Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28/01/2024, 12:10
Static task
static1
Behavioral task
behavioral1
Sample
7d172f1d232d758347932641bbbf7dcf.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
7d172f1d232d758347932641bbbf7dcf.exe
Resource
win10v2004-20231215-en
General
-
Target
7d172f1d232d758347932641bbbf7dcf.exe
-
Size
512KB
-
MD5
7d172f1d232d758347932641bbbf7dcf
-
SHA1
2256a32fd4209fc94e66b7a94c120eea6a054a3a
-
SHA256
3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05
-
SHA512
c963c99b8914efa0020791e0ea32f4ffa714b05a92449269070a017c5d9b6b91205fca6dc051a6323c01e7c4a1780ff8523006d884888bd15c46a53e14095e40
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" jymukgwzza.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jymukgwzza.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" jymukgwzza.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jymukgwzza.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
pid Process 1716 jymukgwzza.exe 3036 clvnvdoagrwzkdw.exe 2556 ymwyhewq.exe 2672 emwubcrcavrmo.exe 2640 ymwyhewq.exe -
Loads dropped DLL 5 IoCs
pid Process 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 1716 jymukgwzza.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" jymukgwzza.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\labsqnjm = "clvnvdoagrwzkdw.exe" clvnvdoagrwzkdw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "emwubcrcavrmo.exe" clvnvdoagrwzkdw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wfwzxzof = "jymukgwzza.exe" clvnvdoagrwzkdw.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\x: ymwyhewq.exe File opened (read-only) \??\y: ymwyhewq.exe File opened (read-only) \??\q: ymwyhewq.exe File opened (read-only) \??\a: ymwyhewq.exe File opened (read-only) \??\u: ymwyhewq.exe File opened (read-only) \??\i: ymwyhewq.exe File opened (read-only) \??\h: ymwyhewq.exe File opened (read-only) \??\i: ymwyhewq.exe File opened (read-only) \??\n: ymwyhewq.exe File opened (read-only) \??\m: jymukgwzza.exe File opened (read-only) \??\q: jymukgwzza.exe File opened (read-only) \??\r: jymukgwzza.exe File opened (read-only) \??\u: jymukgwzza.exe File opened (read-only) \??\s: ymwyhewq.exe File opened (read-only) \??\a: ymwyhewq.exe File opened (read-only) \??\t: ymwyhewq.exe File opened (read-only) \??\l: jymukgwzza.exe File opened (read-only) \??\w: ymwyhewq.exe File opened (read-only) \??\m: ymwyhewq.exe File opened (read-only) \??\s: jymukgwzza.exe File opened (read-only) \??\p: ymwyhewq.exe File opened (read-only) \??\y: ymwyhewq.exe File opened (read-only) \??\k: jymukgwzza.exe File opened (read-only) \??\g: ymwyhewq.exe File opened (read-only) \??\v: ymwyhewq.exe File opened (read-only) \??\u: ymwyhewq.exe File opened (read-only) \??\w: ymwyhewq.exe File opened (read-only) \??\o: ymwyhewq.exe File opened (read-only) \??\v: ymwyhewq.exe File opened (read-only) \??\z: ymwyhewq.exe File opened (read-only) \??\x: jymukgwzza.exe File opened (read-only) \??\z: ymwyhewq.exe File opened (read-only) \??\e: ymwyhewq.exe File opened (read-only) \??\n: ymwyhewq.exe File opened (read-only) \??\o: ymwyhewq.exe File opened (read-only) \??\b: ymwyhewq.exe File opened (read-only) \??\e: ymwyhewq.exe File opened (read-only) \??\r: ymwyhewq.exe File opened (read-only) \??\p: ymwyhewq.exe File opened (read-only) \??\v: jymukgwzza.exe File opened (read-only) \??\y: jymukgwzza.exe File opened (read-only) \??\g: ymwyhewq.exe File opened (read-only) \??\a: jymukgwzza.exe File opened (read-only) \??\l: ymwyhewq.exe File opened (read-only) \??\o: jymukgwzza.exe File opened (read-only) \??\t: jymukgwzza.exe File opened (read-only) \??\m: ymwyhewq.exe File opened (read-only) \??\s: ymwyhewq.exe File opened (read-only) \??\x: ymwyhewq.exe File opened (read-only) \??\e: jymukgwzza.exe File opened (read-only) \??\h: jymukgwzza.exe File opened (read-only) \??\p: jymukgwzza.exe File opened (read-only) \??\z: jymukgwzza.exe File opened (read-only) \??\q: ymwyhewq.exe File opened (read-only) \??\j: ymwyhewq.exe File opened (read-only) \??\k: ymwyhewq.exe File opened (read-only) \??\r: ymwyhewq.exe File opened (read-only) \??\t: ymwyhewq.exe File opened (read-only) \??\i: jymukgwzza.exe File opened (read-only) \??\j: jymukgwzza.exe File opened (read-only) \??\n: jymukgwzza.exe File opened (read-only) \??\k: ymwyhewq.exe File opened (read-only) \??\h: ymwyhewq.exe File opened (read-only) \??\b: jymukgwzza.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" jymukgwzza.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" jymukgwzza.exe -
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000b000000015c52-5.dat autoit_exe behavioral1/files/0x0009000000015c33-17.dat autoit_exe behavioral1/files/0x0009000000015cfa-26.dat autoit_exe behavioral1/files/0x000b000000015c52-25.dat autoit_exe behavioral1/files/0x0009000000015cfa-29.dat autoit_exe behavioral1/files/0x0007000000015d2b-32.dat autoit_exe behavioral1/files/0x0009000000015c33-37.dat autoit_exe behavioral1/files/0x0007000000015d2b-36.dat autoit_exe behavioral1/files/0x000b000000015c52-39.dat autoit_exe behavioral1/files/0x0007000000015d2b-41.dat autoit_exe behavioral1/files/0x0009000000015cfa-42.dat autoit_exe behavioral1/files/0x0009000000015cfa-43.dat autoit_exe behavioral1/files/0x0006000000016bdb-72.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\jymukgwzza.exe 7d172f1d232d758347932641bbbf7dcf.exe File opened for modification C:\Windows\SysWOW64\jymukgwzza.exe 7d172f1d232d758347932641bbbf7dcf.exe File created C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe 7d172f1d232d758347932641bbbf7dcf.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll jymukgwzza.exe File opened for modification C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe 7d172f1d232d758347932641bbbf7dcf.exe File created C:\Windows\SysWOW64\ymwyhewq.exe 7d172f1d232d758347932641bbbf7dcf.exe File opened for modification C:\Windows\SysWOW64\ymwyhewq.exe 7d172f1d232d758347932641bbbf7dcf.exe File created C:\Windows\SysWOW64\emwubcrcavrmo.exe 7d172f1d232d758347932641bbbf7dcf.exe File opened for modification C:\Windows\SysWOW64\emwubcrcavrmo.exe 7d172f1d232d758347932641bbbf7dcf.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ymwyhewq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ymwyhewq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ymwyhewq.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ymwyhewq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ymwyhewq.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ymwyhewq.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ymwyhewq.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ymwyhewq.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 7d172f1d232d758347932641bbbf7dcf.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60915E0DBC3B9BC7C93ED9434BD" 7d172f1d232d758347932641bbbf7dcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" jymukgwzza.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF8A4F27826D9141D75D7E97BDEEE133584166456333D79B" 7d172f1d232d758347932641bbbf7dcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D089C2482236A3776D777212DAD7C8464D8" 7d172f1d232d758347932641bbbf7dcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB3FF1A22A9D178D1A48A0F9117" 7d172f1d232d758347932641bbbf7dcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat jymukgwzza.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B15C449038EB53BDBAD73392D4BC" 7d172f1d232d758347932641bbbf7dcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2496 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2640 ymwyhewq.exe 2640 ymwyhewq.exe 2640 ymwyhewq.exe 2640 ymwyhewq.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 3036 clvnvdoagrwzkdw.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2640 ymwyhewq.exe 2640 ymwyhewq.exe 2640 ymwyhewq.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 2372 7d172f1d232d758347932641bbbf7dcf.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 1716 jymukgwzza.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 2556 ymwyhewq.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 3036 clvnvdoagrwzkdw.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 2672 emwubcrcavrmo.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2496 WINWORD.EXE 2496 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1716 2372 7d172f1d232d758347932641bbbf7dcf.exe 28 PID 2372 wrote to memory of 1716 2372 7d172f1d232d758347932641bbbf7dcf.exe 28 PID 2372 wrote to memory of 1716 2372 7d172f1d232d758347932641bbbf7dcf.exe 28 PID 2372 wrote to memory of 1716 2372 7d172f1d232d758347932641bbbf7dcf.exe 28 PID 2372 wrote to memory of 3036 2372 7d172f1d232d758347932641bbbf7dcf.exe 29 PID 2372 wrote to memory of 3036 2372 7d172f1d232d758347932641bbbf7dcf.exe 29 PID 2372 wrote to memory of 3036 2372 7d172f1d232d758347932641bbbf7dcf.exe 29 PID 2372 wrote to memory of 3036 2372 7d172f1d232d758347932641bbbf7dcf.exe 29 PID 2372 wrote to memory of 2556 2372 7d172f1d232d758347932641bbbf7dcf.exe 30 PID 2372 wrote to memory of 2556 2372 7d172f1d232d758347932641bbbf7dcf.exe 30 PID 2372 wrote to memory of 2556 2372 7d172f1d232d758347932641bbbf7dcf.exe 30 PID 2372 wrote to memory of 2556 2372 7d172f1d232d758347932641bbbf7dcf.exe 30 PID 2372 wrote to memory of 2672 2372 7d172f1d232d758347932641bbbf7dcf.exe 31 PID 2372 wrote to memory of 2672 2372 7d172f1d232d758347932641bbbf7dcf.exe 31 PID 2372 wrote to memory of 2672 2372 7d172f1d232d758347932641bbbf7dcf.exe 31 PID 2372 wrote to memory of 2672 2372 7d172f1d232d758347932641bbbf7dcf.exe 31 PID 1716 wrote to memory of 2640 1716 jymukgwzza.exe 32 PID 1716 wrote to memory of 2640 1716 jymukgwzza.exe 32 PID 1716 wrote to memory of 2640 1716 jymukgwzza.exe 32 PID 1716 wrote to memory of 2640 1716 jymukgwzza.exe 32 PID 2372 wrote to memory of 2496 2372 7d172f1d232d758347932641bbbf7dcf.exe 33 PID 2372 wrote to memory of 2496 2372 7d172f1d232d758347932641bbbf7dcf.exe 33 PID 2372 wrote to memory of 2496 2372 7d172f1d232d758347932641bbbf7dcf.exe 33 PID 2372 wrote to memory of 2496 2372 7d172f1d232d758347932641bbbf7dcf.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe"C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\jymukgwzza.exejymukgwzza.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\ymwyhewq.exeC:\Windows\system32\ymwyhewq.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2640
-
-
-
C:\Windows\SysWOW64\clvnvdoagrwzkdw.execlvnvdoagrwzkdw.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3036
-
-
C:\Windows\SysWOW64\ymwyhewq.exeymwyhewq.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2556
-
-
C:\Windows\SysWOW64\emwubcrcavrmo.exeemwubcrcavrmo.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5e449f7cae5d90c20ac41ec7a1cf79799
SHA14f4339f9f436c96db37316ab0740a83ce4760ec9
SHA256fbb1371b44a911541fdc54b14885c213f7a3ffdf6298476beacfa9d3473b71b0
SHA5126822c90f337032354e1244d19e9a77d941fa708ad40bf0834f61ece5b55674df30a2a08a962d283ea707d0d348591b5e0664a17c19c8ab1a0d5831fa84cff0ec
-
Filesize
307KB
MD56c78ce2bc1f28e8e292231ee743b5923
SHA147149b239b982ca4d85bca9189df9040bcc9977d
SHA2561da4bb2717bb1177f8e0970fb0a4e1ac4ee345601c0d3d23032e03246b48aede
SHA512d96ee59d56b56ff48104f0cef5dd922ac51e3f809bbbd74b4b9c173745c3c094e0efbdb4850695517706e9d1fd8056341f09ce1736f3cf7a34960948275b7ab0
-
Filesize
389KB
MD5dbda106623e21f60ea6da27a054a6a13
SHA19320f67a599835dd84862201dc72fed1ac779611
SHA256ee491d24b01e6b0d6f62b7c819ad66a106c636ade3d71b4188fd2a107085c2b8
SHA512fc174f762f4d28bc6a3262ce0d9b9a190f5092ed9aefe1c4bde33c2d1fbf3f97013072e97dea07b80b540ccfa8232eb2c459e25af70b41bfd802072fb731e169
-
Filesize
512KB
MD5b31feeaf62054e79eeae34112fd5a5aa
SHA1d5228057e00319648ac1a106103a43a137421cc6
SHA256b13cdc33727b7a6265cf818e434fbb9877946acf6af94b5e653c6722b9b493f3
SHA5126e31e4580d5fd07e842e5a901095eeb2f0c01633f0ba88bb5aee7f800866bb26ed98fcab90d8e7666076e5295112a1f5b3ec0b3eab84d7649a1890a55f6b9976
-
Filesize
512KB
MD50c6a40a215f2c92f196edc0d4346715a
SHA1ec38d10c894dd46be5f9dfbb8b1a753a2619f0a2
SHA25697b7ea70a501a0f3d5eca913d5774925382f409ad42eb59106ea97672c0435fb
SHA5122a7bebe5e4889af1525de0a3dd6a294ad8e8e1408e1b2a4cfec09da5522fe696822fef340d4b696750ce83229990fd4ec1f08b2b962eb7cf8c64cb7fa7e8eb3a
-
Filesize
496KB
MD518b14c2e0aac4dd3f27b8a63e63c4eb4
SHA12625d70fc241869261405de95a5bdbd89071d2fd
SHA256e66aeedaa79a3271df1f21318308e18f806daa0656e5fcf1f94ee64e34360588
SHA512cfe6a273d7b2b1f22256be62d2c07fff79ce319a404498b04b176cbca0200b3b87f9a229571f764eaefc73193b8b3ed0da8893e13550a0f4bfaf220494456305
-
Filesize
423KB
MD5522fc5c938ebfc25a35f671e9201e682
SHA1f9e48c74481ded815b4ce03ee6969dc11c52647a
SHA256a3b187b33e7de7a71e8c2e8d67fd243b643915e917755c055a1c5cd41dcc274c
SHA5124a3fc433ba7b383e23cfbb6011f146072ea6b8c3a2b992fd35da07625dd6720f814998590cd882e55c3510cdc6ff0ba8c0b662cf437a3ba6bcc6487c3f128e5e
-
Filesize
494KB
MD57b1525b3472e00d432603fdf78f96f86
SHA12136d76b14d442a1c4a11b6eea826dcf62cc6d08
SHA256b62db2be6a1fb49632d6110ef70f37611ec2ea746dadb7b626e27e76f37dc935
SHA512786f8c53cad2d3ec7e0ea40aadce3ca463015a8dcf22b61837e8f4a5a11b1e0cf581811b09bc77a3809cf21d7e402ac860edbd360fbeaa8f49ec3daf4924c621
-
Filesize
350KB
MD58b3695b3287401eadd4542be6b5c383e
SHA10410a65d96fe5ca1bbbe204b1144fb368ff9ca50
SHA2562053afe1aa436ee71502c93b6a1864d71c928687b478219f776221788edc2698
SHA51240aca8406669b5b23e657fcc6a3cf8dd3400d93a63e969c20a2d12981ea70a7e4a0041e364198a422184bd0574006642edb47d7bbce5981682106cadf8584e46
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
220KB
MD597067760cfb027e11cf178153156b9ee
SHA1bbb15ab92f2d261ab72a3d7c133daa272d6fad9c
SHA2569f02f1661935d574ccc146ba3903eeb50d6d3c9944d226d287565ff28447af9e
SHA512ee6b91a6b05e79089a7b777ac2073a5c5ed4aaa7781cf06acf4dae7789123439ece138c90ebbe199967ce06a78bb17d586abdea75301076510af60b42b8cc0fe
-
Filesize
512KB
MD5be5b07a8017248b0fa0475f4e5eb14b9
SHA12c597657a42494a1262ed052128e7aafffe7c5ca
SHA256ed60b32f80a6e0d809823872e6eb51cde2273861b32357af36687f502922831c
SHA512af5c30a7eda259473f1ca72e5995234537e62aefad5520edd606c6db6f78ba4464b9129a10c2bc1a7288eb7c4b35685f0f130673136be951051ccb63fe5f8840
-
Filesize
512KB
MD50ed4ff3270b14c144b6a9af098b30e3d
SHA1d1aec4850ea72466e6f6006dfcd25ff3a0c46412
SHA256bfe89a5648dba7466ea02c199a140c8c29ee875cb36f37a75d81ef9f90d889cd
SHA5126cbac759249b0e9054fdc1974356cc2b9429032c002b934f0135f01d3abcff39ee8ae4fdbc98f880e0abb30c852d067dc8ee1b45665a8f36ef988b1585449c3a
-
Filesize
334KB
MD5bfdef0bc4988f2d6a89bad4e51a6e5cd
SHA1a405defa990a25591a377ae723fe2f47483e12cb
SHA2565820cf35b1d2c05edd7f3f53630c640c4f8752c7a9dc9640c2a5dd54a00bd4f4
SHA512a3d6669b5de2c52a96907f7745e292236c4709311b5e85f4cfe9c4e7872e7a5d785df357061a492097d5a00f57b8846ce3c26efc2848390c70b553faacdd3fa9