Resubmissions
03/09/2024, 12:38
240903-pt3hhawhln 703/09/2024, 12:37
240903-ptre8sxhpg 703/09/2024, 11:57
240903-n4zc6axcmc 7Analysis
-
max time kernel
1920s -
max time network
1870s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/09/2024, 11:57
General
-
Target
4ddig-for-windows-free_11725364633759053201.exe
-
Size
2.0MB
-
MD5
d3ac2fe920db837547b7409c4f50d0a3
-
SHA1
4b8aa8e053a97ce72e95fd1bfeeb4b9184648040
-
SHA256
80eb332f52c73798ee2737836b45c184330baabd176796fe5568e134de4c1ab1
-
SHA512
d55fb1c0a316e27d406b29410343d05f2823f07b3c703a75a3f973b7c610be74aff87c61218979c452bd280ef12e767379493c3417c072c1697925137819b192
-
SSDEEP
49152:zqU+lyxZS9qgC4ehhOCHPAgjtrr5N7k3oWYLbipxwGy1x9Xq:9oyxZSbmh/Ygj55pk3o/LeyTdq
Malware Config
Signatures
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Downloads MZ/PE file
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies Windows Firewall 2 TTPs 27 IoCs
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 54 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Kills process with taskkill 24 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ddig-for-windows-free_11725364633759053201.exe"C:\Users\Admin\AppData\Local\Temp\4ddig-for-windows-free_11725364633759053201.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigfree\AnyDataRecovery_4ddigfree_10.1.11.exe/VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\" /LANG=de /LOG="C:\Users\Admin\AppData\Local\Temp\Tenorshare 4DDiG_Setup_20240903120024.log" /sptrack "4ddig-for-windows-free_11725364633759053201.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-R8D08.tmp\AnyDataRecovery_4ddigfree_10.1.11.tmp"C:\Users\Admin\AppData\Local\Temp\is-R8D08.tmp\AnyDataRecovery_4ddigfree_10.1.11.tmp" /SL5="$40418,120411152,743424,C:\Users\Admin\AppData\Local\Temp\AnyDataRecovery_4ddigfree\AnyDataRecovery_4ddigfree_10.1.11.exe" /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\" /LANG=de /LOG="C:\Users\Admin\AppData\Local\Temp\Tenorshare 4DDiG_Setup_20240903120024.log" /sptrack "4ddig-for-windows-free_11725364633759053201.exe"3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "Tenorshare 4DDiG.exe"&taskkill /f /t /im "ParseRecord.exe"&taskkill /f /t /im "DebugRecord.exe"&taskkill /f /t /im "VideoRepairService.exe"&taskkill /f /t /im "PhotosRepairService.exe"&taskkill /f /t /im "UpdateService.exe"&taskkill /f /t /im "DocumentPreviewService.exe"&taskkill /f /t /im "DocumentPreviewServiceEx.exe"&taskkill /f /t /im "MediaPlayerService.exe"&taskkill /f /t /im "MediaInfoService.exe"&taskkill /f /t /im "TaskbarTest.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "Tenorshare 4DDiG.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "ParseRecord.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DebugRecord.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "VideoRepairService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "PhotosRepairService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "UpdateService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DocumentPreviewService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DocumentPreviewServiceEx.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "MediaPlayerService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "MediaInfoService.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "TaskbarTest.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /t /im "ffmpeg.exe"&taskkill /f /t /im "DeviceViewerService.exe"&taskkill /f /t /im "docsrepair.exe"&taskkill /f /t /im "doc-repair-office.exe"&taskkill /f /t /im "lib_USBFormatSDK.exe"&taskkill /f /t /im "PhotoPreviewService.exe"&taskkill /f /t /im "PicturePreviewService.exe"&taskkill /f /t /im "DataScanService.exe"&taskkill /f /t /im "DataPreviewService.exe"&taskkill /f /t /im "DataRecoveryService.exe"&taskkill /f /t /im "Mp4FrameScanService.exe"&taskkill /f /t /im "Mp4FrameRecoveryService.exe"&taskkill /f /t /im "MsgSupportService.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "ffmpeg.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DeviceViewerService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "docsrepair.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "doc-repair-office.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "lib_USBFormatSDK.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "PhotoPreviewService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "PicturePreviewService.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DataScanService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DataPreviewService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "DataRecoveryService.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "Mp4FrameScanService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "Mp4FrameRecoveryService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im "MsgSupportService.exe"5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_NetFrameCheck" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_ParseRecord" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\ParseRecord.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_UpdateService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_preuninstall" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\preuninstall.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DeviceViewerService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataScanService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataRecoveryService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataRecoveryService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataRecoveryService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_DataRecoveryService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataRecoveryService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MsgSupportService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_MsgSupportService" dir=in action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh advfirewall firewall add rule name="Tenorshare 4DDiG_MsgSupportService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Tenorshare 4DDiG_MsgSupportService" dir=out action=allow program="C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\NetFrameCheck.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe"3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\MsgSupportService.exe" ga_pipe_4248 QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxUZW5vcnNoYXJlXFRlbm9yc2hhcmUgNEREaUc= 10.1.11.64⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\TaskbarTest.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\MsgSupport\TaskbarTest.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f /q "F:\4DefaultTemp\37dd60b6bad04a5bba10d66e2d18b7a8.json"&exit4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cbs.tenorshare.com/go?pid=6731&a=i&v=10.1.11&cross_end_id=11725364633759053201&rnclid=117253646337590532014⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffdbc0346f8,0x7ffdbc034708,0x7ffdbc0347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14739321710369628766,9507794410071489858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14739321710369628766,9507794410071489858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14739321710369628766,9507794410071489858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14739321710369628766,9507794410071489858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14739321710369628766,9507794410071489858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:15⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f /q "F:\4DefaultTemp\5224acc04da14cc2acbd7c88d7eff5b3.json"&exit4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c rmdir /s /q "F:\4DefaultTemp"&exit4⤵
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\UpdateService.exe" eyJVcGxvYWRFbiI6MCwiVXBsb2FkVHlwZSI6W10sIlRlbXBQYXRoIjoiRjpcXCJ94⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DeviceViewerService.exe" 4ddig_Win 42484⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del /f /q "F:\4DefaultTemp\HotUpdateConfig_x64.rar"&exit4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c fsutil behavior set disabledeletenotify 1&exit4⤵
-
C:\Windows\system32\fsutil.exefsutil behavior set disabledeletenotify 15⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cbs.tenorshare.com/go?pid=6731&a=c6&v=10.1.11&cross_end_id=11725364633759053201&rnclid=117253646337590532014⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbc0346f8,0x7ffdbc034708,0x7ffdbc0347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9213172913274430239,1121950086271166123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:15⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cbs.tenorshare.com/go?pid=6731&a=c7&v=10.1.11&cross_end_id=11725364633759053201&rnclid=117253646337590532014⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbc0346f8,0x7ffdbc034708,0x7ffdbc0347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2899281680547319629,12062725174139782622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:85⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C wmic pagefileset create name='F:\pagefile.sys',initialsize=512,maximumsize=20484⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic pagefileset create name='F:\pagefile.sys',initialsize=512,maximumsize=20485⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" 42484⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe"C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\DataScanService.exe" 42484⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1File Deletion
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5e2aeb9e9e0be848f65752df75c79cb08
SHA18ffcea64c352e4bf6b4a90bd6aed6271697a5e49
SHA2568e8d4c4208054193c27b4b0006e1202cc86b6ab4cba1a56b1c271d8764a866c7
SHA512475b22f8f37460bb7378c0a2f650b46cdfc029973eac983fbb451e711f6106e43ca7f934cc487171f70417916f7c39003903d525318183f5087d19beab9cdacc
-
Filesize
27KB
MD5bcd1a5c3f01ce50635cfde15e8c6ceaf
SHA1d183725ec0156cfd4b2d9de6eaa87ab4e74b1cb9
SHA2560f2ecc1bc472302fca35c425136fb3d945a3ed682fd75d6ea429eba6ce5e08cc
SHA512f907bb53b62c8d83b3d4c34f3df031a8f941bf75b827597226dbd1641be00771c4c669270c15f0d59b89c312efdb8a50383aee108b355e59bf4b06d5e7973a22
-
Filesize
137KB
MD555a17cce1ab2c39ef55991d9ef4aed6a
SHA170c11e5e928e69079b6af40d7081e46f72b563c7
SHA256e49e3a1760cf33c6d73beb1f5a276863aba8b55cf11e86cbe86a3a7d52bf4ab1
SHA512a5a9a0454b0ce4926e182bec62b56b1ba5bcc7f71a9259f69511e5291db54a9a1ce697e86f5267abc9ae96cf45b2309310e9df976826084877944869cb3b80e0
-
Filesize
1.4MB
MD5fe934c791520fc7df83ace95d84e5f10
SHA117b5a7d59cc06819dbb2217ccbac6da6355a0dac
SHA2560fc613278bba8ac508f629aa97c0c38ae403086feca8da57b34f43f2bf74a261
SHA5122050d6c1a99e309148b057348c76bf2d1a7b5a56aed07ad117bf94f07365eb231212cb94f73e8a41c597b2e7b9d9c70ed7c9b1a9df33b4374f7381b6f8097b5f
-
Filesize
105KB
MD5a0a885bd902a59309bbe4d7d08afada1
SHA10c11373f753c74e732f8a1efa433831298728697
SHA2567b5db936d7af2bb3bbfd6b44310f44806c21391a52a41e365acef4db9a18c8f0
SHA5126f7d1c55df83ca0b07411ba02518afb24cb16b2cb7b33f06690ac459e7839fad58e4c4d6668e5074f43d684f52d1d41a733c1000a1889e6410c3bcffa526bcf3
-
Filesize
166KB
MD52d7d760d12c63407e14cda933446a925
SHA1a2c54ef7712af725200b03d4611c9a5423c7d51b
SHA2566ea7301aee85d7093a288bf0edd902c55ecd51bf68ef3023e58be59b2d18b2f5
SHA512c26cc994c916e11826c8829ffe1be09ed119bc26741f2a3872e5b184a18718a20808e1b31dce8a6881d12a178b2499d4cd9f6e66e6b6c41d2d033c407d2b3397
-
Filesize
190KB
MD53817516fa4b7d564f18f9829e53785e4
SHA11765296800dd2accd19574a6853aef7b590052d7
SHA256503bf0cee99ef5bf8e682f0edef84ad992a17bf7497f243a376da0c78782072e
SHA512a6d849c8cbe97f6ca37ff68d636f603be94b74b845f1c45588548080e806fa16640728f5d1cd49b60ecb61b7ae1089c35c66329d84a46d97729aa33fbdf04f03
-
Filesize
167KB
MD5cb3ab0cc641f76a1338e3426fcbb6e65
SHA19543284b192d556f179dd3136af2a6aa4ff675c8
SHA25637d8ee37b8ef6ce5feb723301e01a30bc0bc0786b47f7a4e7b80cf2bdf8daddc
SHA512f6e72abe62c0f1011405371c54a2e1a3c007394dc57541ad92f4b639723f25263d917c5a1970e48a0d508116c16861b56cc74e85df4fdf36f625d4436796f577
-
Filesize
181KB
MD537f7cb712c5dcebb7323ca8b2d2cab1a
SHA185a7f91fcd3dccc166453daaef0592cd2ca4da84
SHA2567940c1e0286028bf9494124cfb73d3cf4e1b07c12ef3518d69880ab9873abfa5
SHA5125bb3dd69c364afb127d956e714ec1eb7785db00abb0703952998000fea48124f675e754102edcf78b442c95ca4ed18907f8b60e246cab24691d0831a0358868e
-
Filesize
186KB
MD51b111102646470c60cd87c54e54cf673
SHA1d1c595fa08fef2945732169570cffc998e338523
SHA256dc3f0bf603339cafdf9d2fa13c365e965d3510b91a8bd81909f865a928932c72
SHA5122c24a520263b0459ba9ab6fd4467e28fbe110d93b65f5b54376a01b3f7dd860698c01b1821b6c42f421739c2e0eb0fcec14fbff3fa04efefff79557291d2dbe8
-
Filesize
171KB
MD5f50aee71d45e1111071b837547c571a9
SHA10aacccfa94cccc7d15667b67998581d87f91e7ce
SHA256dc2ad380d11b3ade8e3a978ed9b14919dbee3d7a862d401afd05f4e7af7edba9
SHA5124a05e42e248e3195d19cdf90fef4544370d0b931fff5bb517ff23e07d5ed4ff06c5777a92253172b8278408bd9ccb67db5eae9c249365b437e17d4642ac98d58
-
Filesize
181KB
MD5689b30f69fd49881bd8663a7917baaf1
SHA17bf9140038bdb2fc29c149aff27c797e909483c4
SHA2566e8637e1d3a582443dd7dc10f19330dce6cc6e81f713003dfd313c412e317660
SHA512b1c62deb275dd7aeaf742911ddc84df243b177c83b11de205a828c7b0bd7ea1a00769bd90a68f9924f782a88fad2e707e55f2d9cea51ab2e753dbb7c733c9b86
-
Filesize
139KB
MD59872785924b0bfee19d53a02360e21a6
SHA1685a01bd978970a3767ed57072b53c3bf09c16b2
SHA25642af7e765ad8d32fd34805848ae7d9f5fd88ece6e6e2d8323662b13f05957be4
SHA5124f456145b194b1fb84396c1d261295f6b5654b5a70369bfc6196c2a2a7a3e617e772803b8ca32a35929cb79d628274ef314317858897337c447a26d44f18936c
-
Filesize
140KB
MD5e921801b4709002a02f040e62efd1d13
SHA152b6966daf7820543929d92f6a76c9a8403be3a2
SHA256e78888ec7e34a069b973fe9b58de35bc5653e5e21abeee783652616bc28df250
SHA51226881ba1babe252e1d2a689dc53dc4f6222ae9f5ec6f70f165c94e57f197ada866afdadbe85a14556827b57538e91224b13b3f55ec8dd9ec4892aedcd7045c37
-
Filesize
173KB
MD53cbc245ae6ac43416e9d1aeea2d7b8c3
SHA1a74d6cb2bbe39bb68c33a08090dbe98ad073307d
SHA256769febdc3975a3b4ec4a5563c22be979cae7133076c8afa8e1ba062ec6833b3b
SHA5126d80cbf7f9afe09927bc00d8dfcbe7e13d98b6e8ab3ab1d85cb5b6e7d732055adebafa77d78b343f262737d455d9c3dfb25aab2c731eafad44998d6e8ecaeb3f
-
Filesize
175KB
MD5f51afcd20f25e8fa2de4528b81a882fa
SHA1843d50510f302f31e37eca628e8570fc3abcf5ed
SHA256c44fa469725e49ffc5bb8d486f3ca1769449aff9a5ebda6f8a07cfaa6f17e2dc
SHA512a8a6bcc0f4e6ea83489a7720c1806156a44c04916a8fecec1e04c2aae95b2f6ed152d4b69f11cbbaf1f945dab9af95a0908d5edfac93c17dcf2d73a6619c0007
-
Filesize
181KB
MD5b3e807239496bb65d474ecbdb5c47cfd
SHA17a97af980b551a9b9d67b8221a6d17db2a7287cb
SHA256d38ae158e2793db855cccbb5fa25ed3827bb9649b5bc85bd58baa1e5c7a33f10
SHA512aa48035b8b60dd87d4e9929a8bb06fb1264d79c00d53d15af16154f51dd0330f17a015c0e5e7ae0552078d4f3d2068290712b5dd7bbf288da8b5546ef5735b30
-
Filesize
181KB
MD53dd1aff5f32c7ce5bcc48bf2b8a21e3b
SHA172debd0d534fda395006fb1e35514e9affa93961
SHA256881d1c6e9b0066bc5a30493e3e57095f6009279851faa1cdde49562f3237faf8
SHA512a5ff79c73c4e244c08d1cb7d800045b3b224abd4f190c36d8c5c7e450501596509fcf0ea63571b1f0458ca59c9f3f8748640ecd35271324b1e4b27ae9f26d4bc
-
Filesize
160KB
MD5101b80af5942bb2f209ff7068f1c01b7
SHA1c61bc0f243ff3d49271f26b04b48a97cf989ec3c
SHA2568e5b7b2125fbf8083f8f61f7a01c702705d0eb091643b741b62ada940c3aa590
SHA5123a88ad91279d32ebae4d1b8d5518e08f1b38cca3223046fac42114a81d74559e0dded2bd15fb51c732b86990a50e0c8e9d5167fdfc185777c94258131f55371e
-
Filesize
172KB
MD55badd3fa315f99b4d392217c6dfb1304
SHA1dbb19bb167be63756a3a3e3702706786aca95b11
SHA256b46a3ffb075bbf62e5a089e6b7201b1bfaf7007766ee2ca42df23e8335ccfe35
SHA512085928e249b4a76c2ca9db25b6eee726fcf1ca48ee763cda67c0d55dd4f176784d65c945586a959de026c5431894a06f179175966bc2284704b648da9eee60ec
-
Filesize
125KB
MD5ecafd0342fa496b1d2231db075c236f4
SHA196b3105154155c664edad936a4d8ff47b3ea9b16
SHA25667f39869db8a9adea6b1f99e3ab67bb41d546c9b131b3ff42037d41984f1a6ae
SHA512bdcab1bd0046379606610212b44a4e569aa0e356551ccc3728eb106068c26f640b3bba845a4730d65a53ab08f8386d08e07eb1c47a72de01c152f10dee4d5250
-
Filesize
126KB
MD52df399001bc6143544177816f4c7616e
SHA156008296936fb89a035d88639d0803375c92fef9
SHA256b961148869151e429a52704673040c17e10ddc68ca546b579fe6e784b7430362
SHA512cf17b73e696169552028c28bd0f2b5c0625f20b285038e27bacc2576f91f383a2ca2af04e79524f522bfeed93c248d9c652b0a5dc7b17cba90ba0813ac3dc501
-
Filesize
48B
MD5e3ed6b56431c68b53d22a4e2165070a1
SHA13af84337b0aa35e01be715f755d7eb3ffcdfb0a4
SHA256d50cdd0d55398b59de3dd351bdb0ad7c9efc1c5fba68071bd7aff1c172f55800
SHA51255847cb91f17966827a6eade96ced55a977f4e12f001eca491c50ec3014308f08f283927a690dbdb82d6da3dc6d47faa0a88b9ee91665c8c12fafd4b62ca7b92
-
Filesize
83KB
MD59f270bf4d266ca94ac454ace3920f45a
SHA15931e815cf5d46b17ad7852528642b7b97c7fbca
SHA25680859d612e14ac97c79a8dfa80ae2f519a461ddfdd0974745f786137d804df0d
SHA512e12e7b10c0627bd5a6257e1540f5a6d8fc3512169e6c7aa7ce545371134749f78a30a131fd8e376b9616fa42817ede14ad3227aa47f62689a0b4e06199fc79c8
-
Filesize
252B
MD52b0d8bd4e4f74a100ffa7ce59c5c5cc4
SHA1107e3edf99f66ccadba969287c08b00eef812a45
SHA256360745dec9e5f18e51981178619c7ee6819f2e1304cd6ecbecf8af81bd68dc3c
SHA5121a1209b329e55bc357f229645d0b13662e4c12ebe85e054b31181ae0d0c0742cfb2fa05f0f8b94ce62de56b20eba8e1262210f41231164533f7300cf5b5e8656
-
Filesize
926KB
MD5c2615c40c71447ddee879de57e61b571
SHA17d33836b45b5f943af2aa4075b5d751f0a60e1f2
SHA25649b24552baedd5a7a25cc4af132bd0e39e0fd4e711e9822a43ba01493ebeee1b
SHA512b16139556e29c9b84ebf14f8aebae8090fcdfbd09f7b207d0e3a76ca4865453d1aa374028ec577f6c98ccbc7ad666683747c34ecc798c7e49d4b85d1a911fcda
-
Filesize
10KB
MD538c47c5ded5dff9a2df75a9e4dd62673
SHA191a2ac29ff010eaf22f7c178843bf7aba47fe3cf
SHA256de784bf00bc5aaeb18c92ca62e6bce35a14bcace763b3d5cde99d04dd9736521
SHA512bbc082b0d9ef5ee4a2d259d4e6e5f73470dd0c113097b87cce5f8db1dbfa98e1fda1380de0edad2f68c1aadc571a54a64fe2773a8ae49ae10a78e3d9ee6aebca
-
Filesize
5.2MB
MD5aa4739fa6eb1b34d2d08cb9156b52a79
SHA1b5cd0be5e7a3cb0ccb0a5f6f1e55e2cd5186acf9
SHA25689cfe233fc7d95d1c3a84bf1f8bda6ce2c4f2ec065e67cd06c2ee899ed4e4cb3
SHA5122c5209e45bebee6dc7085226e4b37339a2476d6bd24d48954956ca5194463769c470d70f4fe62e8cba7cf4f45a912e933e154b2792a9d7a4f2c33c07ef1fd9ff
-
Filesize
421KB
MD57504ef0c48805c44104ffc5c9fbcb7e1
SHA18f17e722c35c37bc9f7be1289d51c28089bce22b
SHA2562c704c9674b20bccf98c072dc8295a02456229e4751552c8c638aae33860d87d
SHA512f1d3aa30cab6256f3c74a253ba65e3069aa4c51676f4034653422f7e80c01eb052defc2e6abecbdda9876113798b080685a324762e78c22336d4be1dad593f95
-
Filesize
1.5MB
MD56da089ee0a44935de7b206252599fb8e
SHA18f19cbad0bd04f3b8e82262433457251c71b4b3e
SHA25614913a1754f841e0752acf2779fedbdfa028f41e670271e27c7c6fa53d03f546
SHA512be8fd6bf979fba0976317a36abe5708924c2475acf43bd41c4bcb4cedf552025ff5a6c916f0f6a3de469b0aa7fe9cbc01968a3206487e1f21a0f432e25236963
-
Filesize
135KB
MD53d730e9b72167b4561c45fa91079ae12
SHA1279c88beb9b937eee762a8ee4bcfd5b6321ffea1
SHA25652825651c7bee27b598267216f2175250cf8392f90ce1bffa454dc9dcdfcd700
SHA5124af18ba1b36ba92073cf6449d62406e23f993b5e33fa370ca6c053cbd86c603e12c810bb866d0e1dd9adbcd1cb3697402d232c83f9c6106cb5a28c96a280a1df
-
Filesize
17KB
MD5f63d68e8205eb3c89a5d2e502a55c42e
SHA107bee8239b8f27c7b6ec12f9268e71099cca8e1b
SHA256e935d6887eef7448b9f68999251f6cdb48b33aa4b93c171a0386b93b56c2dba8
SHA5120b59ca7aca8b54ba3e2d32da8ffe131e85593f973f615c2db4b592463cdc9dedd6cccd231ed8bb6ddcf10bce7de4d1fc082d26eb16110f1dd88869a1d6a88e13
-
Filesize
38KB
MD532069920487bdc4ddec2609a05e4fa82
SHA105f4498014605619ef2829b17f3481a694ae4143
SHA2569e55caca8a8beec7f36dacbb008935c9a3f5795062782be35869987a09959f41
SHA5126e9b2c62eac97cdbd2fd97a18df0cf8e73025cc2e93eefe871f13f51b540ccae319ba71a2b49a3cb92e0b9f05cbcbd069d42c59df78a8ef838497fdb58312198
-
Filesize
51KB
MD51dbaa34b6bb338e158bc9f704017fef6
SHA1f3a7b5cb3bef2ab2515f4b1b1298aa9411cbd77f
SHA256643e46b45c69c181026ac93d93085ced28db10d344630aab4ba7ef26d82b1d31
SHA5121e2521561d3adfed2e231d735f253779b3d72d7f233c224b69c34a5d46fc859a0dc31ca6aa9d50ff1f6ae6b7edd704b254cbde62e5c5dab4ea0e8cb16b29882f
-
Filesize
460KB
MD5a7eb3189501717f805ce5ae1dcd69d24
SHA1c193eece854efb27a8f9c4212e320aad84d2b465
SHA25687e3c3348fe8eff35b4ca811e0f376a37eaa7830ab8801bf4fac9a9ca3abc7c9
SHA512d82160729b0a2f3f50c7dccce3eccff887286fec0cfb76a7a47aa5d9fd1505829d3c3fb0122bb3e5926fc8dfd66694bc840c67009a89d343e19fc83b6cd1f1a7
-
Filesize
27KB
MD59bd7a1f0bc584f2f53455ac9cb0d5d4b
SHA11b309ec0fceea17e5c3945e1cbbaef182e509ae1
SHA2568ee45bdf4c70b3c3305fcd478ccf4bccdad45a47f1fa420ddf34b86f0b1cb45b
SHA51275c75ab038987221ea3931bc4b390ec27d38075b2cb350edf74267aaa0f40ed10d5e464652afe9d76dad2ae0140bdd5ff119a7a2d492f9efef9093ebb5e7f4e9
-
Filesize
404KB
MD51969e2f3d37b72f6c047cb4c0a4ee073
SHA111f6a68c165832e841f167fcdfdf4e2cfe56e4ba
SHA256deedb015cda2f795aa5c1a7f156b72b2850d3672bdd6cb237997bc7bedd1ad10
SHA51266f3c780a3df2a447914737585bea7fd311a25820bfb9b60d93b324f2ac5162998315d6866315fb0d60fa9f371756061ee6f51f8b6d06303bace281e42f375c9
-
Filesize
27KB
MD54c38ccad7c2e6837d01a86c221280e81
SHA13a523730fb4fb5117b105259b68d11d17e3cddf5
SHA256d79e2e2ca702199d929e5b2c28f1338e672962f243b7ce408a092b4c52427d63
SHA5129a42fa4aec62830d716dd7a85b99f0c87b1853cd6827fd5dfaeafef5687a52572fbb4d713768fccaef19aae9dd82520545ee4f83fbf4d13d145fda8fc0cdabbb
-
Filesize
547KB
MD5d48bad84728e85872fecffa92129409c
SHA11946dbbfbc2ccff38c419a8bbccba82fe732e9f4
SHA256ea5c78cba84cf6cd0dcb19dbf2371f7c0b80bfe578667bec44a545de0e51757c
SHA512320b7836f67975c6340773fbb721f6e44ebe3e54555dcd7ef441162f486d83ab7ca33c016270342a63fb9711717ddca7eb9234f79a4a31d9511db74733ddb430
-
Filesize
5KB
MD55e604c0f93a3316361e530bb23e93eda
SHA16e139629f805fc119057dbe8d55161c991b71a31
SHA256c6102492dc65fcc038f64a3b80c7aa0b57fc658b751f42c7fa9c6a5545e90424
SHA51209f70012712d9a27f921ba7e5d04a837e8455ee50224958a76e040702a5845bf7a7d1ceaa5401ee1b216eb0141dfca1907b35a499f0cacb54edc07e2f63d5eb7
-
Filesize
11.5MB
MD539c74a7e9051cbe9b700bda2956d322a
SHA115cd4bd4fe75c903473f3e821dfd50dd48a10fd8
SHA2569a50ffa1a71e7c09d0ef498b0fe5543782e932746e7cedf0383dd7917ad56c46
SHA5124c38ebee5942f24a96916fdcee98d501bd1a7cd718a70bd04a61579a5a2d405a1fb9138ee85d734eeb6f00eb9831931119c1db625d37dd9fb28b7819663ed079
-
Filesize
2KB
MD5ec84045c8e7c214c91cc1a8d0b56647a
SHA1638b54a6571af97d5944e8ecaaa7dcc66c5f61d4
SHA256de9be9186220739dea04e21b28ea35579a5ae25f92565aac380b30dd8a1d6ce9
SHA5121783f855b4c92d5666e73cd9b867bec8f19584df2654743d4a43b720b00cdcc06d68b3dda87a76a35d875a6ca2324cfdcafb8ab29835f745744cd225c74be2aa
-
Filesize
3KB
MD52c8e30abf50aba648ea0213599787465
SHA10b926076f5dc8b556f6785f105d961b44e20640d
SHA256f5437e843685e62d483e270bb330cc7d984959f5916db57bf6b42ff95c37551e
SHA512744534b613199604087def30f8ce34c08852e9cc111875ee492ee2a3fd6253623da9d1532eebf278a733873ffb5f9def6e17edd81a74f4261568592a469aebaa
-
Filesize
3.3MB
MD51df021dd69480b012c943aee5215c3cf
SHA157b1a432e8a9b09e0dda5c83116a3fd058e28666
SHA2567c3a5d1899a955a01da39a253c2d57d4496956bafebbf5a730388a8fb592b223
SHA51268f2af4665199aebd725b3dc02913b20f0cb8a28fda623a9597fa962e55f3090c7ab593210540ae9683daeeb7bb85f159f55f457ae34a74c85db87f970103d8b
-
Filesize
542KB
MD507ac3e92e0ffd0b5b12f7ade2c310419
SHA17d54530f6641f7ae3b597a3f26139a40bcf5ce9b
SHA256401e9665ccaead776d966b9064e8fb1b51d6cf22b3b134e1515b750714fd6b98
SHA512149154a2d0d360475d6d78738f608a6d22f29605c126e7bddcee365d40a410ef0739feb5c17a1af32899543a34519d2183242968640e29df0e03346e6847c882
-
Filesize
676KB
MD568fda88259572d37d733b6a4c6449ce3
SHA1cb6af4c75e5948dd2f84a8e6ed40066497225293
SHA25657eb8e72bbad676b997fb9616e6e758ef4fbaba92b84735f5bfef5f81821cf3a
SHA5129557a831f31ce1eb74b36ed1b2d4157393f08eaefa26d92458d405413f818798022bcf7825799f985f0f3fc158d20239660f5c6624baf88a755bfea2777e3b0b
-
Filesize
288KB
MD53a802ee9d4110e8e34cf4ebc9e8eab10
SHA1fb11b28b2945b596e935eedb07b9a5fa9fddf400
SHA25671511a9a09cb6bead54635c287b9e3948aa1facc9f21432535561735db8d300a
SHA512ceca1606850475e51638f34280feb485f44f13ac7c098afb141593d195a8d826cc6bb2a70f912c8bb2a447f18c5c012bb0c9d440e620072dcc0500b765860d34
-
Filesize
1KB
MD5cdc3f2ae49f8653587425e0e260bca97
SHA19c96b7cbf934454e8397d9c146fe7f299861acbf
SHA256ad5893b23d96d34a6afa3500b3bcd623ae08c8dfbdac1fbbd662d45e0c5dbf4a
SHA5123dfd48a83fc7f43b7c29338fc07ab30c4c8dbdb41b9d0e5486e6484d6538060db36e4ac684d3c4c09351e2e6ec4afb6dc4d23d66ea9368bc5e10f6d0037b9827
-
Filesize
2KB
MD5bad62c9dc907b58a11ae57247a4191b9
SHA15dedce26714665d422811f4db7010bf3c372536c
SHA25676bcc4edbbebe044a052ca378d069e0714808f3d6a2ffbad5c86ab08b3869f11
SHA512ec8cb8e29a09bb29ef9630adceb22f4a6970e612cd337f10528ffad91ec0dc2990373ceeed8a30209b86f64e8c18478cf2c5d68cf05cdd62fef1cc0bd54a8539
-
Filesize
727B
MD5a414d8ea75af96664484d05fc040cba1
SHA1366fd2710fd1d392351892bc0f264149b460219a
SHA256b916246e235bdd911a045c0775369056e7c4654d069631e7caa0f10ca58f79cc
SHA512afaaea710005375ef7b440925bb43a9da840a859056f0b247e8d6d48123713eb093e592c5d416d6f8d6c456ff24cd99293eb253ae9aabef12984a88f7b7db562
-
Filesize
408B
MD5d97b186c4878b29db0c7ef74a3a8cbfc
SHA10cdd4e46c131bab2e9b07d266263971642bee64a
SHA25631ae40a6e38732501a2e57617a18ecd73658856d8f2baa10a11a12305dbb69d8
SHA5120445fc073bbe2bf71b86f1bceeaa0dca9757ed98f0b9464bd7413cf569c862895c25a3ac435598e92f7d3b02ba871f5170fa79ad3b5758c9c37eca40033da568
-
Filesize
152B
MD53ac8a713b13f0f6283ea9a2c1a4c2d28
SHA15bd0b4b84131db4f1b6c81caa3a478116909afa5
SHA256280949eaa8de7139b63367636abd71a092cf3d7b961407232f039ebca99677b9
SHA51287aef492d07428dace7b616f9f6a1c1443e64d2b840715d59c2ace4e6da60b3d65981311fa580070a41c5fdb0cade8c7c57ef4c8336241b2bf9b7b468385945e
-
Filesize
152B
MD573a1cbf12b5d7c41c27489d795c363a5
SHA1ad09060c80cb97ad6348aabc7d74f57b94fbf1e8
SHA2564805a3d151783e898e822a222472d47ec8e69c723efc915488dc08491e46a72c
SHA512d4cb770ccfe0b92b631ac26088e5c692f571efeba4fea31db0dd9d179ac4cdf7eddd8fe35abfe215ee5bcb96bdf671e53f646d7f53329d0bdd2411b7c25ce290
-
Filesize
152B
MD536ff1c7155b92c423c2d863fe8ac4d6a
SHA1b49119312c75f06dc2521ec10b273e873c85175e
SHA256e32caef76d7f9a2c8b04249c85130393fc365366d74c9e42ae0141b2f8f5ea4c
SHA5121835909782e4a511a4b493a7c090d950c6a76bb972e017640fbf39dacb8eea7b47fab9761da1146d1d1d1b141e6dcb8e1478d9b9eb667bd2f5b25bd3475dabfa
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
3KB
MD5085f11f3cb43d35cd9ced9ce67dabc31
SHA11db347426ff5e9d9bba783d8de26629416f5c186
SHA2562748623d40b82d77f956ebc80525c6718cc505ef53461eb56c975933077a8e44
SHA512addea77421d37a6f78e814c082b7980e8df5f05581b5e3809c47e8579abd02ba89d8a44863cf04ee534b782ade473791f4a658938d33d8fdda618e1995d9a6de
-
Filesize
1008B
MD541a9222b3638f6a452f1e6498825c1e0
SHA17683169d213f338f2e5c5271ce1d90079a511d1c
SHA256080f87ddb78b28445e9a26071c4504b89260034d7f82bb9a528d56dd206184f5
SHA51285161d13cc6f8383b6c10efaeffc5be0b5ca4b0c57bd912abab0e0efdba47932b6e08361a1611f12ef98ebfad59fcb8f76dc69321ef0fe9f9e66e2c72de9fe29
-
Filesize
1KB
MD50b9b49ef3e10e6e4061672bca915d05e
SHA1bed2ac1640112db035a57f1d05e817318df9ede6
SHA256f85ffebf23077a851227f5ff07d58de0001fa4c175f4da3cc2ddab0732987dbd
SHA512543314668f73f5b2f6523d39e96f53fa68bb6e50faa7ae22b96c5cb42b8fb1aca46b43c9333045789223b38928bcef28ea78d71f6c26be861a5117481b402a05
-
Filesize
1KB
MD57deaa1300ea82f3255bc002918076302
SHA1908ad6b99143111b12bed8fa763f3a6e9346fb18
SHA2565e995c7e590ea794eaea991e2233e5f9237ac50ce8b27f90fd088d1b436e5bca
SHA5123cb6bd49dcb66932d430c3e72750c495a76507117fd8f8c2b5014801657bc93ca1dd142eebdb84aaa6c1c0464a8c367c8961c66b6acffca62b698d2f0607cfc7
-
Filesize
5KB
MD5914877bbc875e8ba8f94485143866502
SHA19a3ec84fa3af920badf9a1885d77156ae5749a44
SHA2567a2081b4cbc30f5e496da882651f0ea519c6ec2c5e31865a472576d3b7743592
SHA5127d7618fe034914b7613f11abfe9171a4f0f513c1c69b21f7722d95bdc8ae4e10360f86b5ca36daf1d6de773e7b834d597feee0b6c80d19e15f51949869ec3404
-
Filesize
7KB
MD5d4c4427709af7f504d5011a67ea9e405
SHA1f03e8a21fc3f7c6ff6ba469cf1fb172860c2f1b5
SHA2565d892719950032d3813aef2f810f60c3151e3b34524b883e13792dec44f8c60a
SHA5124b2e4a6342e718e522a31b70c891d0b8ca638a799061cb3c3522ca1ccb00980f2d783af79fd709736ae8880572f413c458781f3908202880cc62b3615addf7e0
-
Filesize
6KB
MD5eb6a56b4613687647bf928c383de0136
SHA168e90e78818002ff67c32d103aaecc1360f583a9
SHA2567b1d6c27d2f407dc8e0265115ce1ac6c5ce7ba58ad8ac990a607d2a56392678f
SHA512a3f0072b75dae1c787b78eafc92391e20d3dd1c36c650cb26302a79a7aed51a7034724a97fb841585b62252f4cb110d97b45b7b0beabb130548c0c7ff166dd5d
-
Filesize
6KB
MD529ec481660e5e1c090e0c57d9854ea10
SHA1210d642d673832c9e5d51d393da0657e51ec1a51
SHA2566ba67f16a1435836d1be2bd8a71d592b8601f4fcf9a2ba91bc06ac0305ecbc72
SHA5124d8b681dc62822e36295262288f7e81b5c83567254222ea46c0febac42a83c768f6473816beb031409848a3edcd171e0d808997ffb8d8c62d3c6bc92b66db0a5
-
Filesize
6KB
MD526cdbcbf6501250e4065096e791326ff
SHA1a9f2f616f7158d0101ecc0f566b33debb3560871
SHA256a3a231c239c5bdd2b6b6da3206c4920dc8aabef69fcc8e941d1ffa9fbffc9631
SHA5121fd20d80f6bb7cc4ec390f6fa0b4839e63b4ed7e7299f3d0dbfc3fafc7707c5df503e11ad656428949f5ed78dcb171d11466f7dca267e4dd4abed2d734708555
-
Filesize
7KB
MD50869e116d27ca770fd3735edc038f924
SHA17eed5a155519f97ee0eed954394f50b316fc1f1f
SHA25616ad78e820ae3e1de0076ebe9275b97e81242aa5df82a2669feb2c630b950bfa
SHA5120053b52583725518100691d799b558629c59ed47ca6892f18d8be7fbc5d479709ac6f3078f2ef2dae81b62b07cc8eacc78096ba004e1db1ce674ef4918f6ff58
-
Filesize
6KB
MD5a7a6d5c176b66ee18604f7d69e320314
SHA1b52c20db12d3f7af705ce98cc39f04846a03e268
SHA25680fff6427b4c82c497132bef823e045c91a4880e663e9b1a22d15c703791505b
SHA512901c3cfb264cc4f2f2c7106bfbf82e39fc3da810cef61edc5a8305c57f7483454a2b3107c5eeac164de9ca0465bbc9f55baa6ccff13d7ab83abe58315f87f231
-
Filesize
6KB
MD59919fc1ba68e745e182a65fc5a4f5971
SHA12b9f3b264f31669c6f04de85163513692cfc22e1
SHA256a3400743c2b846bc51763a03f1110be19a2985b307f7d1cf2274b02e4dea2993
SHA512ac0eb132faf48488f485e549438e4cf16e98436fc9b7a547452ea1ecac503c45e90eca22e723b1cccb7309b44a38acfce1f35685f921d9d1e9901d243cbbde9f
-
Filesize
1KB
MD562dad9a74ae52e1636ae1ff05c892e71
SHA1c23228301363c296507bd9f7e564dfa907d0e25d
SHA256c7e61694e812e5a17895f24e43a5f7a3367e930b472336ddb927b41de158d873
SHA512da9735f3dba5c66a047207d2807bd997a615b1794e3d7b4afcde1c02005b4f8ad9cdc9ed0cb55eb4f2de0cb1475cee3ee7a829f6c7cf1610ec7ec87eb9de7430
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5083ab23ef001f76cf16fca20d4cc0fa4
SHA1def1d05a2217e4c1fa6d397bca7b4a856294c812
SHA25693337a4d4869c897d00b19a6d1b538408c53c138c0c49eadf560b6d393fe2bee
SHA51210f6ed80cf8758d0a044d3a423e7006759c7888327bf0e11d525b1c95e8594ef24596a36935c91072576fbb652016039fdf80bdfb8080aac1f7c7e4ba887ba1c
-
Filesize
10KB
MD5340931b513c27168a074dd70b52a276b
SHA164b6def169ba67b3eeb85443aac5c6878026f362
SHA256d69c9eeded73de7e4ee54cab03b30c1195621a3bf8ac24e0fd2661c242bea36f
SHA512a0c36ede3f7cc23b978a043aa468556d48d89c300ee0c3a814395f71ea7bd53c278443509ed9fb06ac5e3b74d55ba69ab17ac2b90582a0ded1d9191915e796ba
-
Filesize
10KB
MD57b40cc56c756bf362e8b0fe413da227a
SHA1089e0fe85b4b17cc8e898835d87a374f7b23202e
SHA256f597da4f78109142bc8946ea377ba59cad51aa14574f54b9895d8756869308ef
SHA51223183ab69757de8cd4b396883e23a63dab0181b54b65db2dbff1f2a0c333f720fc4f12f11ca6002d637656521ceb3cab7529504fd7030f3348b9bb1d73242447
-
Filesize
10KB
MD5f7028bae639f0f5839f719af7334e273
SHA107f97242bdddd414700f28815d1f5409a4de4ae1
SHA2565016083314427e46ca429e07857ee0480f6c22ab9cd720aae8c5fe3a1c9bdf90
SHA5126ca864fdccc2c15c89c06922fe596b2a61da047547b29af5a39a1df366c2efa1433b716f0d984fbb27916209ca4b0b0c383daa7d0fd3dbb5e68471390153caff
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1.2MB
MD58c1e918c189b1bcf512c22a61dfa5fab
SHA134ca4995996c21d7a06c1e9ca64f7e83e5a8eb4a
SHA25600435bc1b25f7df49d1dc6559a8a77bc9d81eb3a437ee40e069da2f18e38e677
SHA512c32120737352bbbafd16612bba48eb9d3f242fc3c5273305fd566bfeac56f12e117a2696d5be39b5d2d29d2ee25931dab87776bc454a3a927dd639e014ce2d1b
-
Filesize
1.7MB
MD5e14905188b05532183c5edb95ecf5dd5
SHA1404305b55724a385e1531033f39f5a12dfb254f9
SHA256b4e77fda37e556b7b1e9910534d3f6339ff9debd82ccf0f59fdedc02c40b8cc5
SHA512700737c76102d8d5d6cf83889fd6a41adddca0e4aa644387dded11dbb173474e98488355b343c0ea3ed7ed123c7cdeb9366b5c98daeb81f7f5e08304be039655
-
Filesize
7.4MB
MD55f270672a29bfd77f46f7f3851df7ddd
SHA170be74d0a7e5a523d5d0ffc34c0aa234cee92864
SHA256e7f54a2626c734599c70bd04f25006b21f382569e00da1fb2f046ef3bde940ac
SHA512b5c79bbf3349689d2d00c86e5eea908bdc24317b9a495edf25b275ab822e1a832c2a69243dedf26c18d24249009afa26440e0cd95af72af7b3a8eb16b087c85a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
824KB
-
Filesize
24KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
152KB
-
Filesize
224KB
-
Filesize
40KB
-
Filesize
712KB
-
Filesize
752KB
-
Filesize
40KB
-
Filesize
1.3MB
-
Filesize
544KB
-
Filesize
304KB
-
Filesize
1.2MB
-
Filesize
368KB
-
Filesize
1.2MB
-
Filesize
560KB
-
Filesize
3.0MB
-
Filesize
248KB
-
Filesize
96KB
-
Filesize
32KB
-
Filesize
424KB
-
Filesize
136KB
-
Filesize
1.5MB
-
Filesize
256KB
-
Filesize
472KB
-
Filesize
11.5MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
936KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
1.3MB
-
Filesize
32KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
