Analysis
-
max time kernel
140s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
25/12/2023, 20:03
Static task
static1
Behavioral task
behavioral1
Sample
3a030c486057917499b7ceb5b7c779b7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3a030c486057917499b7ceb5b7c779b7.exe
Resource
win10v2004-20231215-en
General
-
Target
3a030c486057917499b7ceb5b7c779b7.exe
-
Size
512KB
-
MD5
3a030c486057917499b7ceb5b7c779b7
-
SHA1
6c9f1049b204b6188bb045e2aab068aa025c31fd
-
SHA256
ba1f3a8af79b8d23dcff35ca835a8585291b3db1307c0a0f1a58a8866d83f2e0
-
SHA512
edb117caa41be4dab98ad2aa208ebd9d42852b3fb903d408dbba70f10f9f8d42c3bd109a1bcd7de999da8e248df5ccf5f146cddc8d0b62395bff18269cf70d8f
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" fkmearhkdy.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fkmearhkdy.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fkmearhkdy.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fkmearhkdy.exe
-
Executes dropped EXE 5 IoCs
pid Process
1996 fkmearhkdy.exe
1720 lrxawnlmacqetlq.exe
2740 twdkvxgz.exe
2688 nngfdjzhybrhn.exe
2816 twdkvxgz.exe
-
Loads dropped DLL 5 IoCs
pid Process
2180 3a030c486057917499b7ceb5b7c779b7.exe
2180 3a030c486057917499b7ceb5b7c779b7.exe
2180 3a030c486057917499b7ceb5b7c779b7.exe
2180 3a030c486057917499b7ceb5b7c779b7.exe
1996 fkmearhkdy.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" fkmearhkdy.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rycjlbxa = "fkmearhkdy.exe" lrxawnlmacqetlq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hccaroxq = "lrxawnlmacqetlq.exe" lrxawnlmacqetlq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nngfdjzhybrhn.exe" lrxawnlmacqetlq.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" fkmearhkdy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" fkmearhkdy.exe
-
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\nngfdjzhybrhn.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\fkmearhkdy.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\lrxawnlmacqetlq.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\lrxawnlmacqetlq.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\twdkvxgz.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\nngfdjzhybrhn.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\fkmearhkdy.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\twdkvxgz.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll fkmearhkdy.exe
-
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal twdkvxgz.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal twdkvxgz.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe twdkvxgz.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe twdkvxgz.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe twdkvxgz.exe
-
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2672 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2672 WINWORD.EXE
2672 WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a030c486057917499b7ceb5b7c779b7.exe "C:\Users\Admin\AppData\Local\Temp\3a030c486057917499b7ceb5b7c779b7.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\nngfdjzhybrhn.exe nngfdjzhybrhn.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 3⤵ PID:2196
-
-
-
C:\Windows\SysWOW64\twdkvxgz.exe twdkvxgz.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2740
-
-
C:\Windows\SysWOW64\lrxawnlmacqetlq.exelrxawnlmacqetlq.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1720
-
-
C:\Windows\SysWOW64\fkmearhkdy.exefkmearhkdy.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996
-
-
C:\Windows\SysWOW64\twdkvxgz.exeC:\Windows\system32\twdkvxgz.exe1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads