Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
284s -
max time network
287s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
24/01/2025, 18:29
General
-
Target
https://github.com/imperiska/lekers/blob/main/bobpaertw.exe
Malware Config
Extracted
vidar
https://t.me/sc1phell
https://steamcommunity.com/profiles/76561199819539662
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Extracted
lumma
https://kitestarepatt.click/api
https://toppyneedus.biz/api
Signatures
-
Detect Vidar Stealer 3 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload 1 IoCs
-
Meduza family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 50 IoCs
-
NTFS ADS 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/imperiska/lekers/blob/main/bobpaertw.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff8537c46f8,0x7ff8537c4708,0x7ff8537c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d7115460,0x7ff6d7115470,0x7ff6d71154803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5780 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7476 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3820 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6208 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4446666861570255616,10737174662607335824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\bobpaertw.exe"C:\Users\Admin\Downloads\bobpaertw.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\otyhojpsedfjk.exe"C:\Users\Admin\Downloads\otyhojpsedfjk.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\Downloads\noyjhoadw.exe"C:\Users\Admin\Downloads\noyjhoadw.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\nyoihjkawd.exe"C:\Users\Admin\Downloads\nyoihjkawd.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\Downloads\uthjasjedf.exe"C:\Users\Admin\Downloads\uthjasjedf.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\ProgramData\GoogleUP\Chrome\Updater.exeC:\ProgramData\GoogleUP\Chrome\Updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d4bc32eb841f2b788106b7b5a44c13f4
SHA127868013e809484e5ac5cb21ee306b919ee0916e
SHA256051cdf1896c2091e9ff822c2118fda400e2de25ee323e856bf9eb0c64c7a7257
SHA5127a4963ea09832503179642ee750b1c8024373c66b4fce2bd316b782d1fc670c1c77cdb31f9316b34c78b6f3f1c99d90fb50e0500b72f4a647adf7653c44d242b
-
Filesize
152B
MD5c8eb7d84aaea5c0c37cdce43d1ad96dd
SHA10a27d004b734e4c486372c6888111b813e806811
SHA25627ec491fe2b7f0eb567a44deb50c74408376ff3addf6c88a2b1060adc4a5976e
SHA512f39070a20583f7ff33b7b3c0e97c08da2a3ff36049e256bbe0d0031bf15579c6d9c3da8d1f9daac1073519b648a1d005a8fa195ee2232b2962516e9aa14dac3f
-
Filesize
20KB
MD5edff034579e7216cec4f17c4a25dc896
SHA1ceb81b5abec4f8c57082a3ae7662a73edf40259f
SHA2565da4c64f6c1ff595779a560e215cd2511e21823b4e35d88f3ba90270d9244882
SHA512ab2dcd1628a0d0cadf82eebd123526979e8cf0a2a62f08f1169d4c03b567eca705bd05a36e5ffa4f6c3df393753b03e3daa18122955dde08fd8e5b248694e810
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
32KB
MD51f141e4097306b6426499335f3fd0845
SHA1ae58db70b3a5c649eed2d3416202c5b33409d28c
SHA2569b4ed803cbac8d9320140c6b5daf14661b865a22787034737816e375b0fc182d
SHA5124923eb24be77cfa64468dc990085ea17247ff32b074f34c3a87ef50bbcf6316927f2527f85d122e61dd3747e114e7e07216c1cadc0bfff475a7ae39113864419
-
Filesize
51KB
MD5ced352553fc5d6112e84684d4dc6d6ef
SHA1c8126a8c71e9207082e8d9c5f970be0eb1531f9b
SHA256b502852e3cb9a0c47b1b333a22465948942a60a1428701fc4c269cf6794fd330
SHA512457845ca26c87a95bf98965f56a7c1fd443362d53562a00448ae4c70f6a08dad3e9055b75b7e2fb76c5d1b0563c5965c156efb4e7494679d6676112f6a4818bc
-
Filesize
49KB
MD51b826898f22699b82093d2a379eb6925
SHA1efc22651c035173392cc36e528bcc61b44d713d1
SHA256d313c1bd2f9c32e1374d9ea3fb688bd7635acc6429e14319ce60fb4d363f1cb0
SHA5123fe396fdee8d85d94644f438cf12719e7d0be394725058da3611d2cfe2d11e448c9a9b8909d78501b3d57eaeee5fdaa7befd4ccc1ad0fd8e7396e5a98e598bf7
-
Filesize
28KB
MD51752326ce45c039f4c5e81ea24c27c35
SHA14a22a9151c3c94d170cd3d23659e8e1a5a6f0070
SHA25613dac981c708b9d1c6d7be7666ab5ff34718fe7d1362428217e88c75530774ad
SHA5127ca5eb8b11184b97b7ecfed373420f7b9926839edcd36ea6bcc37a09190478175c49d7cfdb6dcbf1ecc8f2570feec9a0ac8aae08442fddef7986330043ff2d08
-
Filesize
3KB
MD580adc62d8e22de847071734cd2c4ca2d
SHA175cd3cef1a1b896114c8634b4d51d4552e9d135d
SHA2563791ad2094e6335c1929b77033bf9f70a26b28e66ab58429382a340eb0b17c1b
SHA51257b3e7bbc1ab3027cf7a35a680589682bb7d6c9c8dcf4bd986b2d9d8301d78104db2d202610667cea2823e0d79991f7c4f8510ce740cc5946105efcf04453c54
-
Filesize
3KB
MD5624a2b3c64a6b107784a8c5e2a5ec51a
SHA1ababb418deb34450f9dc982648d9780adb798c20
SHA25682429d9b90c7ee3467a4f8c06c262f38b677f89670b8170584d5f094235b0ca4
SHA5123f60c3641caa3418e87f2a0839edf304a42b9a0dcf80215b041fb39717d8ebb2b7b015a4f317cd973d5240df620e4e824d7a6515b71b470e0b37c731e386b9d5
-
Filesize
3KB
MD5173ef8f9655aadad713622ad997bca44
SHA1087997547b7e4beea245f1e329ee7de525ce9047
SHA256f7831b92999b088ce44063b6a76a6234283bd1cce01c9f9f671edd034180daea
SHA5124a3933c4178f7dfa9113c3176292943e8ddd804c67280c980cde5ecca3395737fd73658eacfe3e59a41c190c6b7fe3bc13e2690817c609fca4983078997c9e02
-
Filesize
48B
MD554ecb5d42c1d81fbb956d3c573be0ea5
SHA185b0e18980edccef010b82291ae79a4b3bfdbded
SHA25682a91cbd4e2c7133696e6dd0790e1130633472de35b58d42e0f9a3c93ca36c98
SHA5121bc7d2eb21fc1975408e56f0e2b29dde0fa09793c93cba3b4aa7726bcf6261c8297dddcb26041be2ea5918c823b54bdac389c1f0a57ba72cec3c0acc67166227
-
Filesize
32KB
MD50c5088004a84b091d0f2b24b265d8ce4
SHA1890653b324b30de569aebb55c691abab83e79236
SHA256395e6e8625d2f4d552012117e3ecd59e7f95c0fcffb412cee999bdd56f19f23e
SHA512a3966c2b35c98dbf5e66d9660bcf8cd8c6706155122d0cc4ee8aca2bfeedda4e1cf40a418cfb422ffe2b11d5df023b3b634053bb1aa2d97fa821ca55e0fe699e
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
124KB
MD5cc6533ea87b3a3b26dbdd5d1c22c14b7
SHA1b90b89ebc7e085f4b6b83605a3f557112fc1bf7c
SHA2568ca0203b7e3c865864996144d6f391c074e7190b719bdc684fa6e9f7843ca1a5
SHA512081cfd904a3cd9ab0a34dc7f5e6248b6ca26d8eb28910bd0d53cd85b3e39fb122532d4c31f267f520362737d1fb4cc01b6e440c27cf4b026a04619b74f28a480
-
Filesize
11KB
MD5166c0cf54ba5098b1292231c9c2100da
SHA13bba319421ead1847c1a10c55cf5e9e9e18aaa91
SHA256d177176faeb24e512574072e81ac0a9659c52394c516a7d66055c97ffba470c7
SHA51255821e69b6ec7d30c1ee1406c2595047f3f4a4b9d357bfd84839a2a4a3d6d9fa52216ed0b21f8ac65685b073b164f2150dad717dc0b58763fab5e8681def8437
-
Filesize
293B
MD5b732397fa17d512cbe62d5b5b3851884
SHA197d079c13f19bb62250497e434924031f880a69e
SHA2568e52b385be6ebeebee46edc6e8cd635afc7e97fc6adaa5f0b16a72ab1b8954bc
SHA512c158b47004eb543ebad77b8f47276e4a02596e8a57158a771d795c75dc7b08cf305a3cdb55e60b5c25e4930f884c88c831f0e0b84917fea587ff78a4db8c8f2c
-
Filesize
2KB
MD54f7fe2dc336ebfc52f6c8f9238e70500
SHA1ffa1efb163e9119680a6e709c0a52a07853b5222
SHA256eba5b7884ccd9d73102d83497a5d5ca0010ac9358ff17d5907b02217c7dd3393
SHA512aceb24f2f3f2d59f5c15ac86f0050c1b4ac12180166448d61a732f0639c12227acfb7f7261eb51a834c19fd847118376d9f5fef8c71d54834f55217b7b4bd3a5
-
Filesize
2KB
MD58227ec18fbcac8e40005ab67aa6f61fc
SHA1417bf04d038b43a016dd4438bfe5aedc641be25e
SHA2563a2dc587f48f59efde7986f1ede7f9d476b9f31010429e3f018ad4733dae7505
SHA51256703ef3c645459f4b85b52cfd72c156d01b580fb36611ea800955f55c076a9ca4bae7cf24c392e427dbffccbc3b0e8477f5a7114f153938d287eb3e7767f919
-
Filesize
2KB
MD5c8a41bf0555e3913bfcc44f2368e6665
SHA1ab37e4cc3c5115c6d5cadd4344f3c8360d5c0781
SHA256650a2fb49a05487c67d9708166e0874a0dbc2d6936e2d7690ded3a7b47eb5274
SHA512493d80c23c66383e3577f011dce2e9407b1d5411b6c02f8a0fa2995a906dc44aa56d76b25265e56325065427ba01907ab52281afa5962339cca67e57f0761d74
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
8KB
MD55b034869c3007c4a09b571fc74355901
SHA1a8297a84b38bb408af943eeac7f10799bb93cfc1
SHA256313ab301d73abe334c4479c300acf712440108db7eaecc477ddb626b5cd2388f
SHA512e595332bf6fac3cac5986ba3f3659e1240409d93a10f8abe7f718937996409015341e5bb9277a65060f129b8312ded2e149a1dc4be98bd525e746371b14155bd
-
Filesize
5KB
MD57328b8e1c8730edc9b9dd8bb906534cf
SHA1573a4c69bb8c012bf425381dab32594a8d7928b0
SHA2560651fcc90ab2f7ef8e389de0f9bd5b36709448525391deeccd14a0ad52069eb2
SHA5126a2fae8aa7e92aefdece6e5af00273c08930437c55be8a4ea69e3379315fc21f460008a35bf2b6c376eae5a49be0dfbdbd37aaafe82653c2d7c681275ae43444
-
Filesize
7KB
MD5fd8d733216229ba010962176c3a059da
SHA1bfac0247aab67aae077b1832c39592189c89639a
SHA256e93e5dd5d697c637d05488d28015db996e3edbf407098c592e4b39f3a5c001eb
SHA512e7d2b3303d1efe01caf1b39fc9d8a197a0c1947c37693991362a579120e87b25b14eb1d578cdef91b99c74593fb722dd6da6284e7a69976e83120ddcf5404615
-
Filesize
8KB
MD53d21ad5678b4ef9bb7f2d39777ab1c4e
SHA15ec0456097d4a8c71677ed161c7dc3de31ee8883
SHA256cc8f7b1b701bc435268d8f825d31e4a18a3f9da888c33364029850a67a52b14f
SHA512b0396195190e83ec61faa2454011e6d83dd6e8611d2e10661a1d65ca2348c36aab6dbc1d7df79762b4b6102867335eadfb534bf9b8535dccc4ccf2d8c3b36b72
-
Filesize
5KB
MD54e0d772f16e32cfa7baf71aba11f5542
SHA1fbe770756d560fbf8ebe1939aa1e67029ad944aa
SHA25694b03dcf5a59f3575b4d2927e2b1dbbd3f1fc031546df02b892e3bdffc11cc0e
SHA512e418500cb777c8bf8c249d177765c313e552264958e26976d0922fc7337fc22aa1ba3b504ce2088b1b5bb82a3149d0fbe067a643bb078a1af1661dc9b87cc6e5
-
Filesize
6KB
MD5a2a743eb315d62130b399772566ecb91
SHA1f4a4f7cdf7da9ed78fdd730383558b08cf8b02e1
SHA256008be67c1ad274cb55b6772214fd911547a6df7085f2c8f4e7bc5639c0066eaf
SHA512b23a073e6db45e9eb8436c22554ef99d93327d373e90ca982e6537d6b5b3b0f83dc8cfbf167189cb5f29c1fef28ff80cad5369feed75f7f317da1a50ac476a24
-
Filesize
24KB
MD56338e51cf2d1cb4bfea21c7d81cb3dc3
SHA10049d2863f309423d889fed141ef1f146246ac82
SHA2562636a794e74289532973b8f1f9c62a0009520dad49951c956dceba846835e0ac
SHA512ffcbb8f086de4ca9b51f2a86ff75f283afd9a08ba7fdfc16b119f4b80e452579fed0c7d5eb02cda11e6d7c6762ca8d5a1e542e90e106020f530d755933fb3ea2
-
Filesize
24KB
MD5b321aef296129848c0c2c5c77ee69951
SHA1402afa01ec8a6990a78514994f9648aedead5817
SHA256e44d575c1dfcf221b68c84c2cf1d4f1bea45a7e32cd8010228acff6120daff1f
SHA512cbb689d400fceb2f59d67e9e9d28007d2bb7562cf18f806420a9adbb08e0be5825153a44d4199ed03fc8e87311c2f5d4ab9aec5f3667984572070487475e8642
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD52b8e9d20a536b04a10cc4a5149d00432
SHA14a75f062d3d19a9024b896a281631308c9f7443f
SHA256dba094869f5de2b5d7697155c908e5ab44578a62368e419a5b15bf740e32711b
SHA5128df0a591af134c05342a98dd2f94a8ef088158b88c39bf9f5369c73368bbd33821f454bf1b012ed1df055928310edd34fb53f829bc84bf8b24a803a41a217da4
-
Filesize
1KB
MD5f20e2fedc68b3dda429749c6482d1f89
SHA1de7ae3a6134f8fe1954ccb815f863f4485563bf0
SHA25667f1bff828882ec58538285c6593dc63a3cb51c0a912cf949d02eb26accb620c
SHA51287f89fe672f55a1a1d5d5262fc07ddc79f534d78716e6159ca375a470f552c6bb1d425c0d789db6e6a57ed39579bf04db083afaafe1d59353d88b958a5df7e8d
-
Filesize
1KB
MD5d4996dc23caabfc459512922c5419351
SHA178c75b8499eee07f2377ff97db63ad2cbded2a0f
SHA256426929f49eea8b6a50b88995ba6b4f0da035d832593730144872af85724ab6c0
SHA512b89cf05b094778736acc48749ba52379851b2ad482bcf2da6b44670c8b7d8b419be5f7bd23cfdfa7edaa278fe4686da8958cdbbd858a2a679c73106282fa3ca5
-
Filesize
1KB
MD55a6ae8e5d1a59a9f6d31157c00e58bef
SHA13ad72dc1f814c901b839934a905c8ebefe57cae2
SHA25655366195f0a5178e4a6edee91494a81479a6dbdc78a13217226d16ccdb628b89
SHA512178cc9880252aca26834903decbc6b83c9dfaea8e28f6d0648cd2da234dbe73bd6b0ec8197df8b37142a092937db3a3bbd039085e6c099775749484bb96df8ea
-
Filesize
1KB
MD54756b7e5f6bd476ecffc26dcd7cd219f
SHA121e4784e683ddc7d6aa8b325831500bcf2bd922e
SHA256a75347befae1f060f45e3900ffcd290ba7b3920275d8e6d0cb8dd6ed917ea3ba
SHA512a63c5765e9f27a210ae19907efd410dd1be54e96e30ab3b669e127b5e92313bdb9a0d7b260fe16eed9bed65aa6bfce5fd40ebbd84bec5baf8f1dec33439d6ccc
-
Filesize
1KB
MD50c3e0e8f2158d8cdf8d58b1b9c16d6a5
SHA1e5b794f5dacb1a81e9d5bb8b2c05688f5b082d14
SHA256f411698a2d1e0106f5dd834831215f129378681e4916c80ed92ca9ba4053f6ef
SHA512fc581a8a512ca7f0c8683d14d10fa46e5ca476631ed9fefbdd495e65eb9c727acd3e47d63b1a3adbefeb99eaf2f778c4193645a7e08abe78825815fea0be075b
-
Filesize
1KB
MD5dbabc050872e39cb130fcc55f84526bb
SHA16e9966aea3c61c27a629133ef6c456f35b15362e
SHA256aaba15c91b7f2d2dcf05b7730a00f2ac5e80433a84d9c7bc247bd5b13ca6485f
SHA512f919660bcda0bb6f7557d02a6f9c6bd49bcd427d40d01e06bde8ed504942ae04a64b3b0fbc0ddd2487071e9518492ade65353e9c0c67aa6cc5ebb638a858f3f8
-
Filesize
1KB
MD5fdaf75f791d26662c549378522975b30
SHA157d13ff640b73e35d39900284edd70750009ebb9
SHA25624b3f2fee14ebb7ef1d366d60ac67cca380e223c2c7eff86435589224b7ddc60
SHA5126804e84c73e4acdb7947dfb802ab173ffe2d8bd0f597d1cc1877890c95bb3ced8ac807caba10ce383560913f0aa54b578cfcdb1fc015a81d189da40bc0439bc6
-
Filesize
1KB
MD5744ddc319f832b45c6822f9bc2f68c50
SHA182c61eaea9c096d328973cc68dbb8cab4b803495
SHA256a1f76b4d7558e4c781fb04b05fc91c4c87e9a3237a83c83155d57167e8bdca5e
SHA512de6dfd10ddbd49e8f86dcaf8e81ab83570bf41d1f1c15558da2972a46fe364b59293121b991f60922a0488305cedcfa9cb45b9a2df67ac2fa83816fcac18632e
-
Filesize
116KB
MD51efbf34179607c3b7e21b3bb7d6746e2
SHA129b381a18c03a4955b55262684fe62c418689393
SHA2569b34e33fff996d7368d8b1224a7d848bdbd485db04cea47f21196a20ebb1ed70
SHA5126a00eb219c68f5f598521ea1bb1d25a948dfac15c5d541f304bfb08b8bec278ed172abddd6321a5a7f7d283e15e6a1df7ad5c1202d0624f9b03f35a216385092
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD52bfc6fb183502467d5144e854df4f89d
SHA1fed77bc4e8f4f66b3d17ca791244b1c4efbf84ba
SHA2561b622df65ab29caedd561655054851e9f4adf93d6e94dcb31c65de513ddd400c
SHA512ca1114553d94ac97565d7b13fee4400e309e4c8a27708b540926b5bf143616eb20dbe6092c153e499f9e6e4a22b05d7be388fc1480392764bb3b845d20fd1d37
-
Filesize
11KB
MD5922a9631716b0a30a785f15e10cb6822
SHA1ace9ad465f742bcc9656be5bfdfc757d5daaa17e
SHA25696c07eb1ce7700b0be8cfa5997377c05a73d2b5b290d7a30e285306d11929f41
SHA5124b1f4c0b30cbab869254ab310f8e50ee457b8a23210b8357d3ef8fd0c438346d0ea7506328f3c1b609c13376858b4f52bda1d24640078b924062d63a27f86894
-
Filesize
11KB
MD5fdb44e21378f326a981b720edc2ffa7b
SHA172f616e1ea6724701fb5f3ff67244058e8ee48ae
SHA2567cfd17614c336303679424c92e3df427108117fe071ef7eaeeddad1abbc39bc2
SHA51266164183cf4e265a38aa6f509eafe2541ad98b85334505401de661be32e14cbaac8f38223f56c4ee5cc52ad3d70411e09da5437a31372d83d917c60d72bf26eb
-
Filesize
8KB
MD55f2b0524edd6f49eb37721f81740bb0a
SHA1807389e5998455821da1b67a55653d478df83699
SHA256788300519def0298c3f0c5d164b2405eb478e7c2c12c8faf14d6ac0548927700
SHA512525fd1d4e8798638292d1cd11c894eb71cd830a72719781cfc0662bf3c55a7d7071d82783b9d657393ddab204f9ed85b77939f2112bdf4e377c9a7b449787df0
-
Filesize
10KB
MD5d1093275427aeccd5ec2d7d1cc6a882f
SHA1ba5b83b1a6dc7d87ebf591126f189eaf59b4649b
SHA25624c34c8d62acc6177b227894b5d48f7e798ebf8d36981b23bbf3c776490609c5
SHA512e4ee4a88fb7ed974f62aa8f79d214acbb9a4bcc01a57968990cd74370ed195c2673c7f7f94a79730b89d9a94f3bb7c97c5012b8d580bd2b5de3064a2c12f0064
-
Filesize
11KB
MD5d6e90029919ee33c130e53a2c295d384
SHA19880ab7b75e5f838ae47c706970eab52f00a0a4f
SHA256197934ffc38b74ac7a0a3916d2dcf735ed6246b8e40121062fcb06314f14ee3c
SHA512ccd895f1eb3a3e5bc9fa3664a25a41a6b9ccbe58cdba42f0017f6ddddc03078826df6481c0e15347df287435237d70687b7ce807d4c5d0549ca82d2696d03a58
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59c2eaa8054d4f30fc6805fc9f97b6850
SHA1025b85cf22bc160a13d6eebe828fbad4d8897d51
SHA25693b80a36ff929a992382c27d1d48b4d471d73f55eef9f6a0283325a1418a0c9e
SHA512f0c9407f3c8283a5da3037db86d897976d47cab4980adf620450b9d5d76a8824fab7d823918de6e8677089170222454e9a957dbb86287cc223061e8512b327e5
-
Filesize
3KB
MD51a74122b046e8de29a5b5eb96872ebc3
SHA1370e5f47e09249046aba43278a6feb1b76eaba33
SHA25695c6659b23ae143f6dca9aa76d7652a84699146cf4333dfa5f3e341401bb001f
SHA512670c24ff343c9554131e9c3abaffb30baafa2e651291829527d92b265ff4eacebfcdb798c4cffba4b33a62f3fef9a88ed843771285be74b5aabf04209428c45f
-
Filesize
119KB
MD565cc23e7237f3cff2d206a269793772e
SHA1fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd
SHA256a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb
SHA5127596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613
-
Filesize
1.2MB
MD55ea1a7c969eb2778d356f08863626ebd
SHA1240a8b380bdb18b07ab9c1e82c5f382f30433ab3
SHA2562b06ceffdcd7df97acd3da6e93ee5e85a6228c0557d029c4d5e3b9357a2b7557
SHA512f6517d923cbfd8bc5afd97a31e3b45b39ec2dbce4660cbd75fd788bd675479ae9414786bf48c13d945798d82f9e020f0da7fbc6e0533151970cd59ee1a2ea857
-
Filesize
28KB
MD5753175a2a378c1448b5e6946d2421599
SHA11a856255b7868a050cebc02845e4af6acb3912ef
SHA2562a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280
SHA51207e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3
-
Filesize
5.2MB
MD56f163d9cd94d4a58ad722301cf9847d0
SHA1ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981
SHA256827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11
SHA5125503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
1.2MB
MD582b458869553d5314ec2d7bcecd8d380
SHA1541fc9fb1384ffc8e1f024695a7eace668ad5ec6
SHA256fd4203e487f88fd893d2c2ce3dd1ddea934c93d8f29cae146cdadab813bee7d5
SHA5126551dcdad84a019bedf104a8862a28c712ce8758c54df189583f0763ed93062ca2918cef290f619efeda15bd8091096671b425ea7f9f3e4bbaae47297d5529d8
-
Filesize
40KB
-
Filesize
724KB
-
Filesize
112KB
-
Filesize
136KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB