Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 14:08
Static task: static1
Behavioral task: behavioral1
Sample: 7790847622da02038ed1c4d0c7c8f607.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 7790847622da02038ed1c4d0c7c8f607.exe
Resource: win10v2004-20231215-en
General
Target: 7790847622da02038ed1c4d0c7c8f607.exe
Size: 512KB
MD5: 7790847622da02038ed1c4d0c7c8f607
SHA1: 41e7d135f841e4746e07134225375233eb232b15
SHA256: 41c594abb2ef12b08222e3ce8ea23c094c0e81087f2d6410ad7a231db9f69a89
SHA512: 428131a559e51e640e5ca9763e8a2d4471be674274598dad5f09d63357c3795fbb2fcf8c85f28da5942c010952b87b9fda79aa5f7258a38920bb1132b6873092
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jcjcnneudn.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jcjcnneudn.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jcjcnneudn.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jcjcnneudn.exe
Executes dropped EXE 5 IoCs
pid | Process
2112 | jcjcnneudn.exe
2416 | cssslrzzpcjfcpi.exe
2680 | rqpzfury.exe
2620 | qclhzybatyspn.exe
2728 | rqpzfury.exe
Loads dropped DLL 5 IoCs
pid | Process
2548 | 7790847622da02038ed1c4d0c7c8f607.exe
2548 | 7790847622da02038ed1c4d0c7c8f607.exe
2548 | 7790847622da02038ed1c4d0c7c8f607.exe
2548 | 7790847622da02038ed1c4d0c7c8f607.exe
2112 | jcjcnneudn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jcjcnneudn.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\duwsdscj = "jcjcnneudn.exe" | cssslrzzpcjfcpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcbylksp = "cssslrzzpcjfcpi.exe" | cssslrzzpcjfcpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qclhzybatyspn.exe" | cssslrzzpcjfcpi.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jcjcnneudn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jcjcnneudn.exe
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\qclhzybatyspn.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File opened for modification | C:\Windows\SysWOW64\jcjcnneudn.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File created | C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File opened for modification | C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File created | C:\Windows\SysWOW64\rqpzfury.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File opened for modification | C:\Windows\SysWOW64\rqpzfury.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File created | C:\Windows\SysWOW64\qclhzybatyspn.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File created | C:\Windows\SysWOW64\jcjcnneudn.exe | 7790847622da02038ed1c4d0c7c8f607.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jcjcnneudn.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | rqpzfury.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | rqpzfury.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | rqpzfury.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | rqpzfury.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | rqpzfury.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | rqpzfury.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | rqpzfury.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 7790847622da02038ed1c4d0c7c8f607.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2688 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2688 | WINWORD.EXE
2688 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2548 wrote to memory of 2112 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 27
PID 2548 wrote to memory of 2112 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 27
PID 2548 wrote to memory of 2112 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 27
PID 2548 wrote to memory of 2112 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 27
PID 2548 wrote to memory of 2416 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 25
PID 2548 wrote to memory of 2416 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 25
PID 2548 wrote to memory of 2416 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 25
PID 2548 wrote to memory of 2416 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 25
PID 2548 wrote to memory of 2680 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 24
PID 2548 wrote to memory of 2680 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 24
PID 2548 wrote to memory of 2680 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 24
PID 2548 wrote to memory of 2680 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 24
PID 2548 wrote to memory of 2620 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 21
PID 2548 wrote to memory of 2620 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 21
PID 2548 wrote to memory of 2620 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 21
PID 2548 wrote to memory of 2620 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 21
PID 2112 wrote to memory of 2728 | 2112 | jcjcnneudn.exe | 22
PID 2112 wrote to memory of 2728 | 2112 | jcjcnneudn.exe | 22
PID 2112 wrote to memory of 2728 | 2112 | jcjcnneudn.exe | 22
PID 2112 wrote to memory of 2728 | 2112 | jcjcnneudn.exe | 22
PID 2548 wrote to memory of 2688 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 23
PID 2548 wrote to memory of 2688 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 23
PID 2548 wrote to memory of 2688 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 23
PID 2548 wrote to memory of 2688 | 2548 | 7790847622da02038ed1c4d0c7c8f607.exe | 23
PID 2688 wrote to memory of 2848 | 2688 | WINWORD.EXE | 36
PID 2688 wrote to memory of 2848 | 2688 | WINWORD.EXE | 36
PID 2688 wrote to memory of 2848 | 2688 | WINWORD.EXE | 36
PID 2688 wrote to memory of 2848 | 2688 | WINWORD.EXE | 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe"C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\qclhzybatyspn.exeqclhzybatyspn.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2848
-
-
-
C:\Windows\SysWOW64\rqpzfury.exerqpzfury.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680
-
-
C:\Windows\SysWOW64\cssslrzzpcjfcpi.execssslrzzpcjfcpi.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2416
-
-
C:\Windows\SysWOW64\jcjcnneudn.exejcjcnneudn.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112
C:\Windows\SysWOW64\rqpzfury.exe (command line: C:\Windows\system32\rqpzfury.exe) 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
- Hidden Files and Directories: 2
- Impair Defenses: 2
- Disable or Modify Tools: 2
- Modify Registry: 7
Downloads