Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
05/01/2024, 12:33
Static task
static1
Behavioral task
behavioral1
Sample
43b1e4d14fbf528e5d467fab8c087b29.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
43b1e4d14fbf528e5d467fab8c087b29.exe
Resource
win10v2004-20231215-en
General
-
Target
43b1e4d14fbf528e5d467fab8c087b29.exe
-
Size
512KB
-
MD5
43b1e4d14fbf528e5d467fab8c087b29
-
SHA1
1cb1894a9bdac78f3016e3fcfb587836a7335053
-
SHA256
a82b27816e216a1989d545384074bf2e6cdbaf8a5d13268c697ef4134715242b
-
SHA512
d15cc6df8ce240e874d7f7ff6afba0217746c5b2394f419b723f6ff67b982f1d387714f99540e0dbb96958eac5a18dd2260dc0a8a4ef14d9ef83f922a1303863
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jctencthpr.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jctencthpr.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jctencthpr.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jctencthpr.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2380 | jctencthpr.exe
2800 | qmygkhyvbsmlcuz.exe
3012 | dlwqpbqr.exe
2764 | kcmhmowznqyem.exe
2828 | dlwqpbqr.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe
2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe
2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe
2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe
2380 | jctencthpr.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jctencthpr.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\phfrbsdd = "jctencthpr.exe" | qmygkhyvbsmlcuz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xftbahqv = "qmygkhyvbsmlcuz.exe" | qmygkhyvbsmlcuz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kcmhmowznqyem.exe" | qmygkhyvbsmlcuz.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jctencthpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jctencthpr.exe
-
AutoIT Executable 20 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\kcmhmowznqyem.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\SysWOW64\kcmhmowznqyem.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File created | C:\Windows\SysWOW64\jctencthpr.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\SysWOW64\jctencthpr.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\SysWOW64\dlwqpbqr.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jctencthpr.exe
File created | C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
File created | C:\Windows\SysWOW64\dlwqpbqr.exe | 43b1e4d14fbf528e5d467fab8c087b29.exe
-
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | dlwqpbqr.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | dlwqpbqr.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | dlwqpbqr.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | dlwqpbqr.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | dlwqpbqr.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 43b1e4d14fbf528e5d467fab8c087b29.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2600 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2600 | WINWORD.EXE
2600 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2232 wrote to memory of 2380 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 28
PID 2232 wrote to memory of 2380 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 28
PID 2232 wrote to memory of 2380 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 28
PID 2232 wrote to memory of 2380 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 28
PID 2232 wrote to memory of 2800 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 29
PID 2232 wrote to memory of 2800 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 29
PID 2232 wrote to memory of 2800 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 29
PID 2232 wrote to memory of 2800 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 29
PID 2232 wrote to memory of 3012 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 33
PID 2232 wrote to memory of 3012 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 33
PID 2232 wrote to memory of 3012 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 33
PID 2232 wrote to memory of 3012 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 33
PID 2232 wrote to memory of 2764 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 30
PID 2232 wrote to memory of 2764 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 30
PID 2232 wrote to memory of 2764 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 30
PID 2232 wrote to memory of 2764 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 30
PID 2380 wrote to memory of 2828 | 2380 | jctencthpr.exe | 32
PID 2380 wrote to memory of 2828 | 2380 | jctencthpr.exe | 32
PID 2380 wrote to memory of 2828 | 2380 | jctencthpr.exe | 32
PID 2380 wrote to memory of 2828 | 2380 | jctencthpr.exe | 32
PID 2232 wrote to memory of 2600 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 31
PID 2232 wrote to memory of 2600 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 31
PID 2232 wrote to memory of 2600 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 31
PID 2232 wrote to memory of 2600 | 2232 | 43b1e4d14fbf528e5d467fab8c087b29.exe | 31
PID 2600 wrote to memory of 2576 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2576 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2576 | 2600 | WINWORD.EXE | 36
PID 2600 wrote to memory of 2576 | 2600 | WINWORD.EXE | 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\43b1e4d14fbf528e5d467fab8c087b29.exe "C:\Users\Admin\AppData\Local\Temp\43b1e4d14fbf528e5d467fab8c087b29.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\jctencthpr.exe jctencthpr.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\dlwqpbqr.exe C:\Windows\system32\dlwqpbqr.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828
-
-
-
C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exeqmygkhyvbsmlcuz.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2800
-
-
C:\Windows\SysWOW64\kcmhmowznqyem.exekcmhmowznqyem.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2764
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2576
-
-
-
C:\Windows\SysWOW64\dlwqpbqr.exedlwqpbqr.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads