752 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2784 1720 0276f65dff093433bc35b40d852e5825.exe 28 PID 1720 wrote to memory of 2784 1720 0276f65dff093433bc35b40d852e5825.exe 28 PID 1720 wrote to memory of 2784 1720 0276f65dff093433bc35b40d852e5825.exe 28 PID 1720 wrote to memory of 2784 1720 0276f65dff093433bc35b40d852e5825.exe 28 PID 1720 wrote to memory of 2852 1720 0276f65dff093433bc35b40d852e5825.exe 29 PID 1720 wrote to memory of 2852 1720 0276f65dff093433bc35b40d852e5825.exe 29 PID 1720 wrote to memory of 2852 1720 0276f65dff093433bc35b40d852e5825.exe 29 PID 1720 wrote to memory of 2852 1720 0276f65dff093433bc35b40d852e5825.exe 29 PID 1720 wrote to memory of 2768 1720 0276f65dff093433bc35b40d852e5825.exe 35 PID 1720 wrote to memory of 2768 1720 0276f65dff093433bc35b40d852e5825.exe 35 PID 1720 wrote to memory of 2768 1720 0276f65dff093433bc35b40d852e5825.exe 35 PID 1720 wrote to memory of 2768 1720 0276f65dff093433bc35b40d852e5825.exe 35 PID 2852 wrote to memory of 2672 2852 lwtuhjtniwyykmh.exe 32 PID 2852 wrote to memory of 2672 2852 lwtuhjtniwyykmh.exe 32 PID 2852 wrote to memory of 2672 2852 lwtuhjtniwyykmh.exe 32 PID 2852 wrote to memory of 2672 2852 lwtuhjtniwyykmh.exe 32 PID 1720 wrote to memory of 2748 1720 0276f65dff093433bc35b40d852e5825.exe 31 PID 1720 wrote to memory of 2748 1720 0276f65dff093433bc35b40d852e5825.exe 31 PID 1720 wrote to memory of 2748 1720 0276f65dff093433bc35b40d852e5825.exe 31 PID 1720 wrote to memory of 2748 1720 0276f65dff093433bc35b40d852e5825.exe 31 PID 2784 wrote to memory of 2132 2784 gqewpjgtwb.exe 33 PID 2784 wrote to memory of 2132 2784 gqewpjgtwb.exe 33 PID 2784 wrote to memory of 2132 2784 gqewpjgtwb.exe 33 PID 2784 wrote to memory of 2132 2784 gqewpjgtwb.exe 33 PID 1720 wrote to memory of 2752 1720 0276f65dff093433bc35b40d852e5825.exe 34 PID 1720 wrote to memory of 2752 1720 0276f65dff093433bc35b40d852e5825.exe 34 PID 1720 wrote to memory of 2752 1720 0276f65dff093433bc35b40d852e5825.exe 34 PID 1720 wrote to memory of 2752 1720 0276f65dff093433bc35b40d852e5825.exe 34 PID 2752 wrote to memory of 2868 2752 WINWORD.EXE 39 PID 2752 wrote to memory of 2868 2752 WINWORD.EXE 39 PID 2752 wrote to memory of 2868 2752 WINWORD.EXE 39 PID 2752 wrote to memory of 2868 2752 WINWORD.EXE 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\0276f65dff093433bc35b40d852e5825.exe"C:\Users\Admin\AppData\Local\Temp\0276f65dff093433bc35b40d852e5825.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\gqewpjgtwb.exegqewpjgtwb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\efrdlecy.exeC:\Windows\system32\efrdlecy.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2132
-
-
-
C:\Windows\SysWOW64\lwtuhjtniwyykmh.exelwtuhjtniwyykmh.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\cmd.execmd.exe /c yrpozfvpdqdjg.exe3⤵PID:2672
-
-
-
C:\Windows\SysWOW64\yrpozfvpdqdjg.exeyrpozfvpdqdjg.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2868
-
-
-
C:\Windows\SysWOW64\efrdlecy.exeefrdlecy.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD5110f40dbeb901f612cee1dc242fdb309
SHA10d668d172ef81b3f17c1f870513988629c697600
SHA2562776ac73ff5e792a5a804395643f25e611d6eb66037ffd261caacd95ae084b82
SHA512076fda5dfa04f3c443f91657f607ef768185b7753767eb70d557635d398a76f85c8b3c19c7d864f9c342ced1af18c9c98f6f4da4b7bb86dca104230fa71b6df1
-
Filesize
166KB
MD55ad5bbc4f36b4b929e6dc4767f678b61
SHA162ea0b683a614c1216089f7291216d593cb66162
SHA256510d15aad650d105aeea2ae3ee9a5725e88f2d544c30bb121c0d77e911c6b235
SHA51240d351d1bfcfc0f516bafabe16abdbed1fa9ad4fc9f8fb3ee36dcffece1da93e725aaa7a14cec1c04d8fc6b6eed9000cd5e14deeea7ebf244b19695128720775
-
Filesize
20KB
MD54f5e4cf993930d936a59df4d31acbc7b
SHA1cceaf2f8290951e8e94568a5205ff5ccaa42fdd9
SHA2567861492763a8c2279cb368ae74de04d6974c98c695454c5e1176f3740cd3edb0
SHA51256528bcdd133fb663b3860b3a518d421234e0d92162f6cfaf7405957339e36ae17ce2d31d0b67ff07a50c33952cd9c9f013d7058fa0c0446f5d82821d9d6084a
-
Filesize
512KB
MD5d48ab50937ed31e0f349f9cbdcd733f6
SHA1709123c4e684fef7e0e0824af64e3ac97e8f675d
SHA256a5f631d22697f1f18841c495067a14d7bd80e791fb3efea1dc5492eed7d20dab
SHA5120f91b871bb547e00cf4602d957af053cae65460409feaeae43beeee09bd559f6c0fd0447abce82ec5ae6db85238d08ac9f96a78159b27796076d2aac4a8667e0
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
384KB
MD50e151ec3919b72f9a6c7fe60d10f4ea0
SHA191fb01badc6db9808233ff95abf39c37982a8c85
SHA256f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA51241d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b
-
Filesize
320KB
MD540eccbf82b7b8fc916befc4f91646a41
SHA19b26728b4c732bfeb504f70ab523d90def972d37
SHA2561dc118e41bf637830be03d9bfe6d57960cf8dc9dbe9c8302a78e3406285bbaaa
SHA5124714d4a188098bfac7feb042ef4c6f0236e826c335c740df7f47d60f0e70d50c5eeaf73e1b94afb0408bd8c6b5ef6fa9d49577a6ac214ce115f4b6db0b341cdf
-
Filesize
512KB
MD565d61752ecdc1f463205659da1676dcc
SHA10c13bd2a32424d900654a48894ee8df1d321517e
SHA2569f60eacd12ce74a7cd8ae6ce442dbb3569509f7292c6d180bdfb7dabdd3e6eca
SHA51232f816520f1daf414e3cd2ab8fe198ad923e81586592e618834a8f8c4e8c9c5de256007c9280bf32590b18a165ea1876041a07c8f41185e7e59a98b436365df9
-
Filesize
85KB
MD527623bf17711551baa843bbab18a4b07
SHA12d6d50bab42c5defdd9bdf3f14fb826853558392
SHA2566a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368
SHA51253f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b
-
Filesize
91KB
MD545919c63699643c76616ebd5003d3c7f
SHA18b3a793ac7b62244d18fe49c548f6d0dd5f20b5a
SHA256f2cd726bd32c1aa89c38bc0b95fd8c47873ab1ef5bc8194fd04885fd76ac9e77
SHA51241bbabacc22a42afd857735de38345818a8caf8aa6d902181c22f30a696826adfe74ab2350ec0c124c4130b103aa4f6db290c57d13e4de9b3b5f4b1d7dfbc8bd
-
Filesize
512KB
MD59670aad22bc46978e58e36bf34df130e
SHA1a9c35137406fa364ad92658331717c2c9b86cb98
SHA256f905dd6b43752ba9da912d6b8a424b65c8e11594208735276f8165bdf6d10787
SHA5128bce46da9c852422b955b23edfd45e741ee7779aab3cc9a9b8c3e66e0bf191d950d849e8d1228694184191adb45543efbafdc7cd22cbdb51ee4869909580a7c1
-
Filesize
512KB
MD52223b58f09569f236db8c62484d6504d
SHA1857dba76a23f00bdde56550179d57c041d0599db
SHA2563dfe8fe1d7d8c6769050615f45fac6bc05b80e3b0fa09b15f973a7350315be9c
SHA5126f17a6d6f499b87413b858f4c1db807ebbe597da91b096d798b827cde2316f9931b97a0dfec3e45861b05078ee6e16f49dcde937594d260117d0399c4fe2b082