Analysis
-
max time kernel
251s -
max time network
277s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
26-12-2023 03:42
Static task
static1
Behavioral task
behavioral1
Sample
514d4ec35b688cd54467278e5c5d41a2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
514d4ec35b688cd54467278e5c5d41a2.exe
Resource
win10v2004-20231215-en
General
-
Target
514d4ec35b688cd54467278e5c5d41a2.exe
-
Size
512KB
-
MD5
514d4ec35b688cd54467278e5c5d41a2
-
SHA1
2a116bc638fd3367872f8dac3760cba5b581d7e4
-
SHA256
c438c375ddbd6a62753a5cdd333f225626dc5ce3fb39e0f96a72ae7d09dc130f
-
SHA512
3ff4f28b4cac41efd744d188ca8f72f54aa5ef05de1f6807d2cca5597dbd4eed522cca077cfde117ad90b5301ea319bdc4bd42785aa724891c6c74e5c0d605a7
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" thwepacoym.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" thwepacoym.exe -
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" thwepacoym.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" thwepacoym.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
pid Process
2144 thwepacoym.exe
1272 yvjxpbtqotsrtvb.exe
2188 tddbmjmp.exe
1164 qcyicbvsadafm.exe
1244 tddbmjmp.exe
Loads dropped DLL 5 IoCs
pid Process 2876 514d4ec35b688cd54467278e5c5d41a2.exe 2876 514d4ec35b688cd54467278e5c5d41a2.exe 2876 514d4ec35b688cd54467278e5c5d41a2.exe 2876 514d4ec35b688cd54467278e5c5d41a2.exe 2144 thwepacoym.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" thwepacoym.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mpcgnfox = "thwepacoym.exe" yvjxpbtqotsrtvb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oiinokzz = "yvjxpbtqotsrtvb.exe" yvjxpbtqotsrtvb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qcyicbvsadafm.exe" yvjxpbtqotsrtvb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" thwepacoym.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" thwepacoym.exe
AutoIT Executable 17 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File created C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll thwepacoym.exe
File created C:\Windows\SysWOW64\qcyicbvsadafm.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\SysWOW64\qcyicbvsadafm.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File created C:\Windows\SysWOW64\thwepacoym.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\SysWOW64\thwepacoym.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File created C:\Windows\SysWOW64\tddbmjmp.exe 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\SysWOW64\tddbmjmp.exe 514d4ec35b688cd54467278e5c5d41a2.exe
Drops file in Program Files directory 21 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 514d4ec35b688cd54467278e5c5d41a2.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 240 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 20 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 44 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 240 WINWORD.EXE 240 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\514d4ec35b688cd54467278e5c5d41a2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\514d4ec35b688cd54467278e5c5d41a2.exe" (process tree level 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
C:\Windows\SysWOW64\thwepacoym.exe
Command line: thwepacoym.exe (process tree level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144
C:\Windows\SysWOW64\tddbmjmp.exe
Command line: C:\Windows\system32\tddbmjmp.exe (process tree level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244
C:\Windows\SysWOW64\qcyicbvsadafm.exe
Command line: qcyicbvsadafm.exe (process tree level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1164
C:\Windows\SysWOW64\tddbmjmp.exe
Command line: tddbmjmp.exe (process tree level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2188
C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe
Command line: yvjxpbtqotsrtvb.exe (process tree level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (process tree level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288 (process tree level 3)
PID:2800
C:\Windows\explorer.exe
Command line: explorer.exe (process tree level 1)
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064
C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x518 (process tree level 1)
- Suspicious use of AdjustPrivilegeToken
PID:2300
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (8)
Downloads