Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 22:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2pSetup.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2pSetup.exe
  Resource: win10v2004-20241007-en
General
Target: 2pSetup.exe
Size: 2.5MB
MD5: 047236c75d06bc5f7a74e73e05cbf73c
SHA1: 1e7a6e6e91c09474ec79208eaba8fdbadfb39b76
SHA256: b5d34d7d4f5dd5d40407f56c64abef2b91b668e6782604beccde54ff8147644d
SHA512: 1d2491beb6c17ba797e5fe2f7dae9a9fdb88e6d88103d03a82ef6a55df9ce368b97feadff60730d1addfefd01c281150764e246ed7039fc0c61adc1961eace9f
SSDEEP: 49152:q3Pnd9+Bq1OPFVvHECplutRiwbKu/oP5HVQYgbuztK9OVnWH/Tvwmd54z1WyAtRC:q3Pnd94TpyRbeiaVmXOVEbvnd+zFz
Malware Config
Signatures
Executes dropped EXE 5 IoCs
pid   Process
2836  2pbarsvc.exe
2784  2pbarsvc.exe
2932  2pbrmon.exe
788   2pbarsvc.exe
1508  2pHighIn.exe
Loads dropped DLL 37 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CouponAlert_2p Browser Plugin Loader = "C:\\PROGRA~2\\COUPON~1\\bar\\1.bin\\2pbrmon.exe" | 2pSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 6 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772} | 2pSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3a421c8f-e238-4aeb-8874-b8b5f2cc4772}\ | 2pSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} | 2pSetup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} | 2pSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799} | 2pSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60e91567-ef8a-4520-bce2-83aba5256799}\ | 2pSetup.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pbarsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pbarsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pbrmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pbarsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pHighIn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2pSetup.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | 2pSetup.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | 2pSetup.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | 2pSetup.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
804  2pSetup.exe
804  2pSetup.exe
804  2pSetup.exe
804  2pSetup.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeRestorePrivilege | 804 | 2pSetup.exe
Token: SeBackupPrivilege | 804 | 2pSetup.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2932  2pbrmon.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2pSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804

  C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
    Command line: "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -remove
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2836

  C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
    Command line: "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -install
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2784

  C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
    Command line: "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2932

  C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
    Command line: "C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe" 2ptpinst.dll,#5
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1508

C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
  Command line: C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:788
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads