Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25/12/2023, 15:31
Static task
static1
Behavioral task
behavioral1
Sample
2985538024ccd7fbf883fc62e5f43d6a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2985538024ccd7fbf883fc62e5f43d6a.exe
Resource
win10v2004-20231215-en
General
Target: 2985538024ccd7fbf883fc62e5f43d6a.exe
Size: 512KB
MD5: 2985538024ccd7fbf883fc62e5f43d6a
SHA1: dedc59f763fa208e197a649348d5e8f452948be6
SHA256: 0f2111fb67cfd68f6993e7132253a9e6544402cc8cb7bf330f5144d7cdf4e9c7
SHA512: ae76771018e130a7275ffe7ebda9913a2ae2b86e899d44605648b4937c12bfbd844b1a29fc713a840396f7abdcb4ca757c54b7950acddb7e8e0af36553beee65
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bweijlyeua.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bweijlyeua.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bweijlyeua.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bweijlyeua.exe -
Executes dropped EXE 5 IoCs
pid Process 2664 bweijlyeua.exe 2824 yjmypyhoogwawqq.exe 2876 ipqkzhks.exe 2588 bqdlrlpqnlxee.exe 2580 ipqkzhks.exe -
Loads dropped DLL 5 IoCs
pid Process 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2664 bweijlyeua.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" bweijlyeua.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bqdlrlpqnlxee.exe" yjmypyhoogwawqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ekuuwahv = "bweijlyeua.exe" yjmypyhoogwawqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msqwxqiv = "yjmypyhoogwawqq.exe" yjmypyhoogwawqq.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bweijlyeua.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bweijlyeua.exe -
AutoIT Executable 17 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2164-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0008000000012281-5.dat autoit_exe behavioral1/files/0x000a000000012263-17.dat autoit_exe behavioral1/files/0x000a000000012263-20.dat autoit_exe behavioral1/files/0x000a000000012263-22.dat autoit_exe behavioral1/files/0x0008000000012281-23.dat autoit_exe behavioral1/files/0x002b000000015c1c-28.dat autoit_exe behavioral1/files/0x0008000000012281-26.dat autoit_exe behavioral1/files/0x002b000000015c1c-31.dat autoit_exe behavioral1/files/0x0007000000015c64-33.dat autoit_exe behavioral1/files/0x0007000000015c64-37.dat autoit_exe behavioral1/files/0x002b000000015c1c-39.dat autoit_exe behavioral1/files/0x0008000000012281-38.dat autoit_exe behavioral1/files/0x0007000000015c64-41.dat autoit_exe behavioral1/files/0x002b000000015c1c-43.dat autoit_exe behavioral1/files/0x002b000000015c1c-42.dat autoit_exe behavioral1/files/0x0006000000016d1d-76.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\bqdlrlpqnlxee.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bweijlyeua.exe File created C:\Windows\SysWOW64\bweijlyeua.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File opened for modification C:\Windows\SysWOW64\bweijlyeua.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File created C:\Windows\SysWOW64\yjmypyhoogwawqq.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File created C:\Windows\SysWOW64\bqdlrlpqnlxee.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File opened for modification C:\Windows\SysWOW64\yjmypyhoogwawqq.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File created C:\Windows\SysWOW64\ipqkzhks.exe 2985538024ccd7fbf883fc62e5f43d6a.exe File opened for modification C:\Windows\SysWOW64\ipqkzhks.exe 2985538024ccd7fbf883fc62e5f43d6a.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ipqkzhks.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ipqkzhks.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ipqkzhks.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ipqkzhks.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ipqkzhks.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ipqkzhks.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ipqkzhks.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 2985538024ccd7fbf883fc62e5f43d6a.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2112 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2664 bweijlyeua.exe 2664 bweijlyeua.exe 2664 bweijlyeua.exe 2824 yjmypyhoogwawqq.exe 2824 yjmypyhoogwawqq.exe 2824 yjmypyhoogwawqq.exe 2876 ipqkzhks.exe 2876 ipqkzhks.exe 2876 ipqkzhks.exe 2588 bqdlrlpqnlxee.exe 2588 bqdlrlpqnlxee.exe 2588 bqdlrlpqnlxee.exe 2580 ipqkzhks.exe 2580 ipqkzhks.exe 2580 ipqkzhks.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 2664 bweijlyeua.exe 2664 bweijlyeua.exe 2664 bweijlyeua.exe 2824 yjmypyhoogwawqq.exe 2824 yjmypyhoogwawqq.exe 2824 yjmypyhoogwawqq.exe 2876 ipqkzhks.exe 2876 ipqkzhks.exe 2876 ipqkzhks.exe 2588 bqdlrlpqnlxee.exe 2588 bqdlrlpqnlxee.exe 2588 bqdlrlpqnlxee.exe 2580 ipqkzhks.exe 2580 ipqkzhks.exe 2580 ipqkzhks.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2112 WINWORD.EXE 2112 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2664 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 28 PID 2164 wrote to memory of 2664 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 28 PID 2164 wrote to memory of 2664 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 28 PID 2164 wrote to memory of 2664 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 28 PID 2164 wrote to memory of 2824 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 29 PID 2164 wrote to memory of 2824 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 29 PID 2164 wrote to memory of 2824 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 29 PID 2164 wrote to memory of 2824 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 29 PID 2164 wrote to memory of 2876 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 30 PID 2164 wrote to memory of 2876 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 30 PID 2164 wrote to memory of 2876 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 30 PID 2164 wrote to memory of 2876 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 30 PID 2164 wrote to memory of 2588 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 31 PID 2164 wrote to memory of 2588 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 31 PID 2164 wrote to memory of 2588 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 31 PID 2164 wrote to memory of 2588 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 31 PID 2664 wrote to memory of 2580 2664 bweijlyeua.exe 32 PID 2664 wrote to memory of 2580 2664 bweijlyeua.exe 32 PID 2664 wrote to memory of 2580 2664 bweijlyeua.exe 32 PID 2664 wrote to memory of 2580 2664 bweijlyeua.exe 32 PID 2164 wrote to memory of 2112 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 33 PID 2164 wrote to memory of 2112 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 33 PID 2164 wrote to memory of 2112 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 33 PID 2164 wrote to memory of 2112 2164 2985538024ccd7fbf883fc62e5f43d6a.exe 33 PID 2112 wrote to memory of 1536 2112 WINWORD.EXE 39 PID 2112 wrote to memory of 1536 2112 WINWORD.EXE 39 PID 2112 wrote to memory of 1536 2112 WINWORD.EXE 39 PID 2112 wrote to 
memory of 1536 2112 WINWORD.EXE 39
Processes

C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe"
PID: 2164
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\bweijlyeua.exe
    Command line: bweijlyeua.exe
    PID: 2664
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipqkzhks.exe
        Command line: C:\Windows\system32\ipqkzhks.exe
        PID: 2580
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\yjmypyhoogwawqq.exe
    Command line: yjmypyhoogwawqq.exe
    PID: 2824
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ipqkzhks.exe
    Command line: ipqkzhks.exe
    PID: 2876
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\bqdlrlpqnlxee.exe
    Command line: bqdlrlpqnlxee.exe
    PID: 2588
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2112
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 1536

Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
    - Hidden Files and Directories (2)
- Impair Defenses (2)
    - Disable or Modify Tools (2)
- Modify Registry (7)

Downloads