Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 11/01/2024, 03:19 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 5263ee44519d3d416ec840fd28e3757c.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5263ee44519d3d416ec840fd28e3757c.exe
- Resource: win10v2004-20231215-en
General
- Target: 5263ee44519d3d416ec840fd28e3757c.exe
- Size: 512KB
- MD5: 5263ee44519d3d416ec840fd28e3757c
- SHA1: b9f96e553e4e668d14d01d60ff67e4f647545906
- SHA256: 84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff
- SHA512: 8929f25b5a14b77f367fd52fcdce3ff915fa55b16777c2439c2452fd8d79fe33ef5a5183ca03954b7bc8d556298ecafb2634f546fcb2e4c19a1f50ac9413154b
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: ztdcyywuec.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: ztdcyywuec.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: ztdcyywuec.exe)
Modifies Installed Components in the registry 2 TTPs 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)
Executes dropped EXE 5 IoCs
- PID 2664: ztdcyywuec.exe
- PID 2788: vugbpulyscsnmbp.exe
- PID 2712: knkvosfu.exe
- PID 2084: pkviyyzhkzaaq.exe
- PID 1952: knkvosfu.exe
Loads dropped DLL 5 IoCs
- PID 2648: 5263ee44519d3d416ec840fd28e3757c.exe
- PID 2648: 5263ee44519d3d416ec840fd28e3757c.exe
- PID 2648: 5263ee44519d3d416ec840fd28e3757c.exe
- PID 2648: 5263ee44519d3d416ec840fd28e3757c.exe
- PID 2664: ztdcyywuec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: ztdcyywuec.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wymtdfxq = "ztdcyywuec.exe" (process: vugbpulyscsnmbp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yocmfobv = "vugbpulyscsnmbp.exe" (process: vugbpulyscsnmbp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pkviyyzhkzaaq.exe" (process: vugbpulyscsnmbp.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: ztdcyywuec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: ztdcyywuec.exe)
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
- File created: C:\Windows\SysWOW64\ztdcyywuec.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\vugbpulyscsnmbp.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File created: C:\Windows\SysWOW64\knkvosfu.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\ztdcyywuec.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File created: C:\Windows\SysWOW64\vugbpulyscsnmbp.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\knkvosfu.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File created: C:\Windows\SysWOW64\pkviyyzhkzaaq.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\pkviyyzhkzaaq.exe (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (process: ztdcyywuec.exe)
Drops file in Program Files directory 28 IoCs
- File opened for modification: C:\Program Files\DisconnectStart.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\DisconnectStart.nal (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files\SplitUnprotect.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\SplitUnprotect.nal (process: knkvosfu.exe)
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files\DisconnectStart.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\SplitUnprotect.doc.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files\SplitUnprotect.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\SplitUnprotect.nal (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: knkvosfu.exe)
- File created: \??\c:\Program Files\SplitUnprotect.doc.exe (process: knkvosfu.exe)
- File created: \??\c:\Program Files\DisconnectStart.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\SplitUnprotect.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\DisconnectStart.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files\DisconnectStart.doc.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: knkvosfu.exe)
- File opened for modification: C:\Program Files\DisconnectStart.nal (process: knkvosfu.exe)
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: knkvosfu.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: knkvosfu.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\mydoc.rtf (process: 5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2580: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
Suspicious use of FindShellTrayWindow 47 IoCs
Suspicious use of SendNotifyMessage 34 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2580: WINWORD.EXE
- PID 2580: WINWORD.EXE
Suspicious use of WriteProcessMemory 24 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe"
Process tree depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2648
C:\Windows\SysWOW64\ztdcyywuec.exe
Command line: ztdcyywuec.exe
Process tree depth: 2
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
C:\Windows\SysWOW64\knkvosfu.exe
Command line: C:\Windows\system32\knkvosfu.exe
Process tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1952
C:\Windows\SysWOW64\vugbpulyscsnmbp.exe
Command line: vugbpulyscsnmbp.exe
Process tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788
C:\Windows\SysWOW64\pkviyyzhkzaaq.exe
Command line: pkviyyzhkzaaq.exe
Process tree depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084
C:\Windows\SysWOW64\knkvosfu.exe
Command line: knkvosfu.exe
Process tree depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
Process tree depth: 2
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2580
C:\Windows\explorer.exe
Command line: explorer.exe
Process tree depth: 1
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2472
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (8)
Downloads