Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
10/03/2024, 01:35
Static task
static1
Behavioral task
behavioral1
Sample
bd518227345c27dc2203145dd52d81d3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bd518227345c27dc2203145dd52d81d3.exe
Resource
win10v2004-20240226-en
General
-
Target
bd518227345c27dc2203145dd52d81d3.exe
-
Size
512KB
-
MD5
bd518227345c27dc2203145dd52d81d3
-
SHA1
68cf99f91c7e06f4460f222a1a77727deb902949
-
SHA256
385eb0e913f8cb912525b47bb3b3904b34983a982c404968e2e099cb8b136001
-
SHA512
2d0688686cfb5f62e76442cbd0ff62e82579d6bde26db701bb19fe5825533f31692be2a66124988a17d052163e90de80666531dd0faefedb470ca0cf5561d484
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" igsalitsfi.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" igsalitsfi.exe
-
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" igsalitsfi.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" igsalitsfi.exe
-
Executes dropped EXE 5 IoCs
pid Process
1720 igsalitsfi.exe
2432 apcmexnxwcdhrir.exe
2444 scrnchtf.exe
2848 zuikqaaapakfn.exe
2544 scrnchtf.exe
-
Loads dropped DLL 5 IoCs
pid Process
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
1720 igsalitsfi.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" igsalitsfi.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gqhzwfvz = "igsalitsfi.exe" apcmexnxwcdhrir.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tovxyaby = "apcmexnxwcdhrir.exe" apcmexnxwcdhrir.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zuikqaaapakfn.exe" apcmexnxwcdhrir.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" igsalitsfi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" igsalitsfi.exe
-
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral1/files/0x000a00000001466c-5.dat autoit_exe
behavioral1/files/0x000900000001222c-17.dat autoit_exe
behavioral1/files/0x000900000001222c-20.dat autoit_exe
behavioral1/files/0x000a00000001466c-25.dat autoit_exe
behavioral1/files/0x000a00000001466c-27.dat autoit_exe
behavioral1/files/0x000900000001222c-30.dat autoit_exe
behavioral1/files/0x000c000000014fe1-28.dat autoit_exe
behavioral1/files/0x000a00000001466c-21.dat autoit_exe
behavioral1/files/0x00080000000155e2-38.dat autoit_exe
behavioral1/files/0x00080000000155e2-40.dat autoit_exe
behavioral1/files/0x00080000000155e2-33.dat autoit_exe
behavioral1/files/0x000c000000014fe1-41.dat autoit_exe
behavioral1/files/0x000c000000014fe1-32.dat autoit_exe
behavioral1/files/0x000c000000014fe1-43.dat autoit_exe
behavioral1/files/0x0006000000016b5e-73.dat autoit_exe
behavioral1/files/0x0006000000016b96-75.dat autoit_exe
behavioral1/files/0x0006000000016c10-82.dat autoit_exe
-
Drops file in System32 directory 9 IoCs
description ioc Process
File created C:\Windows\SysWOW64\igsalitsfi.exe bd518227345c27dc2203145dd52d81d3.exe
File opened for modification C:\Windows\SysWOW64\apcmexnxwcdhrir.exe bd518227345c27dc2203145dd52d81d3.exe
File created C:\Windows\SysWOW64\scrnchtf.exe bd518227345c27dc2203145dd52d81d3.exe
File opened for modification C:\Windows\SysWOW64\scrnchtf.exe bd518227345c27dc2203145dd52d81d3.exe
File created C:\Windows\SysWOW64\zuikqaaapakfn.exe bd518227345c27dc2203145dd52d81d3.exe
File opened for modification C:\Windows\SysWOW64\zuikqaaapakfn.exe bd518227345c27dc2203145dd52d81d3.exe
File opened for modification C:\Windows\SysWOW64\igsalitsfi.exe bd518227345c27dc2203145dd52d81d3.exe
File created C:\Windows\SysWOW64\apcmexnxwcdhrir.exe bd518227345c27dc2203145dd52d81d3.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll igsalitsfi.exe
-
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal scrnchtf.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal scrnchtf.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe scrnchtf.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe scrnchtf.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe scrnchtf.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe scrnchtf.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe scrnchtf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal scrnchtf.exe
-
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf bd518227345c27dc2203145dd52d81d3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2512 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2432 apcmexnxwcdhrir.exe
2432 apcmexnxwcdhrir.exe
2432 apcmexnxwcdhrir.exe
1720 igsalitsfi.exe
1720 igsalitsfi.exe
1720 igsalitsfi.exe
2848 zuikqaaapakfn.exe
2848 zuikqaaapakfn.exe
2848 zuikqaaapakfn.exe
2444 scrnchtf.exe
2444 scrnchtf.exe
2444 scrnchtf.exe
2544 scrnchtf.exe
2544 scrnchtf.exe
2544 scrnchtf.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2004 bd518227345c27dc2203145dd52d81d3.exe
2432 apcmexnxwcdhrir.exe
2432 apcmexnxwcdhrir.exe
2432 apcmexnxwcdhrir.exe
1720 igsalitsfi.exe
1720 igsalitsfi.exe
1720 igsalitsfi.exe
2848 zuikqaaapakfn.exe
2848 zuikqaaapakfn.exe
2848 zuikqaaapakfn.exe
2444 scrnchtf.exe
2444 scrnchtf.exe
2444 scrnchtf.exe
2544 scrnchtf.exe
2544 scrnchtf.exe
2544 scrnchtf.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2512 WINWORD.EXE
2512 WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd518227345c27dc2203145dd52d81d3.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bd518227345c27dc2203145dd52d81d3.exe"; tree level 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\igsalitsfi.exe (command line: igsalitsfi.exe; tree level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\scrnchtf.exe (command line: C:\Windows\system32\scrnchtf.exe; tree level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2544
C:\Windows\SysWOW64\apcmexnxwcdhrir.exe
Command line: apcmexnxwcdhrir.exe (process tree depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432
C:\Windows\SysWOW64\scrnchtf.exe
Command line: scrnchtf.exe (process tree depth 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444
C:\Windows\SysWOW64\zuikqaaapakfn.exe
Command line: zuikqaaapakfn.exe (process tree depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2848
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (process tree depth 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288 (process tree depth 3)
PID:1940
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads