Analysis
max time kernel: 122s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-12-2022 20:45
Static task: static1
Behavioral task: behavioral1
Sample: dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe
Resource: win10-20220901-en
General
Target: dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe
Size: 192KB
MD5: 037c426ad162e9b1036335e123f8cf61
SHA1: d9ac69f0f2a7bf8306b7125a4822ace775faba65
SHA256: dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f
SHA512: eb5d5bacac29c2e158f435c2f083457da0bfa49e5e3f597d0022a8053ebd36ee6404b2a7ad4e8b722ac60ed7d922b7852c77a589327c0bdacf1ac260e609d3b6
SSDEEP: 3072:GobD6e6hM46gUIJ5O5NJiprwVBDVeGPnEOLJa1Rs9E3AZxpR/VPT:Gtc46gUfTwprwVBs6nTvp
Malware Config
Extracted: djvu
c2: http://fresherlights.com/lancer/get.php
extension: .uyit
offline_id: HtkmULXEgJoZa495hFUJlvKCD0OwnxklbkoITjt1
payload_url: http://uaery.top/dl/build2.exe, http://fresherlights.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5UcwRdS3ED Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0611djfsieE
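The extracted Djvu config gives the two values a responder needs on a victim host: the appended extension and the build's offline ID. The helper below is an added example, not part of the sandbox report or of the malware; it assumes the encrypted-file trailer layout described in public STOP/Djvu write-ups (an RSA-wrapped file key, a 40-character personal ID, then a fixed marker GUID string) and the convention that a personal ID ending in "t1" means the hard-coded offline key was used. Neither assumption is stated on this page, and the victim directory it scans is constructed in a temp folder.

```python
"""Victim-side triage for the STOP/Djvu build described by the config above.

Added example; not part of the sandbox report. EXTENSION and OFFLINE_ID come from
the extracted config on this page. The trailer layout and the "t1" offline-ID
convention are assumptions taken from public STOP/Djvu write-ups, not from this page.
"""
import os
import tempfile

EXTENSION = ".uyit"                                      # from the extracted config
OFFLINE_ID = "HtkmULXEgJoZa495hFUJlvKCD0OwnxklbkoITjt1"  # from the extracted config

# Assumed trailer: [RSA-wrapped Salsa20 key][40-char personal ID][marker GUID string]
MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
ID_LEN = 40
TAIL_BYTES = 512  # enough to cover the 256-byte key blob, the ID and the marker


def parse_trailer(tail: bytes):
    """Return the personal ID stored at the end of an encrypted file, or None."""
    if not tail.endswith(MARKER):
        return None
    body = tail[:-len(MARKER)]
    if len(body) < ID_LEN:
        return None
    try:
        return body[-ID_LEN:].decode("ascii")
    except UnicodeDecodeError:
        return None


def is_offline_id(personal_id: str) -> bool:
    """Assumed convention: IDs ending in 't1' mean the hard-coded offline key was used."""
    return personal_id.endswith("t1")


def scan(root: str):
    """Map every file carrying the campaign extension under root to its personal ID."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXTENSION):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                fh.seek(0, os.SEEK_END)
                fh.seek(max(0, fh.tell() - TAIL_BYTES))
                found[path] = parse_trailer(fh.read())
    return found


def summarize(found):
    """Collapse the per-file results into what an incident summary needs."""
    ids = {pid for pid in found.values() if pid}
    return {
        "files": len(found),
        "ids": sorted(ids),
        "offline_ids": sorted(pid for pid in ids if is_offline_id(pid)),
        "matches_sample_offline_id": OFFLINE_ID in ids,
        "unparsed": sorted(path for path, pid in found.items() if pid is None),
    }


def build_demo_dir() -> str:
    """Constructed victim directory: two offline-keyed files, one online-keyed, one damaged."""
    root = tempfile.mkdtemp(prefix="djvu_demo_")
    fake_key_blob = b"\x11" * 256   # stands in for the RSA-wrapped file key
    online_id = "A" * 38 + "Q9"     # constructed; does not end in 't1'

    def write(name, personal_id):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 64 + fake_key_blob + personal_id.encode() + MARKER)

    write("report.docx" + EXTENSION, OFFLINE_ID)
    write("photo.jpg" + EXTENSION, OFFLINE_ID)
    write("db.sqlite" + EXTENSION, online_id)
    with open(os.path.join(root, "notes.txt" + EXTENSION), "wb") as fh:
        fh.write(b"truncated during copy")
    return root


if __name__ == "__main__":
    print(summarize(scan(build_demo_dir())))
```

If every recovered ID equals the config's offline_id, all files were encrypted with the key baked into this build, which is the only case a third-party decryptor can ever help with; an ID that does not end in "t1" means a per-victim key was fetched from the C2 URL above and the files cannot be recovered without it. Files whose trailer does not parse were either still being written when the process was killed or were never touched by the sample, so keep them out of the "encrypted" count.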
Extracted: vidar
version: 56
profile_id: 517
c2 (dead-drop resolver pages): https://t.me/asifrazatg, https://steamcommunity.com/profiles/76561199439929669
Extracted: vidar
version: 56
profile_id: 1148
c2 (dead-drop resolver pages): https://t.me/asifrazatg, https://steamcommunity.com/profiles/76561199439929669
Extracted: amadey
version: 3.50
c2: 62.204.41.252/nB8cWack3/index.php
Signatures
-
DcRat 4 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
Processes: dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe, 204.exe, schtasks.exe, schtasks.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3ee7324-eea5-4e8f-92a0-5969697f5af3\\204.exe\" --AutoStart" (204.exe)
- 4944 schtasks.exe
- 3308 schtasks.exe
All four IoCs (the SCSI key read, the SysHelper Run value written by 204.exe and the two schtasks.exe invocations) are the same artefacts listed under the SCSI, Run-key and scheduled-task signatures below; nothing else on this page attributes a DcRat payload, so treat this hit as a weak, generic match rather than evidence of a third family.
Detected Djvu ransomware 8 IoCs
YARA rule family_djvu matched the following memory dumps:
- behavioral1/memory/4164-247-0x0000000002200000-0x000000000231B000-memory.dmp
- behavioral1/memory/4076-285-0x0000000000424141-mapping.dmp
- behavioral1/memory/4076-509-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral1/memory/4076-678-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral1/memory/4076-692-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral1/memory/4864-722-0x0000000000424141-mapping.dmp
- behavioral1/memory/4864-773-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral1/memory/4864-909-0x0000000000400000-0x0000000000537000-memory.dmp
Detects Smokeloader packer 3 IoCs
YARA rule family_smokeloader matched the following memory dumps:
- behavioral1/memory/2412-146-0x00000000001D0000-0x00000000001D9000-memory.dmp
- behavioral1/memory/1132-350-0x0000000000550000-0x0000000000559000-memory.dmp
- behavioral1/memory/4176-476-0x00000000004C0000-0x00000000004C9000-memory.dmp
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes: FF44.exe
- File opened for modification C:\Windows\System32\drivers\etc\hosts (FF44.exe)
- File created C:\Windows\System32\drivers\etc\hosts (FF44.exe)
Executes dropped EXE 18 IoCs
PID / process:
- 5072 FF44.exe
- 4164 204.exe
- 1132 F45.exe
- 428 1418.exe
- 4076 204.exe
- 4176 1BF9.exe
- 2588 237C.exe
- 4744 FF44.exe
- 4684 204.exe
- 4864 204.exe
- 204 build2.exe
- 4948 build3.exe
- 2536 build2.exe
- 3552 E805.exe
- 3532 E7A.exe
- 4420 1736.exe
- 4024 1736.exe
- 3872 gntuud.exe
Deletes itself 1 IoCs
- PID 8 (process name not recorded by the sandbox)
Loads dropped DLL 3 IoCs
PID / process:
- 1640 regsvr32.exe
- 2536 build2.exe
- 2536 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: explorer.exe
- Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 204.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3ee7324-eea5-4e8f-92a0-5969697f5af3\\204.exe\" --AutoStart" (204.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
Processes: FF44.exe
- File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json (FF44.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flows 11, 12, 68 and 69: api.2ip.ua
Suspicious use of SetThreadContext 5 IoCs
Processes: 204.exe, FF44.exe, 204.exe, build2.exe, 1736.exe
- PID 4164 (204.exe) set thread context of 4076 (204.exe)
- PID 5072 (FF44.exe) set thread context of 4744 (FF44.exe)
- PID 4684 (204.exe) set thread context of 4864 (204.exe)
- PID 204 (build2.exe) set thread context of 2536 (build2.exe)
- PID 4420 (1736.exe) set thread context of 4024 (1736.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
- PID 2024 WerFault.exe, target PID 428 (1418.exe)
- PID 4636 WerFault.exe, target PID 4176 (1BF9.exe)
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 237C.exe, F45.exe, dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (237C.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (F45.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (237C.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (237C.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (F45.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (F45.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: build2.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (build2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (build2.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID / process:
- 4944 schtasks.exe
- 3308 schtasks.exe
Delays execution with timeout.exe 2 IoCs
PID / process:
- 4300 timeout.exe
- 1396 timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID / process (with repeat counts):
- 2412 dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe (x2)
- 8 (process name not recorded by the sandbox) (x62)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 8 (process name not recorded by the sandbox)
Suspicious behavior: MapViewOfSection 61 IoCs
Processes: dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe, F45.exe, 237C.exe, explorer.exe, explorer.exe
PID / process (with repeat counts):
- 2412 dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe (x1)
- 1132 F45.exe (x1)
- 2588 237C.exe (x1)
- 8 (process name not recorded by the sandbox) (x22)
- 4456 explorer.exe (x18)
- 2524 explorer.exe (x18)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
- 3432 chrome.exe (x3)
Suspicious use of AdjustPrivilegeToken 34 IoCs
- PID 8 (process name not recorded by the sandbox): Token SeShutdownPrivilege and Token SeCreatePagefilePrivilege enabled alternately, 17 times each
Suspicious use of FindShellTrayWindow 26 IoCs
- 3432 chrome.exe (x26)
Suspicious use of SendNotifyMessage 24 IoCs
- 3432 chrome.exe (x24)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: regsvr32.exe, 204.exe, FF44.exe, FF44.exe, chrome.exe, 204.exe
Source PID -> target PID (target process), with repeat counts:
- 8 -> 5072 (FF44.exe) (x3)
- 8 -> 4164 (204.exe) (x3)
- 8 -> 3776 (regsvr32.exe) (x2)
- 3776 (regsvr32.exe) -> 1640 (regsvr32.exe) (x3)
- 8 -> 1132 (F45.exe) (x3)
- 8 -> 428 (1418.exe) (x3)
- 4164 (204.exe) -> 4076 (204.exe) (x10)
- 8 -> 4176 (1BF9.exe) (x3)
- 8 -> 2588 (237C.exe) (x3)
- 8 -> 4644 (explorer.exe) (x4)
- 8 -> 2608 (explorer.exe) (x3)
- 5072 (FF44.exe) -> 4744 (FF44.exe) (x16)
- 4744 (FF44.exe) -> 3432 (chrome.exe) (x2)
- 3432 (chrome.exe) -> 3124 (chrome.exe) (x2)
- 4076 (204.exe) -> 4440 (icacls.exe) (x3)
- 3432 (chrome.exe) -> 4560 (chrome.exe) (x1)
outlook_office_path 1 IoCs
Processes: explorer.exe
- Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
outlook_win_path 1 IoCs
Processes: explorer.exe
- Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
Processes
Each entry is shown as [depth] image (PID), followed by its command line and the signatures it triggered; children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe (PID 2412)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\FF44.exe (PID 5072)
    cmdline: C:\Users\Admin\AppData\Local\Temp\FF44.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\FF44.exe (PID 4744)
      cmdline: C:\Users\Admin\AppData\Local\Temp\FF44.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops Chrome extension
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3432)
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://search-hoj.com/reginst/prg/c2bcbb9f/102/0/"
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3124)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0x5c,0xd8,0x7ffd19dc4f50,0x7ffd19dc4f60,0x7ffd19dc4f70
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4628)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4560)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1516 /prefetch:2
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3164)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1980)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4120)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 352)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4916)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4796)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3868)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4548)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 60)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4364)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8

[1] C:\Users\Admin\AppData\Local\Temp\204.exe (PID 4164)
    cmdline: C:\Users\Admin\AppData\Local\Temp\204.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\204.exe (PID 4076)
      cmdline: C:\Users\Admin\AppData\Local\Temp\204.exe
      - DcRat
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\icacls.exe (PID 4440)
        cmdline: icacls "C:\Users\Admin\AppData\Local\f3ee7324-eea5-4e8f-92a0-5969697f5af3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
    [3] C:\Users\Admin\AppData\Local\Temp\204.exe (PID 4684)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\204.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] C:\Users\Admin\AppData\Local\Temp\204.exe (PID 4864)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\204.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe (PID 204)
            cmdline: "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe (PID 2536)
              cmdline: "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4752)
                cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe" & exit
              [8] C:\Windows\SysWOW64\timeout.exe (PID 4300)
                  cmdline: timeout /t 6
                  - Delays execution with timeout.exe
        [5] C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe (PID 4948)
            cmdline: "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 4944)
              cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - DcRat
              - Creates scheduled task(s)

[1] C:\Windows\system32\regsvr32.exe (PID 3776)
    cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\784.dll
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\regsvr32.exe (PID 1640)
      cmdline: /s C:\Users\Admin\AppData\Local\Temp\784.dll
      - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\F45.exe (PID 1132)
    cmdline: C:\Users\Admin\AppData\Local\Temp\F45.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\1418.exe (PID 428)
    cmdline: C:\Users\Admin\AppData\Local\Temp\1418.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 2024)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 272
      - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\1BF9.exe (PID 4176)
    cmdline: C:\Users\Admin\AppData\Local\Temp\1BF9.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4636)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 476
      - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\237C.exe (PID 2588)
    cmdline: C:\Users\Admin\AppData\Local\Temp\237C.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe (PID 4644)
    cmdline: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path

[1] C:\Windows\explorer.exe (PID 2608)
    cmdline: C:\Windows\explorer.exe

[1] C:\Users\Admin\AppData\Local\Temp\E805.exe (PID 3552)
    cmdline: C:\Users\Admin\AppData\Local\Temp\E805.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\E7A.exe (PID 3532)
    cmdline: C:\Users\Admin\AppData\Local\Temp\E7A.exe
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (PID 3872)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 3308)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
        - DcRat
        - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\1736.exe (PID 4420)
    cmdline: C:\Users\Admin\AppData\Local\Temp\1736.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Users\Admin\AppData\Local\Temp\1736.exe (PID 4024)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\1736.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4880)
        cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1736.exe" & exit
      [4] C:\Windows\SysWOW64\timeout.exe (PID 1396)
          cmdline: timeout /t 6
          - Delays execution with timeout.exe

[1] C:\Windows\SysWOW64\explorer.exe (PID 1456)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe (PID 4456)
    cmdline: C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe (PID 1784)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe (PID 2524)
    cmdline: C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\SysWOW64\explorer.exe (PID 1792)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe (PID 1660)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe (PID 768)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe (PID 2264)
    cmdline: C:\Windows\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe (PID 308)
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 4716)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
MITRE ATT&CK Enterprise v6
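The process tree and signatures above record four persistence and anti-forensics actions worth alerting on: two schtasks.exe invocations that re-launch a binary from the user profile every minute, an icacls.exe call that denies Everyone (S-1-1-0) delete rights on the dropped Djvu directory, a cmd.exe "timeout & del" chain that removes build2.exe after it runs, and the SysHelper Run value written by 204.exe. The triage script below is an added example, not code from the sandbox or the malware: it replays those command lines and the registry write as constructed event records (the type/image/cmdline/key/value layout is an assumed minimal schema, not a Triage or EDR export format) and maps each match to the ATT&CK technique it represents, with one benign control event to show the rules do not fire on an ordinary vendor task.

```python
"""Map the persistence and clean-up commands from this report to ATT&CK techniques.

Added example; not code from the sandbox or from the malware. The records in EVENTS
are constructed from command lines and the registry write shown on this page; the
record layout (type/image/cmdline/key/value) is an assumed minimal schema.
"""
import re

# Paths a low-privileged user can write to; persistence pointing here is the red flag.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I
)

EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\f3ee7324-eea5-4e8f-92a0-5969697f5af3" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe" & exit'},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": r'"C:\Users\Admin\AppData\Local\f3ee7324-eea5-4e8f-92a0-5969697f5af3\204.exe" --AutoStart'},
    # Constructed benign control: an hourly vendor task under Program Files must not fire.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC HOURLY /TN Updater /TR "C:\Program Files\Vendor\update.exe"'},
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def arg_after(tokens, switch):
    """Value following a case-insensitive switch such as /tr, or None if absent."""
    low = [t.lower() for t in tokens]
    try:
        return tokens[low.index(switch.lower()) + 1]
    except (ValueError, IndexError):
        return None


def self_delete_target(cmdline):
    """Path removed by a 'cmd /c timeout ... & del ... & exit' chain, or None."""
    for segment in cmdline.split("&"):
        toks = split_cmdline(segment)
        if toks and toks[0].lower() == "del":
            return toks[-1]
    return None


def check_process(image, cmdline):
    """Return (technique_id, description) findings for one process-creation event."""
    name = image.rsplit("\\", 1)[-1].lower()
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    findings = []
    if name == "schtasks.exe" and "/create" in low:
        schedule = (arg_after(toks, "/sc") or "").lower()
        modifier = arg_after(toks, "/mo") or ""
        target = arg_after(toks, "/tr") or ""
        # Both schtasks calls in this report: MINUTE schedule, /MO 1, target in the user profile.
        if schedule == "minute" and modifier.isdigit() and int(modifier) <= 5 and USER_WRITABLE.search(target):
            findings.append(("T1053.005", "minute-interval task %r runs %s" % (arg_after(toks, "/tn"), target)))
    elif name == "icacls.exe" and "/deny" in low:
        ace = arg_after(toks, "/deny") or ""
        rights = {r.strip().upper() for grp in re.findall(r"\(([^)]*)\)", ace) for r in grp.split(",")}
        # Everyone (S-1-1-0) denied delete/delete-child: the payload shields its own directory.
        if ace.upper().startswith("*S-1-1-0:") and rights & {"DE", "DC", "F", "M"}:
            findings.append(("T1222.001", "Everyone denied delete on %s" % (toks[1] if len(toks) > 1 else "?")))
    elif name == "cmd.exe" and re.search(r"\btimeout\b.*&\s*del\b", cmdline, re.I):
        findings.append(("T1070.004", "delayed self-delete of %s" % self_delete_target(cmdline)))
    return findings


def check_registry(key, value):
    """Flag a Run value whose command points into a user-writable directory."""
    value_name = key.rsplit("\\", 1)[-1]
    if re.search(r"\\currentversion\\run\\", key, re.I) and USER_WRITABLE.search(value):
        return [("T1547.001", "Run value %s -> %s" % (value_name, value))]
    return []


def triage(events):
    """Return (technique_id, description) pairs for every suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings += check_process(ev["image"], ev["cmdline"])
        elif ev["type"] == "registry":
            findings += check_registry(ev["key"], ev["value"])
    return findings


if __name__ == "__main__":
    for technique, description in triage(EVENTS):
        print(technique, description)
```

The schtasks rule keys on the combination (minute-level repeat plus a target under the profile) rather than on schtasks.exe alone, because legitimate installers create tasks constantly; the icacls rule parses the ACE's rights list instead of substring-matching so that an unrelated deny on, say, read-only attributes does not trip it. The same four rules translate directly into Sigma or EDR query form once the field names are mapped to the real telemetry schema.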
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 2KB
MD5: 61ffe15234088bd43d27e9eb101ad1f6
SHA1: 80e8cf2dbbf66018e148cbab446cfc5e52eed1b2
SHA256: 1dc492a98f81cf0473e5ebc17c9284892b88c592b5194c31761a1ef1985c59b5
SHA512: f925dbd2d421bc596f344241ce915b69e8f9a5112f4b9d6e62c82a717493ce2422366395dea33dfce896704b940afd6366923a7a2eb476d10563bc76de15b61d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 1KB
MD5: 912da6b52d140c350937afa14a357061
SHA1: 5eb54c7f9f32a1e3442113fd93c348027e218004
SHA256: 033b9d2ea11a924f8cd8af9d923c311efc401040802424ad0f7c8c811cb5f88d
SHA512: ace1abd89c31d0979a817b994fff933fec49b5f1204bc8d6ba43a41fd776500e719d3df95f1f90358d000b6de1705abe3cd8d120d13a9096ecea24afff4bdc2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 488B
MD5: a3338a5ed608e4a8fb577ef08bf00f68
SHA1: 54383542f5b542b3ccf3498a6cd7f5e9550da344
SHA256: 4f514684f30ec8e300b8ffa37dc6d13899729ede8ff17f3b65327db93a52c61f
SHA512: 3efd0990b4e71e273c4e77d72df1df8aceee2e4dd51498bb21c5b1d30da884dc6908feedfc0424f176248a40e6da989c69dce638dd337c46273956a7f80d4065
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 482B
MD5: 57894cab41d4f2af769899740721920c
SHA1: e1f638fbb3a14903d64775bdcc412d5e7da07be7
SHA256: e41252dcf314b123fa9251730214cd5747b0f6207ceb89898aa23aab5348cfb6
SHA512: 35c1a94ab54b74a8b6dd8a3e46ec1a6cbbf9858c8b2399d06a518b07c17e3f065b41676154808b0178ceecd020ef5ce1acd83b08c77a2d5d9d5a7af68c45d5de
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\128.png
Filesize: 8KB
MD5: 1f2092ca6379fb8aaf583d4bc260955e
SHA1: 1f5c95c87fc0e794fffa81f9db5e6663eefa2cd1
SHA256: bf8b8d46317c1fda356507735093f90dff5a578f564ed482b1166088ffcb8015
SHA512: 5ee4e914801fd60a3f3840cb7836f4773c6a49cfc878b431a60d0eb7e7dc391d1efdb079fab134ed08148a94e83d1eeb483a698f6cb8d3136dadd645058b9cd7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\16.png
Filesize: 843B
MD5: c2e121bfc2b42d77c4632f0e43968ac2
SHA1: 0f1d5bc95df1b6b333055871f25172ee66ceb21d
SHA256: 7d0d655cccfc117307faf463404da2931c2f5deae5ce80e638e042beccfa7b1e
SHA512: baa00af5fe6de9a3de61f85f4e27dec9c5c9a12052fb1d110f2dc5c1a4e39d275547a6d0368a93f6c0c88945dca3777b550408942f7c498ba556170b1e7a243c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\24.png
Filesize1KB
MD552b03cd5ab1715c9478925d24e470989
SHA1675804f5552867b9015b6cdb2328a88b3596a00c
SHA256afb7462a5952697a10eda8f653fb57287def531ba851678323dfa838a0291ccb
SHA51200dc3c4ae1939f16e506bf414d369c755e5043edbaf9181e9c05f48d1cc55c5f05f67c9cab2ab82a2845fdeba977d47c263bdd23762ba3cfcea43d8bb1b3fdd3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\32.png
Filesize1KB
MD5a11da999ffc6d60d18430e21be60a921
SHA1f98adfc8f6c526f2d3d9bd7b8726a7ea851ec1e5
SHA2561e8162fa7f3109b450c66d3c7a4a8ba205f1516d23a5b610ab396ec0931b6dc6
SHA5128aa2078ff8e68edd30ba46a4cae1a87df2a92e9623c848f0bcd816791f6243faa98164ec849c544130f22b8cb1fa1bd9e5bece8367fde1fd22fe8b1da09ce401
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\36.png
Filesize2KB
MD54e93455eb724d13f8cddbe4c5fd236c3
SHA13e8c930686c4024e0a3e6cd813d709ce67a7208d
SHA256a3e4f86e7e85040a8e234652d834c089bdb2849937194b612ca1963c81fcc69f
SHA51278a3c51f4db8aa273f6d0363c93c0b88d401752b18007b1a09303236b1d91e9758d8ea32a88b8ce76c6e820fe0ebca5ae1fc28c86dc98479f1ff8200c2dfeb83
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\48.png
Filesize3KB
MD5059ee71acc8439f352e350aecd374ab9
SHA1d5143bf7aad6847d46f0230f0edf6393db4c9a8c
SHA2560047690e602eb4a017c27402ad27cfe3b2e897b6e7b298e4f022e69fa2024b50
SHA51291928af347a547678d15b95836b7daeb6b2fbbd4855f067be9f6b8feadafff7803aa31159c8a1bf8f7cb95733bde883315a189dae54d898d517f521ea37d5ded
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\64.png
Filesize4KB
MD5d93ff667b54492bba9b9490cf588bf49
SHA19a9f6fc23ecbaacebbc3260c76bb57bab5949a63
SHA25655a82197ac30ec87ecbaa140ed6f007c4d4a379834370a518b77971e0107c9a0
SHA512923051a25d4c4567cee0af02feb4cf02bdecca3c6f344bc48994941632637c0ec47303734f5e3dc76160b2c9f2f4eae704ac48e2806ac998a4dc8707c7db59b6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\js\ads.js
Filesize5KB
MD5861911c84110225c3a7aedb619cdc8fd
SHA174e7694d3e1949d7fcdd3f6ad9fba26c7a139df9
SHA256739e8d5face2f027960a1e7974160687905f920adf128a7c6c936ee0b35ae9a3
SHA512425484b45d7941055aa7a7caea9b7fd072fece1a2fd0a34a44fd1e95b9f1c37d9a748f2746d56c12771ed68dc69814e9580607d64245391d1b92127e729384d2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json
Filesize1KB
MD523bb601e1a3c4a5a19830739f33b6f7b
SHA13558f1194cf2562f66245d7d5f562e7331da8afd
SHA25604bbd2c615f81fd4f57663259f6373224033b23c623bc1265afcd8ceb548f1bb
SHA51271cb66058b9cd2feb98b01d78554422fbbad148fc2e9450a6fcdf25af6a8bed4a3c0d71df6293e1da22af4f24e31bc95fa1f54836e2f7798c56bd03d144b1dba
-
Filesize: 116KB
MD5: 1ce4a9844cc499a5e0a66e19f4ab9ff3
SHA1: 6884ccfe0678bab97d1572f631b353a6908b1a0e
SHA256: c413ed6426633c4e9e317173398a07e219c0c9cb4e97ff8ba192dd96a4e3a4b5
SHA512: 54585ba207400210c22d0b22ca6b267f08a6ac8aac4733acdf72c6a022da15c4e1f4bffb88f539bef3ec4125adeb9b3153085bf73eca4001a43da3925045f97d
-
Filesize: 6KB
MD5: 5fe9b333ef5fcd8dfed56408a7863ff4
SHA1: 88b14ec87e25cd7ce0e28419a495399ebed59347
SHA256: c1ace4768bb8d9308a146125f9f326619e3957bfa536d926f42234bf737c5ac1
SHA512: bcaa04f39c01ded4739c5e670457e1b58fda58e16a8cac9c0675637f96d40c0dec3df353b9517bc31d632cb0236d75c3f0c4e551d46a420f8318c1564365457b
-
Filesize: 17KB
MD5: d1bf5238042c77fde4eb452904c185eb
SHA1: 95d9d06427a0f1611fc6a26722ebff5a3a5f72b6
SHA256: e49fb6bf5a42303af561059f8bb33cc3e9964aa335dc0c67ef4f556438eb2fae
SHA512: 1c1e7145534d3ea28dd8740268cf2bbe895297760c73e718ce22597c526a348b94614ac65d4b8b2ccf2bc19d7c04977c2d02ab44d58d2a4694ad36135c906927
-
Filesize: 88KB
MD5: e17f7f9f33aa50de34432ff8dfd3d9e7
SHA1: f9c7f7aef043bfdf842494beedf375784ddc4ae8
SHA256: 06c8aae1c372bce37179bfaee1cd64a0c397a9d78aec254a4b46cef37dd4140e
SHA512: 7ce0e48f5701955b65ac7f447da2cdbfca805e657d550a811f2d8f64e8f3480e71aec6288dbed7c84bf4aef30eddb0d403ffedefe54ff2e6b163c9f110eadee3
-
Filesize: 88KB
MD5: 56b3efbcd6523f9687ea1dd6204458e0
SHA1: 07cb84f9a4e886f0ea561a8517833491aae4d989
SHA256: 0b45cde49aa2da8ca588e11cc9eab35585e35a96597e759e1d2c968e61644350
SHA512: 41b3ca0ad2a4caa40a711c2b5459242e5027d63a4542be77469b46eed4f22ef25629ec0d850aecc89800527658ffd78fe22b96c8b647f30cd197e75f29ccf793
-
Filesize: 107KB
MD5: a2554e9ffce337a24189c4755a273a6f
SHA1: 135fd5128ed7ee677188f503de25c8507688f512
SHA256: 972bc98346a98fd4ef758fa99308356d1448c6eca4d0ec5418653963916cba72
SHA512: 8db5ba752174e86402783113bdb635e23e1789aa913d915f4558163afec9ce19bd83c16d2d983e909adcb102aa0b4c76a10137a3851a8ad885a1a7af704d8561
-
Filesize: 191KB
MD5: 625dee38c26375c8e089f41a81655002
SHA1: 2fc1b42b4cecb1862d2e2e0a3d26b164dbd53b7b
SHA256: 8e4eee8b58720238567ce15c10eed499c39c802f7e237f836ecaccdc0b6ca7d1
SHA512: 6d109a970a856f02f0935c5fca2380d82c641b70bb943fbcd2c0b28edb75a523ffccab0346005b78fdc7d5a36ec9876e6907ed8f6266e7ef0ba522b90539eb09
-
Filesize: 444KB
MD5: e9a0d9f852b134aea305a6910dddd141
SHA1: 34a23d8a7a8ee46b15f90ce7de1c4d689cb6c907
SHA256: c128a6e4bd58c45bf0499083c3e8f0c514d7d6575851cc7ef2620552a18541b9
SHA512: d3362ea27e695d72fd375872a0dffe9b339ceef2261830516d0411964088d030a405ca694f56d1090071047534758b7ec03cb496fecd972019ef29abf88eecf7
-
Filesize: 191KB
MD5: ca6e023ab975494e626c825e45f6873c
SHA1: 03081a7f1d82ac3c88bcfac56807ffcae6e344cb
SHA256: cf4c64e20ab121c8740766b6dd10cd18d2b5085dbe30f876bae2b66952f25065
SHA512: 3025694c2db5510956f5d63e6f98f14bbfd58d01abcb8de77175dc847266caed6edda5a4fc1f1edbe91d21c92cbcaf5103abba55389f1247fcd6fb5dd3764560
-
Filesize: 703KB
MD5: dc91f3648d7b0240a0e5ca5da5160b8a
SHA1: 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256: cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512: 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35
-
Filesize: 192KB
MD5: 6b2eb5128b32097a5da4894177b08627
SHA1: b17fe8600c6b7a2e2125b14d305562f9992d7570
SHA256: 2d06bbb31414ce7bcf71f257836164e93b6b127bf12e434d26bff9b359d21949
SHA512: 4a8b739ea147483b1bfdc21dd2eeb80643af0ab8e6e7b85a4bf89ebd15307403a3eeed618bef7a6d302e3f2fbe054cf80f53984e2f7fd70a836af33d84f2bc69
-
Filesize: 1.5MB
MD5: b5a6673ea8122fd4e50b967f5a2be296
SHA1: f2af0dff034e37f65791db6abba901174bd05d96
SHA256: 8d2f2df5c1fc4f8d47b080d7ba5527c92bf40764171f21090dd0ab73fc1c492f
SHA512: 5608315605cce0050b4b44ec570bd71a4d01696a8e1859bb8b59ffe3aef0e039f343201a6875598799236f51a3f879a6355a10aed64ecd182f3569a29401d578
-
Filesize: 250KB
MD5: ef20768d8e781368b6670d5675be6a50
SHA1: 23e7c3aacc30dec429357a28778e44be1273c80e
SHA256: ffa3a18c0ee028cfa575f28cbf71499fe55b0aa215825473e5b0a576362ceb37
SHA512: f83fccc87a53812caea9cfa053179281f0f5f01935e9a0e725d7feea427b89da64f17857b389189a921dc1f82190c8c8dbda0b6a35b4860792f636b726462721
-
Filesize: 3.7MB
MD5: 1cdd58e5697337d574c1074e3022b6ef
SHA1: 096916c31a85410776e0e0f91c9ba844f68b5ca4
SHA256: 33ddf00433ffc36f224753c68880ed25bd110609d2a9630d67cd8e3f6e75e3ca
SHA512: 16e55e844bc3fd40148aaa352f01a388ac6c6493df9ed3689cc2986ac1fa390a4b3012794981441dafe143e4b4e2caac836de9583f33ddc1815f1fbbffc8778f
-
Filesize: 192KB
MD5: 510415fbe19b40149650eba18ba69099
SHA1: 56876ffb4b2aae49285741fdbf41db7448c645b3
SHA256: c44700faae07d06395583ca84f7fbe1f1083971008d0316ad7aa8f72ee03965e
SHA512: 318c76f1c6b12f14c69df1033397208eb631701d8128de31c555f5d93e6471cc7e0c56a3ed8c9e0c19d7084b8e3c6f839ea35e8a8d01c34774f4fee193a477ce
-
Filesize: 2.0MB
MD5: 47ad5d71dcd38f85253d882d93c04906
SHA1: 941ef208fb34ff9a3b25f7a325fcd0a44eacaaaf
SHA256: 6ba14148ff3ce0ee93f4d2641677ac454aa0187821cba41c8eb03212a8c04fe2
SHA512: 75291bdf369e90b76d7c15a45c3532f751e82a7acde205af1c019775e1138833cea32652fe940cc98e3a491f2c3677c45d58933c7e2ea55f089e99f2133dd0d0
-
Filesize: 258KB
MD5: b9212ded69fae1fa1fb5d6db46a9fb76
SHA1: 58face4245646b1cd379ee49f03a701eab1642be
SHA256: 7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f
SHA512: 09cab8ccedb9e53d6d2725e8b9dbbe8fa9552607a58d89876b6539a6612b2e7ac0440ef281971bec9191510915fa6264048510add493e6a862b0d3b4f006e342
-
Filesize: 9KB
MD5: 9ead10c08e72ae41921191f8db39bc16
SHA1: abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512: aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize: 703KB
MD5: dc91f3648d7b0240a0e5ca5da5160b8a
SHA1: 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256: cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512: 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35
-
Filesize: 1KB
MD5: 6b800a7ce8e526d4ef554af1d3c5df84
SHA1: a55b3ee214f87bd52fa8bbd9366c4b5b9f25b11f
SHA256: d3834400ae484a92575e325d9e64802d07a0f2a28ff76fb1aef48dbce32b931f
SHA512: cce2d77ad7e26b9b2fae11761d8d7836b160db176777f2904471f4f73e5e39036979ba9ff66aea6fd21338a3bba4a6b0ad63f025870d55e1486bb569d813d49a
-
Filesize: 0B (the digests below are those of empty input, i.e. a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize: 1.5MB
MD5: b5a6673ea8122fd4e50b967f5a2be296
SHA1: f2af0dff034e37f65791db6abba901174bd05d96
SHA256: 8d2f2df5c1fc4f8d47b080d7ba5527c92bf40764171f21090dd0ab73fc1c492f
SHA512: 5608315605cce0050b4b44ec570bd71a4d01696a8e1859bb8b59ffe3aef0e039f343201a6875598799236f51a3f879a6355a10aed64ecd182f3569a29401d578
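The dropped-files table above reaches us as a flat export in which the label is fused to its value in some entries ("MD5a3338a5e...") and split onto the following line in others ("Filesize" then "116KB"), the same file is listed repeatedly, and one entry carries the digests of empty input. The Python script below is an added editorial example, not part of the sandbox report or of any vendor tooling: it parses both layouts, sanity-checks every digest's length and alphabet, collapses repeats into one IOC per SHA256 with an occurrence count, flags zero-byte entries by comparing against a computed empty-input digest, and extracts the ID of any Chrome extension dropped under a profile's `Extensions` directory. The embedded `SAMPLE` is an excerpt copied from the listing; treating a `0.0.0_0` version directory as a sign of an unpacked (non-Web-Store) extension is the example's own heuristic, not something the report states.

```python
"""Added example: turn a flattened sandbox dropped-files listing into deduplicated IOCs."""
import hashlib
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
# Chrome extension IDs are 32 characters from a-p. Reading a 0.0.0_0 version directory
# as an unpacked (non-Web-Store) extension is this example's assumption, not the report's.
SIDELOAD_RE = re.compile(r"\\Extensions\\([a-p]{32})\\0\.0\.0_0\\", re.IGNORECASE)
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero-byte input, computed not hard-coded


@dataclass
class DroppedFile:
    path: str = None
    size: str = None
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    def set_field(self, label, value):
        if label == "Filesize":
            self.size = value
            return
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[label], value):
            self.problems.append(f"{label} malformed: {value!r}")  # wrong length or non-hex
        self.hashes[label] = value

    @property
    def zero_byte(self):
        return self.hashes.get("SHA256") == EMPTY_SHA256


def parse_listing(text):
    """Entries end at a lone '-'; a label's value is either fused to it or on the next line."""
    entries, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.hashes:
                entries.append(cur)
            cur, pending = DroppedFile(), None
        elif pending:                                   # split form: value follows its label
            cur.set_field(pending, line)
            pending = None
        elif (m := FIELD_RE.match(line)):
            label, value = m.group(1), m.group(2).strip()
            if value:
                cur.set_field(label, value)             # fused form, e.g. "MD5a3338a5e..."
            else:
                pending = label
        else:
            cur.path = line                             # anything else is the dropped file's path
    if cur.path or cur.hashes:
        entries.append(cur)
    return entries


def dedupe_by_sha256(entries):
    """One IOC per SHA256 with an occurrence count and every path it was seen at."""
    iocs = {}
    for e in entries:
        sha = e.hashes.get("SHA256")
        if sha:
            rec = iocs.setdefault(sha, {"count": 0, "size": e.size, "md5": e.hashes.get("MD5"), "paths": []})
            rec["count"] += 1
            if e.path:
                rec["paths"].append(e.path)
    return iocs


def sideloaded_extension_ids(entries):
    return {m.group(1).lower() for e in entries if (m := SIDELOAD_RE.search(e.path or ""))}


def summarize(text):
    entries = parse_listing(text)
    iocs = dedupe_by_sha256(entries)
    return {
        "entries": len(entries),
        "unique_sha256": len(iocs),
        "malformed": [p for e in entries for p in e.problems],
        "zero_byte": sum(e.zero_byte for e in entries),
        "extension_ids": sorted(sideloaded_extension_ids(entries)),
        "repeated": {sha: r["count"] for sha, r in iocs.items() if r["count"] > 1},
    }


# Excerpt copied from the listing above: one fused entry, one split entry listed twice, one zero-byte file.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\js\ads.js
Filesize5KB
MD5861911c84110225c3a7aedb619cdc8fd
SHA174e7694d3e1949d7fcdd3f6ad9fba26c7a139df9
SHA256739e8d5face2f027960a1e7974160687905f920adf128a7c6c936ee0b35ae9a3
SHA512425484b45d7941055aa7a7caea9b7fd072fece1a2fd0a34a44fd1e95b9f1c37d9a748f2746d56c12771ed68dc69814e9580607d64245391d1b92127e729384d2
-
Filesize
703KB
MD5dc91f3648d7b0240a0e5ca5da5160b8a
SHA17fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA5127f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35
-
Filesize
703KB
MD5dc91f3648d7b0240a0e5ca5da5160b8a
SHA17fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA5127f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed the whole listing to `summarize` rather than the excerpt to get the full IOC set; `repeated` then tells you which hashes the sandbox saw at several locations, `malformed` catches digests truncated by the export, and the extension ID is what you would pivot on when checking endpoints for the same unpacked extension, after corroborating the `0.0.0_0` heuristic against the extension's `manifest.json`.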