Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 03/02/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
8d7790b62884b7833d558c4fa2dfb11b.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
8d7790b62884b7833d558c4fa2dfb11b.exe
Resource
win10v2004-20231215-en
General
Target: 8d7790b62884b7833d558c4fa2dfb11b.exe
Size: 512KB
MD5: 8d7790b62884b7833d558c4fa2dfb11b
SHA1: 38799b1de2f350d45a83fe153fffa33f3f322733
SHA256: ed389d561ce8e29e7416fa3005e3bb1b27b9984389564563bb77fcaca8fcbb04
SHA512: e8bf0c6bd48aac54830c7909af01951fb2fd8e5ab8047a4d018d3e119723241de42f028b8936e8551db5ad1093850b5ad971f3115637b9920e1824998537c027
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | skwucyxncn.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | skwucyxncn.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skwucyxncn.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | skwucyxncn.exe
Executes dropped EXE 5 IoCs
pid | Process
2280 | skwucyxncn.exe
2136 | ivarjrchajticuw.exe
2672 | yvmefpvt.exe
2948 | tzwhacaxpuyzy.exe
1640 | yvmefpvt.exe
Loads dropped DLL 5 IoCs
pid | Process
1704 | 8d7790b62884b7833d558c4fa2dfb11b.exe
1704 | 8d7790b62884b7833d558c4fa2dfb11b.exe
1704 | 8d7790b62884b7833d558c4fa2dfb11b.exe
1704 | 8d7790b62884b7833d558c4fa2dfb11b.exe
2280 | skwucyxncn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skwucyxncn.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xbfyuytb = "skwucyxncn.exe" | ivarjrchajticuw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jhniuaic = "ivarjrchajticuw.exe" | ivarjrchajticuw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tzwhacaxpuyzy.exe" | ivarjrchajticuw.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | skwucyxncn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | skwucyxncn.exe
AutoIT Executable 21 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\yvmefpvt.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File created | C:\Windows\SysWOW64\tzwhacaxpuyzy.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\SysWOW64\tzwhacaxpuyzy.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File created | C:\Windows\SysWOW64\skwucyxncn.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\SysWOW64\skwucyxncn.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\SysWOW64\ivarjrchajticuw.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File created | C:\Windows\SysWOW64\ivarjrchajticuw.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\SysWOW64\yvmefpvt.exe | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | skwucyxncn.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | yvmefpvt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | yvmefpvt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | yvmefpvt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | yvmefpvt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | yvmefpvt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | yvmefpvt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | yvmefpvt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | yvmefpvt.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2888 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2888 WINWORD.EXE 2888 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe | command line: "C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe" | tree depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\skwucyxncn.exe | command line: skwucyxncn.exe | tree depth: 2
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\yvmefpvt.exe | command line: C:\Windows\system32\yvmefpvt.exe | tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1640
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" | tree depth: 2
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\splwow64.exe | command line: C:\Windows\splwow64.exe 12288 | tree depth: 3
PID:2864
-
-
-
C:\Windows\SysWOW64\tzwhacaxpuyzy.exetzwhacaxpuyzy.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948
-
-
C:\Windows\SysWOW64\yvmefpvt.exeyvmefpvt.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672
-
-
C:\Windows\SysWOW64\ivarjrchajticuw.exeivarjrchajticuw.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads