Analysis
-
max time kernel
905s -
max time network
777s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
12/11/2024, 11:39
Static task
static1
Behavioral task
behavioral1
Sample
AfinionSpace.zip
Resource
win11-20241007-en
General
-
Target
AfinionSpace.zip
-
Size
32.5MB
-
MD5
058995d9a15d6573082b6b3d41307874
-
SHA1
0629e1dcdb071095d749d684a769411996833b57
-
SHA256
7ce87873e4c97dff6d65e238cec88caff8780ac8edd9d264ce55b33498d27a9a
-
SHA512
8132e29ce2af7cc97993319e2d998ac83c393ae37eecd8aedaee1ba6a4cdc6583ee12b8dc71c22272b6c7f4fc1dbf4856ec50c30841297d845d7d9f2d2aac7c3
-
SSDEEP
786432:lQG1UexEkLuBoFO2EF4tp6nRf+68OBqCzRx7C:lQm5DiwsRfz1qgx7C
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
pid Process
2656 CentralArabic.exe
1424 Lolita.pif
560 CentralArabic.exe
232 Lolita.pif
3544 CentralArabic.exe
1604 Lolita.pif
4624 CentralArabic.exe
3508 Lolita.pif
2092 Lolita.pif
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
pid Process
3048 tasklist.exe
4040 tasklist.exe
1492 tasklist.exe
3408 tasklist.exe
4532 tasklist.exe
3928 tasklist.exe
420 tasklist.exe
4664 tasklist.exe
3256 tasklist.exe
2460 tasklist.exe
-
Drops file in Windows directory 20 IoCs
description ioc Process
File opened for modification C:\Windows\ExtractionPart CentralArabic.exe
File opened for modification C:\Windows\BedsGeneration CentralArabic.exe
File opened for modification C:\Windows\SpermCommitments CentralArabic.exe
File opened for modification C:\Windows\NavigateCreator CentralArabic.exe
File opened for modification C:\Windows\ExtractionPart CentralArabic.exe
File opened for modification C:\Windows\SpermCommitments CentralArabic.exe
File opened for modification C:\Windows\TrialsTales CentralArabic.exe
File opened for modification C:\Windows\NavigateCreator CentralArabic.exe
File opened for modification C:\Windows\SpermCommitments CentralArabic.exe
File opened for modification C:\Windows\NavigateCreator CentralArabic.exe
File opened for modification C:\Windows\TrialsTales CentralArabic.exe
File opened for modification C:\Windows\TrialsTales CentralArabic.exe
File opened for modification C:\Windows\BedsGeneration CentralArabic.exe
File opened for modification C:\Windows\ExtractionPart CentralArabic.exe
File opened for modification C:\Windows\SpermCommitments CentralArabic.exe
File opened for modification C:\Windows\NavigateCreator CentralArabic.exe
File opened for modification C:\Windows\ExtractionPart CentralArabic.exe
File opened for modification C:\Windows\BedsGeneration CentralArabic.exe
File opened for modification C:\Windows\TrialsTales CentralArabic.exe
File opened for modification C:\Windows\BedsGeneration CentralArabic.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe
-
Modifies registry class 39 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4892 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1716 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4840 osk.exe 1316 taskmgr.exe 5004 osk.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeRestorePrivilege 3568 7zFM.exe
Token: 35 3568 7zFM.exe
Token: SeSecurityPrivilege 3568 7zFM.exe
Token: 33 3088 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3088 AUDIODG.EXE
Token: SeDebugPrivilege 3928 tasklist.exe
Token: SeDebugPrivilege 420 tasklist.exe
Token: SeShutdownPrivilege 716 control.exe
Token: SeCreatePagefilePrivilege 716 control.exe
Token: SeDebugPrivilege 1316 taskmgr.exe
Token: SeSystemProfilePrivilege 1316 taskmgr.exe
Token: SeCreateGlobalPrivilege 1316 taskmgr.exe
Token: SeDebugPrivilege 4664 tasklist.exe
Token: SeDebugPrivilege 3256 tasklist.exe
Token: SeDebugPrivilege 3048 tasklist.exe
Token: SeDebugPrivilege 4040 tasklist.exe
Token: SeDebugPrivilege 1492 tasklist.exe
Token: SeDebugPrivilege 3408 tasklist.exe
Token: SeSecurityPrivilege 1316 taskmgr.exe
Token: SeTakeOwnershipPrivilege 1316 taskmgr.exe
Token: 33 4616 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4616 AUDIODG.EXE
Token: SeDebugPrivilege 4532 tasklist.exe
Token: SeDebugPrivilege 2460 tasklist.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AfinionSpace.zip" 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3568
-
C:\Windows\system32\osk.exe "C:\Windows\system32\osk.exe" 1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4840
-
C:\Windows\system32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13 1⤵
- Modifies registry class
PID:3588
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
C:\Users\Admin\Desktop\CentralArabic.exe "C:\Users\Admin\Desktop\CentralArabic.exe" 1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" 3⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:420
-
-
C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" 3⤵
- System Location Discovery: System Language Discovery
PID:1052
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c md 184505 3⤵
- System Location Discovery: System Language Discovery
PID:5052
-
-
C:\Windows\SysWOW64\findstr.exe findstr /V "InspirationAspectsCPacks" Shades 3⤵
- System Location Discovery: System Language Discovery
PID:4600
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E 3⤵
- System Location Discovery: System Language Discovery
PID:4656
-
-
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif Lolita.pif E 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1424
-
-
C:\Windows\SysWOW64\choice.exe choice /d y /t 5 3⤵
- System Location Discovery: System Language Discovery
PID:4976
-
-
-
C:\Windows\system32\control.exe "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools 1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:716
-
C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} 1⤵
- System Location Discovery: System Language Discovery
PID:2436
-
C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding 1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /7 2⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316
-
-
C:\Users\Admin\Desktop\CentralArabic.exe "C:\Users\Admin\Desktop\CentralArabic.exe" 1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" 3⤵
- System Location Discovery: System Language Discovery
PID:1184
-
-
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3256
-
-
C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" 3⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c md 184505 3⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
C:\Windows\SysWOW64\findstr.exe findstr /V "InspirationAspectsCPacks" Shades 3⤵
- System Location Discovery: System Language Discovery
PID:992
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E 3⤵
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif Lolita.pif E 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:232
-
-
C:\Windows\SysWOW64\choice.exe choice /d y /t 5 3⤵
- System Location Discovery: System Language Discovery
PID:4784
-
-
-
C:\Users\Admin\Desktop\CentralArabic.exe "C:\Users\Admin\Desktop\CentralArabic.exe" 1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd 2⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" 3⤵
- System Location Discovery: System Language Discovery
PID:4644
-
-
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" 3⤵
- System Location Discovery: System Language Discovery
PID:3364
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c md 184505 3⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E 3⤵
- System Location Discovery: System Language Discovery
PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif Lolita.pif E 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:1604
-
-
C:\Windows\SysWOW64\choice.exe choice /d y /t 5 3⤵
- System Location Discovery: System Language Discovery
PID:5084
-
-
-
C:\Users\Admin\Desktop\CentralArabic.exe "C:\Users\Admin\Desktop\CentralArabic.exe" 1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd 2⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" 3⤵
- System Location Discovery: System Language Discovery
PID:648
-
-
C:\Windows\SysWOW64\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" 3⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c md 184505 3⤵
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Windows\SysWOW64\findstr.exe findstr /V "InspirationAspectsCPacks" Shades 3⤵
- System Location Discovery: System Language Discovery
PID:4900
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E 3⤵
- System Location Discovery: System Language Discovery
PID:1412
-
-
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif Lolita.pif E 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3508
-
-
C:\Windows\SysWOW64\choice.exe choice /d y /t 5 3⤵
- System Location Discovery: System Language Discovery
PID:1020
-
-
-
C:\Windows\system32\osk.exe "C:\Windows\system32\osk.exe" 1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5004
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵ PID:752
-
C:\Windows\System32\NOTEPAD.EXE "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd 1⤵
- Opens file in notepad (likely ransom note)
PID:4892
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd" " 1⤵ PID:4668
-
C:\Windows\system32\tasklist.exe tasklist 2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\system32\findstr.exe findstr /I "wrsa opssvc" 2⤵ PID:1656
-
-
C:\Windows\system32\tasklist.exe tasklist 2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\system32\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" 2⤵ PID:384
-
-
C:\Windows\system32\cmd.exe cmd /c md 184505 2⤵ PID:4000
-
-
C:\Windows\system32\findstr.exe findstr /V "InspirationAspectsCPacks" Shades 2⤵ PID:3956
-
-
C:\Windows\system32\cmd.exe cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E 2⤵ PID:2932
-
-
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif Lolita.pif E 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092
-
-
C:\Windows\system32\choice.exe choice /d y /t 5 2⤵ PID:4908
-
-
C:\Windows\System32\6dmwvd.exe "C:\Windows\System32\6dmwvd.exe" C:\Windows\System32\aadauthhelper.dll C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll 1⤵ PID:3412
-
C:\Windows\System32\6dmwvd.exe "C:\Windows\System32\6dmwvd.exe" 1⤵ PID:3684
-
C:\Windows\System32\DataExchangeHost.exe C:\Windows\System32\DataExchangeHost.exe -Embedding 1⤵ PID:4316
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7f141080-da94-4c0f-ad25-abb98d2f0825.down_data
Filesize: 555KB