Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/01/2024, 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: 469c9f35d47dcbbdf7135c893430fa33.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 469c9f35d47dcbbdf7135c893430fa33.exe
- Resource: win10v2004-20231215-en
General
- Target: 469c9f35d47dcbbdf7135c893430fa33.exe
- Size: 512KB
- MD5: 469c9f35d47dcbbdf7135c893430fa33
- SHA1: 04b660df1b63c0da69de9b0ff1d3cca546cd548a
- SHA256: f74e1f8bb9b8fd81cb1174c39233ca2f6c2726bd0c015e3fc3e87313a4a721bf
- SHA512: 96bbf0129bb4af6161b765f02e8d639bb6dcbc83a6996cac274174b003f504c618ae5c30bf04d5925eda1d9a015475fadeb6e1d1929e767b8612aacf5ea7aadb
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | veokwoutrz.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | veokwoutrz.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | veokwoutrz.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | veokwoutrz.exe
Executes dropped EXE 5 IoCs
pid | Process
2940 | veokwoutrz.exe
2148 | hegkknojjaobagy.exe
2700 | csaefuyf.exe
2760 | zhjmgojxregxm.exe
2564 | csaefuyf.exe
Loads dropped DLL 5 IoCs
pid | Process
2356 | 469c9f35d47dcbbdf7135c893430fa33.exe
2356 | 469c9f35d47dcbbdf7135c893430fa33.exe
2356 | 469c9f35d47dcbbdf7135c893430fa33.exe
2356 | 469c9f35d47dcbbdf7135c893430fa33.exe
2940 | veokwoutrz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | veokwoutrz.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dveelxbp = "hegkknojjaobagy.exe" | hegkknojjaobagy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zhjmgojxregxm.exe" | hegkknojjaobagy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheugfzp = "veokwoutrz.exe" | hegkknojjaobagy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | veokwoutrz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | veokwoutrz.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\csaefuyf.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File created | C:\Windows\SysWOW64\zhjmgojxregxm.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification | C:\Windows\SysWOW64\veokwoutrz.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File created | C:\Windows\SysWOW64\hegkknojjaobagy.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification | C:\Windows\SysWOW64\hegkknojjaobagy.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | veokwoutrz.exe
File created | C:\Windows\SysWOW64\veokwoutrz.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File created | C:\Windows\SysWOW64\csaefuyf.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification | C:\Windows\SysWOW64\zhjmgojxregxm.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
Drops file in Program Files directory 22 IoCs
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
268 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
268 | WINWORD.EXE
268 | WINWORD.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe" (tree depth 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\veokwoutrz.exe
Command line: veokwoutrz.exe (tree depth 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\csaefuyf.exeC:\Windows\system32\csaefuyf.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564
-
-
-
C:\Windows\SysWOW64\hegkknojjaobagy.exehegkknojjaobagy.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\cmd.execmd.exe /c zhjmgojxregxm.exe3⤵PID:2852
-
-
-
C:\Windows\SysWOW64\zhjmgojxregxm.exezhjmgojxregxm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760
-
-
C:\Windows\SysWOW64\csaefuyf.execsaefuyf.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1636
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7
Downloads