Analysis
- max time kernel: 599s
- max time network: 605s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 22:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/YL0E1LwZ#ueyXvmDCNzdDwOjyh301hRPRHUpJ6pW8ysTw2wjk9Do
Resource: win10v2004-20240508-en
General
- Target: https://mega.nz/file/YL0E1LwZ#ueyXvmDCNzdDwOjyh301hRPRHUpJ6pW8ysTw2wjk9Do
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 4 IoCs
description | ioc | Process
File opened (read-only) | C:\windows\SysWOW64\vboxhook.dll | Lexyvirus.exe
File opened (read-only) | C:\windows\SysWOW64\vboxmrxnp.dll | Lexyvirus.exe
File opened (read-only) | C:\windows\SysWOW64\vboxhook.dll | .exe
File opened (read-only) | C:\windows\SysWOW64\vboxmrxnp.dll | .exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3644 | powershell.exe
5744 | powershell.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1096 | attrib.exe
-
ACProtect 1.3x - 1.4x DLL software 36 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 4 IoCs
pid | Process
3004 | Lexyvirus.exe
4520 | Lexyvirus.exe
1564 | .exe
5924 | .exe
-
Loads dropped DLL 64 IoCs
pid | Process
4520 | Lexyvirus.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\\\.exe" | Lexyvirus.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow | ioc
42 | discord.com
43 | discord.com
44 | discord.com
45 | discord.com
46 | discord.com
47 | discord.com
-
Detects Pyinstaller 1 IoCs
resource | yara_rule
behavioral1/files/0x000a0000000233ac-274.dat | pyinstaller
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 1 IoCs
pid | Process
3320 | taskkill.exe
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3944 | msedge.exe
3728 | msedge.exe
4072 | identity_helper.exe
4808 | msedge.exe
4520 | Lexyvirus.exe
3644 | powershell.exe
5924 | .exe
5744 | powershell.exe
5480 | msedge.exe
3612 | taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid | Process
2852 | OpenWith.exe
4956 | 7zFM.exe
3612 | taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
3728 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: 33 | 5080 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 5080 | AUDIODG.EXE
Token: SeRestorePrivilege | 4956 | 7zFM.exe
Token: 35 | 4956 | 7zFM.exe
Token: SeSecurityPrivilege | 4956 | 7zFM.exe
Token: SeDebugPrivilege | 4520 | Lexyvirus.exe
Token: SeDebugPrivilege | 3644 | powershell.exe
Token: SeDebugPrivilege | 3320 | taskkill.exe
Token: SeDebugPrivilege | 5924 | .exe
Token: SeDebugPrivilege | 5744 | powershell.exe
Token: SeDebugPrivilege | 3612 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3612 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3612 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3728 | msedge.exe
4956 | 7zFM.exe
3612 | taskmgr.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3728 | msedge.exe
3612 | taskmgr.exe
-
Suspicious use of SetWindowsHookEx 20 IoCs
pid | Process
2852 | OpenWith.exe
5924 | .exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3728 wrote to memory of 4852 | 3728 | msedge.exe | 78
PID 3728 wrote to memory of 4688 | 3728 | msedge.exe | 79
PID 3728 wrote to memory of 3944 | 3728 | msedge.exe | 80
PID 3728 wrote to memory of 4592 | 3728 | msedge.exe | 81
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
1096 | attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/YL0E1LwZ#ueyXvmDCNzdDwOjyh301hRPRHUpJ6pW8ysTw2wjk9Do
1⤵ PID:3728
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa632546f8,0x7ffa63254708,0x7ffa63254718
2⤵ PID:4852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:22⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
2⤵ PID:3944
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
2⤵ PID:4592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵ PID:1288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵ PID:3916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4848 /prefetch:8
2⤵ PID:4088
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
2⤵ PID:4872
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
2⤵ PID:4072
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵ PID:5052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵ PID:4960
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
2⤵ PID:3396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵ PID:3336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4732 /prefetch:8
2⤵ PID:1152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
2⤵ PID:748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
2⤵ PID:4808
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,14314915715257409809,9964173384587891226,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3100 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5480
-
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵ PID:2628
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵ PID:2432
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c 0x308
1⤵ PID:5080
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵ PID:2852
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵ PID:5032
-
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Lexyvirus.rar"
1⤵ PID:4956
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Lexyvirus.exe
"C:\Users\Admin\Desktop\Lexyvirus.exe"
1⤵ PID:3004
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Lexyvirus.exe
"C:\Users\Admin\Desktop\Lexyvirus.exe"
2⤵ PID:4520
- Enumerates VirtualBox DLL files
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""
3⤵ PID:3644
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\\activate.bat
3⤵ PID:3452
-
C:\Windows\SysWOW64\attrib.exe
attrib +s +h .
4⤵ PID:1096
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\.exe
".exe"
4⤵ PID:1564
- Executes dropped EXE
-
C:\Users\Admin\.exe
".exe"
5⤵ PID:5924
- Enumerates VirtualBox DLL files
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\\\""
6⤵ PID:5744
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Lexyvirus.exe"
4⤵ PID:3320
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵ PID:3612
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
Defense Evasion
- Hide Artifacts: 2
- Hidden Files and Directories: 2
- Modify Registry: 1
- Virtualization/Sandbox Evasion: 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD512ec9a2576f26f666fcd5d190203a0d1
SHA15c2f7ada82dc355efa7a982f5a3a45694aa5bee5
SHA25648a76841c98628fb8a0e345b00d5891f6b93a304956b07ca45de9783920f928d
SHA5122176c20619c26f55a4dd025bc120b0f4fd79796dbf0d43ee1ef249a7d7103439128967514b5189382cfb7fce1ebd74db4b4ffbd5c1531785a6ea59246fd51099
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a7e8.TMP
Filesize48B
MD5b28fd5ff8a4ac7848b25b9c2501f4e7b
SHA1985e25bfe345931f0a2a9e567ad3665d422abc72
SHA256e8d77d0185a07f8a4465e0391e6594c6f839a0a179cfda3e9f4f1a74cc1aa1aa
SHA51240a349b625edbbc6d59f482810706ac6ab307e71a90fea9fd89c251fcd26a41d2b96f27f83e2b994df735e84e8b7e7fd9437cc5be1a5e2527fb5463338042bec
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD5a8539dfd7caf4b6fd66c26f25a78eede
SHA1d69e3855301ea5dfc832de460724684cda4d4ec0
SHA256855903a586d5d562c921be73a79f8b3a9a88b7a93ff045ef242dfd8ae804d263
SHA512c74bf00c4381d8fd3bad045a6ad7b9a140b57e9cde630d82c26a29225c71599abd1d3150db80fef07aaa81a441184aa0b4489c1a0ce9d77c5336dcf75da2b569
-
Filesize
11KB
MD506977a6e9cfabc406ac144d0a748d232
SHA189b8aaf3003353d0d7d5fe93d2c4255bfebee7d6
SHA25614ac0d916268050104d99ba505d81a339b43bb250e87e9176710dfcdbbdac487
SHA5120802600eead44d2ea12c402558162f02e041f264367c4b02fb2fa9d797a15eb266bdd04dd20f4c717f82ebcf2c6e5b6c413bde163ea87e098b7cbdc890d9effc
-
Filesize
547KB
MD501efe5b9351fc7297febda89b7955750
SHA1fc0543b48adcfa30fe9e59ac7eb1ad53a8567dba
SHA25640bed47e058633a2f36ef56558c00f4442b88d7f972db93c34cd079753c015c2
SHA512921aff8e7894594654d18d4677939dc455f2cd86933fcde6b76efb13d87bd17abaa3d47f6307947bd0a2a89493d43ca8413bca81c811c2f171522cd592512d99
-
Filesize
53KB
MD5068d2313bfc24a317d345c14015b9082
SHA1e18eb26214ba3a23558b41a3a7678875baf6eaa5
SHA256d0dcfcce991144283a588665524bc0367e1629c9959f4d0dc46665d8246950f9
SHA51271e8aed870ea4e09336335eb79a8ca1410ecb521776115a8b9e96f56390671fd44f088becdffb1488e94ba49311625e71d75cce18f1e87c1bd0df058e5967afc
-
Filesize
117KB
MD55974c6c01d15c6d1cb0f910c2583ef1c
SHA1ebc95211c09d8fa3536c011c032675d93d4dc519
SHA2566db866aaf38686e77f1c63270044e6ea7de4e42984adc409df0a430ff535802d
SHA512714246faca8395a950aa45d591c0ad0731cab66f6f7e85e0a2f31c3c6fc367d95bd83b8ba410ed47a07e53ff21e7a8f646d6cad1003aedfae0bc75e8c01cf567
-
Filesize
571KB
MD5a842d2cd49e48c6ca9dcd7a0b80a6ba3
SHA1ba11d9468fc9f0f2950ed5a42fb3f7e356402a0a
SHA256539d876de6f27cbf565eef64c69bf721a5ea81536880a52c800f167cc2dda421
SHA51265fcb2d9289c04934922842b61e29867f409f27f34412c3bfc1decd7e0d5e1240ab4a5e5afa97c88a9d418d1480e438ea714ebc0188651917bbff798c93b2e93
-
Filesize
88KB
MD517f01742d17d9ffa7d8b3500978fc842
SHA12da2ff031da84ac8c2d063a964450642e849144d
SHA25670dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0
-
Filesize
34KB
MD511386a63d589b3aa5a5106495034deee
SHA10883fea178180a39cf0da52752ff9ab868efad46
SHA2561e5b063c5fa58dac409b26a2a9518ab73fdee265663856ddf1adc863e6cb7c77
SHA512dc1f183d571d27ada2943cdac7c7b921f7741772ce685dea614f1185dec5cb8518c10f0a83b9e072c25d2adab6b8287bb326d739c418a8c8fe85be23924f75a1
-
Filesize
44KB
MD58ca03012fe499bb52c55a0f52aaf5d11
SHA1133813cd3d6181e6731126eecef9c41c77c0f0f4
SHA256cd38b8d6dda3549d2f5ed34c5ab0437fd1b441d86b0c924b7fd3bccafc6cca53
SHA5127d7a6b40201a565a91436f52fbe2959f6c0570af8f4bf33154b8c04f20a0cb6bb9d0a5d820e9a96c363dcf01004ab6d0a453e7fe2169bc7d1e87b52c48e17d9c
-
Filesize
62KB
MD561130345d096d18dcfaedce1e6dff622
SHA13b7cb7adbfdb9e9bd0f0a0991715baa5ca8242c1
SHA2565a1df0dd23c9e280083419827aa5a91eb4ba268616af94a1b9ab358b1634fc30
SHA512a270b1fc1c2de9493a957055de6e441c6503639c4801cc9815637da8c8c878f894aa5e3c9d63eff3812ed3075c24aa2d403a15c92d52618d3beb5f09b4b44628
-
Filesize
53KB
MD531667c8aa65af33d23cf7f7d03e99d1c
SHA19b6504fce81e64f6927bb32718663e5dcba4d002
SHA25681d6d1c5d3d321e6521d8662233b78f117871e62392b057557fc61d0fdb34b28
SHA512f271fd29de9af2ee629b5e421f0ced4744e99f6f8ab2af4268f81e7fbb4aff22b3f5383893dd7cc13575ce895a4182f10c357c659ac4a1f32ad85e86560f8806
-
Filesize
79KB
MD5d9541261192762e1676135d3d91ab611
SHA12426a94cc179d996a36d408e4e065f0ad3bec581
SHA256ba83677dc75343e46ef913875d03c637fc0855d04bf2dee0784c4bdf5d1b60fa
SHA512e55f41a70441440f8503f450b2c2ae28bedd9a8bffaa425447d8945daa0e858727d55fb888dc8deaa710eee6d24ab8048749400691ef2d5f2e2b085c3188cb4b
-
Filesize
52KB
MD5a9fb45f9b6819170c352406be1bbfb59
SHA14e21c0ab0100ce3605d06364a08367baabd77eca
SHA2561f64517751e23803a815f495cdb21db7a4716b995f548ad20a9ce0edff53e5f7
SHA5127ae0f67a3b2129d0b5e22973f93eaf52d0b66554fa9f2d6620e517afd1af25de2f0061345be28653ab79b5cb3c84d3f8d6f64ca6357caee8560afd2227135e62
-
Filesize
30KB
MD5a6d9cc3460caa34325eb3f4f62fd6d08
SHA1e9c9b5e80a16f9fc966a9da0b1ee6f1acd3f822c
SHA2561070152cd927c80ee8bc67029cf0fa9ae1a7ff61060f4d0efe98c84d3c736aca
SHA512468846b6d9dbf09b36ae052a782047d7fc7c0281b0fd85a42f7b82cf2a9bb036bde9fc858fab0251ab0cf8d417a80811edd145f75b63da0fe30f6b18ba050d09
-
Filesize
79KB
MD51e514dd2dde7f3a9a305e950dd74275a
SHA113a2990b67216b701fc7889085e462843c4f58df
SHA2567d5258f32d310e9c90917c754d842f4e4b5579347e69ae3cb4a7481aa77518fc
SHA512bd9ceabdcb6c3e5949fea268c8780c9c87faabb960122f55aa6f8075a629fa64f1f7579b23d0f17c8947e626495e7035ff03e50d385a2aff88f685a1bda23d58
-
Filesize
25KB
MD583eb5a7e98f3611fbbcd744cf9167088
SHA14b2fa4a482c61dbe190681001918f38c2e57f6e1
SHA256639363cdd17e6823a21cba447354e7f1f004fde143cbaa165ad7091eb0d68804
SHA512d618c50a38097607d52d9d030e123a59d5da9a6f879f4e9b225f272f83a3b011d247e708306cc7e1ddc1a48bd31efe5dc444bf60eea54b67bc7822eb86822640
-
Filesize
29KB
MD5ca2be59ba6558991a37fd992ffea7a3b
SHA1aa0375ad758210efa5154aac975d84b4a245f92f
SHA256b8b126f196414d1e0dbf99ac8b0f84737ca8070b509bd698bed9dc086fb13bc9
SHA51287179e5a7795fea15ec6d1819a3bee0ccd2884a9bd464a73235fadbee1fc3a8e3290af654f0921dee554392bc83185d03f30e218535c203aa51e6bf294f58ce9
-
Filesize
24KB
MD527ff281f951e4c090c9decc3901cefdb
SHA1a3aff5bf06e1df2759b5af4824a9614e98ca6b30
SHA2566bf99367532509590aef75d3473040b4f19cd510664b68d29a5cceff0a46cdbe
SHA512481a854811c0a70e2ddf4913458d995798d09dc946fff4e30b66220827985b5bd29f136216a7a771beb327263c8bd4e0324fd6f23c1a06bb90b2173912e7c13d
-
Filesize
1.3MB
MD58dad91add129dca41dd17a332a64d593
SHA170a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA2568de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA5122163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50
-
Filesize
250KB
MD55f205b8fc4d2a836072b5bb2e0fa06dc
SHA1d2b79733993cfefaa493587f40696d8291ec6d65
SHA256a66cf338573ebcea5c91f5a8c203a88751c93649571867c8c5491551ef867983
SHA512bc42808b5823b52d529fe3f2e792ca7111ac6844a328211c8456a74eba65f4721c5155268ac357af1d84c52af52dfd997e4e785dae402ac61272d08354087f00
-
Filesize
1.0MB
MD514bf47bef4ede406d422265bd7ccb9db
SHA1ef373c3e06b7c0c3f095cfcae99f2e82c1f37563
SHA256fe82dc30e3662af42f33464e4098eaed14e3fdb708aa3a6141c2cc69b19d8789
SHA512dedc4e78f1917ce988559725f6aa6fc34c088930eab304165adb8c01e853073493a7057a6873e666f2e88a6bae469f6cf8c66d3fc9849b3af3c42bff802a104b
-
Filesize
28KB
MD5cafe0a27f8f2cc6f5e4a4c6233bb954f
SHA16f8b66056d058a02b05e61b9090762ed7acced6f
SHA25697ccb8542e8bbaf8c949683e8aba21b85e496a237c5543f8b2f6d90d9855b389
SHA512dc2221584fc54f6c9e423f212294614a447f6a8274a61138910f2364ca7eae041c15c8d224c6b7f3f79581626a3151a27bfcedee95e65784d6e16e94ccfe6330
-
Filesize
101KB
MD5574e2c562c1c858798b318df21c7ca50
SHA16cc7d5d54b47298715925aa3591941f664feea6a
SHA256d8dbd584dd9997da553d735f07820992698fef59ad28dc1141e50a6ed95fd58d
SHA512cf1213b0a8d82b72019265d6d87cde3f9d767c935c1429fe954a7ae53e77b5917ae4933472494af7a335c7c3693c692d03c41c5ee52e306b32d1c38914723096
-
Filesize
110KB
MD5f3cb4e12f761415ca474f2b8c4c88d94
SHA15111a67c03742c0a8d40b98500634a0ec43ac3b2
SHA256f6f3d0f77619426ac01d6a5a5634bf0911138b879e528e27f71b21858b029404
SHA512af04a800b15a5824d9d282bc8116d9e468bb3a890fccbe03a428fdcdd996c8e0731288707e017c21a0e958739bc6ed1439062a382d9856a262e3384c5fc20773
-
Filesize
16KB
MD5d14468143cc34dfe95509a8aa83bdecc
SHA1644fde846df9ff25a959104fa0b69121cd4bf8a3
SHA25678748c5933af2322953394795572704b3fbee99cab7fff04a4ec609714478757
SHA512a3064b2b858d4d932404f25d805524106a3cacf14638e297d982e0ff6137eb5f59210554916c9be8ba3a5a05d761b5c4d858dd5f6a23ceff1faed09c1753ba62
-
Filesize
169KB
MD54d8f9129c930088db9b520fac13b0cf4
SHA191a5bb1a153367d4fd1e1e04922010cdf5ef006d
SHA25668a60d3eaba31deb093986a74891cd052428b5e88337162f66aa5ec90595d096
SHA512efe8df82c87f8b436a76c5e07f24a7130767a1bbd0c3ed1f4d91c53b311c97e95f0f2927db971e22cb75fa631a8cf2e5a3012df3e661b0579c7b9ebe9747e42a
-
Filesize
28KB
MD5c79b4e5d4e7c313d58c2c64b7b89dad7
SHA1e8816f7173fe4e90782ef00d6bd4c17921d1592b
SHA2560542e21d671c8c711a9940d8265351010a4125a2ecaba988d0134d30c53efb7d
SHA512e3bdcd4f61121f0156e6633bb4816375fde62535f4deb61f616e80133a74ba96016bddcb5a5e9d5b52a7e79769caf500ea2bfa92c25a0efb0da4896a9b5e0655
-
Filesize
94KB
MD54081f400e7e4e0a271c8793fb69da433
SHA1fdc167a0dd384601c83608bc0b244cbef092bd70
SHA25677f7ca1f67bbf01cb89676ff7e1ed0e136f40b2e7dd295f835792f6818d96a56
SHA51262f4901222e08965676b7e1494ba1e24b7b228b5d8bc8e02fb95a1bf06f42a377e71652f9b11714762ea0b6167aa7c4196914a7fbf1729b2384e4ce64c1c39e0
-
Filesize
189KB
MD5fed9f1da2f51f7c09db583d5cb92886c
SHA11dca294432eace681a0277907bb802025fd89044
SHA2564b427f6543001965cc3cf8cf08e1ca73a27c9951c66703b42f179db93957853b
SHA512124d0644b2197929082e32eb0dc3e20206d5183667903f8e8bc90c5dd64790cc03e3b64719a1ef131e6087f8f6b1912746dab2543173b05c26358984b84f3e44
-
Filesize
128KB
MD5e80feff04b7e942a596d3c180f10163b
SHA17b9bbb30ebaea80b501089989d96a8c01bd920de
SHA2562c946a716c700b8cb9c1bac2085d83b4d015afdf1fd823b294193d2c882477dd
SHA512cf58e0cec22661e00d68c654a808295fb9b4294233f185af65a3e6a15bdd3752f098253180e281a2d5f7feb75f0169e8ea72f07f16f6bf21b24b7aa80c43e1a2
-
Filesize
180KB
MD59e58f1809a8a01f2f3d3153b310ee59d
SHA13c7d44336296cb83091e18116d653cc1d683dff6
SHA256ca2d560c75d38ba3060b39d3759f12ed4c3e513983bbd87f0b7f5fcd15f2197d
SHA5120d7954df16666ef5f3e003a25ea2d4fef687896ab55e3c685cfef43684bba8f2faea6102e9f93689a414e55b38f135a3c4fa19ad06a8a6f83c464bdd3217f5a4
-
Filesize
16KB
MD5d95e5514046562c8dd36cad4e7c2a545
SHA16aba08ec8c7547a79ba8b35fe6414e27db668eef
SHA256c1f187f5ef27490922490d5932277f62d039011041b9f3ec28e673fe3b066a7f
SHA5125d8c3a57b25e42f9d89e71f03122a68369d1362a1c3057b35afaa1f9b8e96322d9449b96d00ebecd023933919b51c66ed7d5ff95b48a56f8c1b8bf9e1ddbe2be
-
Filesize
73KB
MD5595642ffeec3f6244efd1051cf367b45
SHA15113e91a78af88fcfc62287ba59b3889cb06b292
SHA25600e5021e222db01963a2fe6f3652e18939fd270cd70c27318452d0a6c3b25629
SHA512b7c30d872552d47d4c3887c7fa17cb7f22a73b7931f456401de3cda7768392cd8650fda48ef90d2000770acdb94853155c74c517ce0ff2c8766f25a88b056bbf
-
Filesize
66KB
MD597386f12a1c19e14451f5e4697e5fdc8
SHA16bee5f0a7b8863779a02491c93cb46cd8b6916ef
SHA256130632508b1a7f6293bb67e13441e0e21164a5df8e5dabaec9ebe73a35544bad
SHA51266dbf574585bd72f2487f341026a811533740241bea1a33395f8967c4b9283aa35c7d765a03337cdec4f56ea5940ef02491d9fdee497a2deb5fc4296d19261e2
-
Filesize
1.5MB
MD5a0c0336fa0576d1380fbd6f4d29084a2
SHA1e418d67bd6252ba06937467edfd9257fea1c5028
SHA256ade3a8a4c8e87ce5dd2775f4456c12edbf865b538f0190fd5ba1b376f5d281d0
SHA512158e982f49e8c6485db3501800d038fe615c8f1a699ad3531894eb1d73794fa903e8ffe50cace78f084bee828cda6f96af1d36163c056ef2257548c417223a1d
-
Filesize
24KB
MD5138fd2710e2b397efbb3f14c19b0d02d
SHA124c637e8d55b2a8b2fe56ffe7ac539d08de99b10
SHA256dde8f67de7a4e6544aec75e3785c08a8e30559537063f76c27e50513f8edd371
SHA51207c7219c294f61bd5cd48ca33d543ef9b825cc2ab11947fd6774e74b3ed7fc6716d4db7efeddb7d5cbf07d7f2d7f87bc979de1fed22bb9715b5066e698f84865
-
Filesize
523KB
MD5b3d14e0a675aab996297ddfc8ea3aee6
SHA1fc867e4cbc538d9310a178b8cabae9094a16d914
SHA25634f1d706c4a2d289a4270dbd2894aaf780d440ef33b1df2e89819aa1dbdcfcbc
SHA5127be0e31be5be6366e95e09f5cb49e207780ae24a4e57abc0e5a7381274edb2d2de96f42f6d9cf82abf856a647c450ebf5dc387ce9d7f66d3b766954b647d22f6
-
Filesize
502KB
MD5ce075df8e1e783ad2140a1e9ed133c8f
SHA16fdc0000be4b70e0bb7f072d72c29f0835f58c7f
SHA256cd08b5b888fa01d51b53ba2534649396a537967df58950679236374931f93899
SHA5125d2e40217c4b8d8fba456f2e23321e5386958017e400aa11061916057c0be6a6e68580ca89eea97315922e1d5f4e07cdad873bd1c6eed98b549781873a5f999f
-
Filesize
509KB
MD5ed93e3d1e1bcee84602643fd1eae4b16
SHA12290123ee4fb95db2e6b3c5695394816b440fc16
SHA256122b7617a3903c19bbc3a0326d4922f1f5bf52b75960080bf7510c64ed3199d4
SHA5129678aaba8e3f5b303d11390d27e30552df37c5dcd4033728ec935305a92d740e6710f0c4a997f1cafc665a8408705426176bdce2e89a1a7f3beb4e5c3369f075
-
Filesize
292KB
MD52944322ed47ba7d9aa3aef3447615ca4
SHA12249c595efe82209d93effda26a1c6f6dfeb28a3
SHA256a25921209bc1e1b52f22ae5c9128b628b64e95017ebfa8f74fc5166b5e384868
SHA5123331d5b27cd4fe99fbe7a457d6517cd2c403a5da256ee4f083880ecc0f32eb2945aac3de2e10ea27cc1e9c52a1084b05dc56671db586416104f3234170ee00d2
-
Filesize
50KB
MD59c0713c65faa4ed19cfc327cc281527b
SHA17431fa2599916af847cefce85247e6ab6d0eda97
SHA256549de67df69f6cefa2e1f596d157711eabf46b72aad09b50b9460532316c719c
SHA512572af4c67428d721bea6078fd428913f381fc3dc7d99d8d3031dbdf5fa4f240e29a31193571de6c9faf9a2b6abba331b89afb99dd341fe888b0516c707ec4986
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
43.0MB
MD54508296fbdbd07746ab61808d278a2af
SHA128759e94200509c34a28ca1aa7e60af51b49f7e7
SHA256f7d9d303b1513be4b027b4205220ff32f9c7d261fc1a6372a71d8fedb0c24696
SHA5127173bf124be6899a4ff37b0e46685ff648047f3449858aebd5c4ba6456d54b8bf1c25353edf122e639ff403a44cd733aba088b9c109c0a4121a2e12535779f73
-
Filesize
40.3MB
MD555375091215a132b8aadaac0d055dbc5
SHA12da65fa622dca25fa6bf889f965ff9e7d59d743c
SHA2562921a602754491ea38dbf892a5d8a7df1004ea75fdfbc1157b0848f210f2e654
SHA5126e03bdf9c4e7a3b21869f30b4471a33096d4b7ef6c4a1eb6258f09f59f3ddd3022efb18547dfa6b92f6e77555f634b5bf71d76138406b3386992827601d0041b