Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17/09/2024, 04:01
General
-
Target
2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
-
Size
54.8MB
-
MD5
8799c59f0eb8cbb37c386c0d5a39d520
-
SHA1
b5b40996731bf002a1434d1b59cb02961db3ea1a
-
SHA256
3245088846756009e9827fcda64556aca75b64d8b05fd63241f4ea6b7f20f540
-
SHA512
16ce94cdb2482a49513ce92b81f120ba256fced7ff0d097656900305a3af0161d687d77397f0d2364c87fbb287caa9607a3c3334fca50711909d09411dd24f3f
-
SSDEEP
786432:ALOrbJjdcRWz/9kl3uu2F0tA+6liWmP3YhMfuwSk+D3wBCQXrzu2Y:ALOrJpzVA3uu2etPQiWmoh8r+78CQG2Y
Malware Config
Signatures
-
Cobalt Strike reflective loader 1 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
ModiLoader Second Stage 1 IoCs
-
XMRig Miner payload 44 IoCs
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 54 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\!m.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\anti.exeanti.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K fence.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\doc.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96f0446f8,0x7ff96f044708,0x7ff96f0447184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 /prefetch:24⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\butdes.exebutdes.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-I4U5S.tmp\butdes.tmp"C:\Users\Admin\AppData\Local\Temp\is-I4U5S.tmp\butdes.tmp" /SL5="$501BE,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\butdes.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\flydes.exeflydes.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-ETUL3.tmp\flydes.tmp"C:\Users\Admin\AppData\Local\Temp\is-ETUL3.tmp\flydes.tmp" /SL5="$20194,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\flydes.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\i.exei.exe3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gx.exegx.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==4⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6f001b54,0x6f001b60,0x6f001b6c5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xb94f48,0xb94f58,0xb94f646⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\bundle.exebundle.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\rckdck.exerckdck.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-F5JLQ.tmp\is-35K99.tmp"C:\Users\Admin\AppData\Local\Temp\is-F5JLQ.tmp\is-35K99.tmp" /SL4 $20162 "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\rckdck.exe" 6123423 527364⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\avg.exeavg.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ajD70A.exe"C:\Users\Admin\AppData\Local\Temp\ajD70A.exe" /relaunch=8 /was_elevated=1 /tagdata4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exetelamon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-MT0FB.tmp\telamon.tmp"C:\Users\Admin\AppData\Local\Temp\is-MT0FB.tmp\telamon.tmp" /SL5="$200B2,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\~execwithresult.txt""5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --getuid6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\~execwithresult.txt""5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\stopwatch.exestopwatch.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gadget.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\g_.exeg_.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\t.exet.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\g.exeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\e.exee.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\GAB3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\dng.html3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96f0446f8,0x7ff96f044708,0x7ff96f0447184⤵
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K proxy.bat3⤵
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" "C:\GAB\11525.CompositeFont"3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\GAB\11525.ini3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\11525.ttc3⤵
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\11525.TTF3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\cobstrk.execobstrk.exe3⤵
-
C:\Windows\System\lywFHjS.exeC:\Windows\System\lywFHjS.exe4⤵
-
-
C:\Windows\System\UBCgEmo.exeC:\Windows\System\UBCgEmo.exe4⤵
-
-
C:\Windows\System\jcpLlie.exeC:\Windows\System\jcpLlie.exe4⤵
-
-
C:\Windows\System\PTVhtHJ.exeC:\Windows\System\PTVhtHJ.exe4⤵
-
-
C:\Windows\System\wNPrARS.exeC:\Windows\System\wNPrARS.exe4⤵
-
-
C:\Windows\System\oALCVPj.exeC:\Windows\System\oALCVPj.exe4⤵
-
-
C:\Windows\System\kGnhgnP.exeC:\Windows\System\kGnhgnP.exe4⤵
-
-
C:\Windows\System\QlZcvHh.exeC:\Windows\System\QlZcvHh.exe4⤵
-
-
C:\Windows\System\RYiIwsj.exeC:\Windows\System\RYiIwsj.exe4⤵
-
-
C:\Windows\System\FBQzIlg.exeC:\Windows\System\FBQzIlg.exe4⤵
-
-
C:\Windows\System\nEFtMlb.exeC:\Windows\System\nEFtMlb.exe4⤵
-
-
C:\Windows\System\OwrBaII.exeC:\Windows\System\OwrBaII.exe4⤵
-
-
C:\Windows\System\VxOwNFO.exeC:\Windows\System\VxOwNFO.exe4⤵
-
-
C:\Windows\System\ycOYiGw.exeC:\Windows\System\ycOYiGw.exe4⤵
-
-
C:\Windows\System\nPAlkaL.exeC:\Windows\System\nPAlkaL.exe4⤵
-
-
C:\Windows\System\HTUYWSl.exeC:\Windows\System\HTUYWSl.exe4⤵
-
-
C:\Windows\System\LyygaSo.exeC:\Windows\System\LyygaSo.exe4⤵
-
-
C:\Windows\System\CEjMuan.exeC:\Windows\System\CEjMuan.exe4⤵
-
-
C:\Windows\System\OqWtcHq.exeC:\Windows\System\OqWtcHq.exe4⤵
-
-
C:\Windows\System\MLxJfIV.exeC:\Windows\System\MLxJfIV.exe4⤵
-
-
C:\Windows\System\QOTdIse.exeC:\Windows\System\QOTdIse.exe4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\jaf.exejaf.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K des.cmd3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x338 0x40c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD58f64a583b0823bfc2fdf7277e67b5e16
SHA1f8029c828d0aef58f8818b866f1f7f1ec2f095b8
SHA256b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91
SHA512e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2
-
Filesize
61KB
MD5e7bed05c30089838608b1c37988d78e7
SHA15da70eae06a01da6144f5b0d51d8c88d1f6b1de0
SHA256efef0fa6138c648f9b5694f11d3372cf2733ae6126c91dbc7b2327c00546a699
SHA5120140f75bc15b64f4f913715409febf4209e21b890cdce51f8e2246f6bf1e40ec9d0ae072db0fcdce1e613abc2ec1309f96651f9fb25665865c5c9829a4352307
-
Filesize
1.7MB
MD578ba0823d72b677b9a4b9a984d07a6ec
SHA19dbd43e3cbb9e69fcac79a78305da81fb29d4342
SHA2566d1c083814f13e844c6d9d8a0cabcc45d7179a72c4b08348f0deb4598f83fed0
SHA51231ced6aeab175e2bd14ff6478b0650f1571f94758b1506c9bb8d22062b59943cd25275bb76106e3d7b9b1e53107fa11c51e46a3138afd41531726dcfa1fc5a55
-
Filesize
128KB
MD5655b6c1f90a30e9b017f2e695d1327fb
SHA189c7a3dd9aa4c1dae61b8e6552a0d96bf49effda
SHA2563c0964cc4d549b6b87fe3ee61a4efa7ad60296d82cc6b900ad1c536e6a09513c
SHA512f5ec5effe68b6550c1ab10cf10360281876ea6b6cdf4caa7ba871b6389df4af6ce58c8628a6467d61857fea2942584021fc1a61c5747a3e5d3a6d9931f34649a
-
Filesize
327KB
MD564027c0cbe356632029a1e54542f12fe
SHA1a11e572ae82005c01cfba8fee2c90a869f47c575
SHA256f56f3c5a1c1896f83c977f90bf7ab39729f7ea2c39f4d7484b06635c7c6fc0bd
SHA512ffeaa54c97701240189e0a0cf50951d06999f99f6a9f7ad16db8268d711fa6bee0c2c6781791400e97fec592210f137646f02334cf17cb4769be24636954659c
-
Filesize
217KB
MD50723999ddc6b4b922ec011b475f07d9d
SHA103aafc4a9496cd07d35952efd101312f6328bb16
SHA2561da9b5ace583a0a52e85280264d84917630ff6d600caea9a1b99cbd7e8b7c07f
SHA5120b1d1b2b994368d391195aa3d59c4ff647d6744f4f2240dcbc059c0a444e3a1b22b397c8c146349fa5b4beab9ff3cae5ce09d5464d0e6b71fbda593be822b711
-
Filesize
456KB
MD54962baf0f08d7f7d8a55834867d89cd8
SHA138964cf6ffce458ef7b68e1cd70946d43aef9f7d
SHA2563ad16a936a5072c2237a627142ea82289673702802ef08818089dd76b94c7558
SHA512b3dfd353a375043b75b07c4155859878ca13257eff093b5305c6eeb7c0c96481383f0e8e66108931d4e3ec280dc8e6f2a39de880dc414a0d7214e523b81a57b2
-
Filesize
447KB
MD53f0b609427347ed7f9d60c8c2f0b2e14
SHA131537e64597f92de4c89355a684b379c12e358bc
SHA2569959977d9fcf8ebc5fe48f6ee418f05378132b47d21bd5dcc798ad7cff274006
SHA51214421c45776afb477b0a0200e591e2698518510ff906ad833b7a3b07416b8546af6042b2e9b6e81c0d6cba0da2ad5e5db671e9ebd99a4164e00c79c2898309a2
-
Filesize
224KB
MD58924123111f4a88ec9a4541aa713db53
SHA1342cd5a4ce1d036d72ead842478d3ac2514760f9
SHA256d71f81c83ec63eaa32d36d5df7be1d9e71d3ea9150f47cebda2924923cbbf18a
SHA512c02ee1f193fb9f5bf1adee4bf6fea02db1f718ec74c6900419cccdc52e4d1ad6e5c540716c717655153f69b0a4daa6b3832ec9222f803efb181ac8954a032c8f
-
Filesize
64KB
MD57125ae1839a5dfa2dd8b32e22928a5c0
SHA143a51052dc18372b9c7b122c6dec94646abc078d
SHA256b4cdcd98edd11806931a466f50f957b3f62278814927f506f708519d018deb83
SHA512c8d11a02411313030b265bbc2ac12ca9c984c8ca273172b0d194b8737a5087b6c943d91e0ee7b48c33a71146b5077c61275defbd784bc3778c2f0cc39bffb102
-
Filesize
34KB
MD59e2ee65661bee40438d514fe592bfcf8
SHA1140a77e69329638a5c53dc01fbcfe0ce9ab93423
SHA256ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69
SHA5123b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612
-
Filesize
151KB
MD53efd8e6a45b3f893f54399c6bf4aba68
SHA10252ba9399d4faac75b26f245905854f0b6cd9be
SHA256c019f155a0004760f32079c22c29ef0ddd223d0c2c79e2487122e66d38a53b32
SHA51206691ccf1014311ff1f06bad835db123abd726cb07da462967c2e1d6aa9cce63be40b426264861f7fdcb4e59c98ecc013074580bf57e72e1c782c0b2f9bf2c7b
-
Filesize
195KB
MD5e3dfc3b909e09b89da3297899d9035c3
SHA1fa576ba64e0c606b1900f9044a8390c8c2b725e1
SHA256d6d8dc12613c35149a4c693fdfe2fd8217fc622cbec4f9a1ea32f7bf943a98a1
SHA512d11d0cc5114ef589e69977123fbaa824ab2bf7b74fe537dc907c35485bcd1b14ad1c83a6407b8154e7d58b25656f3437634a6c3cf24c8f6b17756674ecebceb0
-
Filesize
37KB
MD5fdb4c5d869ccb8b4230a3f0e162dcb22
SHA13085fa5c2c6c42ded66f8ca77f3e366a0c1bb867
SHA2568f51432ddde758e386ac1c3f5c2a02278b1a0134ea30ffa879794087ff1d4d3f
SHA512babff722c300f752ec71c055ed89564c74c0188059033e13a9d529bdb4f23b5b399a97b5bf5f670d5ccf6b8dccddf91e0df3f5551436e5c9db4ac8288b0d9615
-
Filesize
7KB
MD5ad75fb38d57de96a18fd5fcad4a282cb
SHA12689835e7573d1ea8cfdf6ae7fd77b671baccbc7
SHA256c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb
SHA512ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2
-
Filesize
12KB
MD5dcfe71d27bf49ba16fde0d1945bfb4a2
SHA186b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1
SHA256eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811
SHA5124da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3
-
Filesize
82KB
MD55972eeea7971170eb72cab2fc85c2b17
SHA1d327d96bd78c5e851e065d053829abbb370c0c09
SHA2569677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41
SHA512c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3
-
Filesize
12KB
MD540f8022c3fe4e1cc97bb794e1b519b3f
SHA17ff107451b67b2d432db4706c697a9391c13a6f4
SHA2566b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759
SHA51208a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3
-
Filesize
7KB
MD56ce87c9b9d03998f4492dab3c79f027b
SHA119647e5aebcd0f6fd23f15cc82863e25aa0d2c7b
SHA256b47e74ce7a0f656a9490b4522d3617b9977a941af72ff2cf66f6fb1251438e00
SHA5123e1bc371dcd2787c2b360049d654be2c206d6e5d9de75a642583e6a16d7b8aeaa1f0e08fc3dbc40a23bc3d88f0f34f9d37976a7a208b59f01a3dbe67219c5179
-
Filesize
6KB
MD58a5dbabcb9b11e3e0c527b93e69d5e4d
SHA1c47add614ece5ed16ca456bac08b1f2cbaccfec9
SHA256824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241
SHA512ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0
-
Filesize
35KB
MD51252c22a700c6c0319481971a05839fd
SHA1c88ad6672619e7a35c11d0a466329f7579016e46
SHA2568afa403942185a52a0a670f6ac09bc5b61a21280f2157dc7936b7cfe79bb6280
SHA5121f54864f01f7c4b501e028b6d708e798ac08c0539172945105f2cd9b36afd31dc61dd7bf4bacb159f2bdff05232727984a722f40ad0dafe6282a39e080fe5c17
-
Filesize
32KB
MD57a6a1e781b1716ec989a9c9d32db4f10
SHA1ea9c2fad201de94c08bc101f70707712544c1f10
SHA256051aa1902f28a005a4f39bb0ca9c907518c426de90f4a26e0f9026e37d8a8e08
SHA5129544b06d552015f844af7a4e59dad6296c2218dbd4247191a0fc1b078b3b92dcae50ecd426f016e82607f71c9ad5a3f17f73c2a2f48ce52fc0ad2b1f979679b7
-
Filesize
5KB
MD521475b17405b86f37a2c15a1df2733b3
SHA1e640903a5fa2a800a27b74c73a02ea855dcbd953
SHA2566e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc
SHA5125752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0
-
Filesize
13.0MB
MD5e868c731ec770c425dbc74881b3ca936
SHA1a8dc99a2e0bc3360f8441243aab13fe7279a759a
SHA2561e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c
SHA51251bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
Filesize
230B
MD5b787ea97273cdbee9a70c1ac642b3303
SHA1040139946fd2dd5a3dd586d0feed36a0e60214cf
SHA25621f05c2346ab2f5b2f39aeb20753fd2fc7dc6448e6653f1c4665576075bb0c5b
SHA51207faebc46e8ae43f4262537976abac754f86cc5fa93f9bc5960fb31136616d4f68284c50a6d8b85e125052410e4ac59cf0e3bb7bf625a21bec818302f6efc5cd
-
Filesize
328B
MD50a7cd88a5712be8237fccfcceb9f8b47
SHA1b91ff681a7ce215bece07f7209be41391ecf4254
SHA25697993e1f50db41734ee879b439d401211de5de2ab3c09d0fb8ea6ca29836794e
SHA5125e115be046b0f98373b82b653656690aa9d78042d4927faeb679336e287435714321d28c1232e028c96a3b389b6386693065adb4fb9588600a29c40a125f2cf1
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize
144B
MD59bc04803f50bcacae5917478f383e2cd
SHA10df365367acee8efb079c05fcfec863086e22ce4
SHA256217eefdf454f634e5c1602fd0655ebc88a07e30c438d9478e5a25be4ffe8ef6a
SHA5128403dc8de85587572f684519803d116bc142ccc6c708716b2cc22cd01fa5822bac54cb9efdf693202ee6273030e0e6b7736ef5927bcf0df7d768d3068d023534
-
Filesize
3KB
MD5ff82e0413d6bd29d207a1023ae5794ce
SHA1e9dd169a105adef430b5b41ce31799632f528f96
SHA256c0afd216f80988cc449543a609107f14ccdaff2ac43ad0122aa6633499cffb82
SHA5129a1ab3fffacec0beb35747a03084061ce1dfeff2ed98c13cae0b15a494295f79e8fe4d119c2325dfc26018a45a7f706d3df092ababac9ef047c5786ecafe1d4c
-
Filesize
5KB
MD53f4cebfd19dd8768fc166a295f7a38f5
SHA135b867ee90e090f7b2c36ccd823ff98afd6c0c8c
SHA2568fa152b364c8312ce6c14fd41de0649f684ba2c76192a540d9af8b8b57cd3b45
SHA512804928bd3b878fc1bfadacace5509c2175fc8e05653baef9f286eee462d7939486a9a64f8846c4fa384f83c7fbd12368b4cb1bf6063de32d67ecfd6e0a15b07c
-
Filesize
6KB
MD5179908b417183f588a6d7420bd49d3e2
SHA17a6e8e0bf01ef6803ad564f536c4904db5ac3163
SHA2568d28084b6381fa6396c770bd6719cd3cf31ef731c7ade022d90892f02ed018cd
SHA5121e992b6d3f129edf288b4da80ebd266ac640866668430f636cc0feb05068dc478a442208d6d7a74b68c68a9d96e4f55e62ee5a274295acdabe70ff8cf07bbec0
-
Filesize
10KB
MD5f52265f5584e351b7e48328236fbdc2f
SHA1cf3823231d70e2d17df079dc06a7f5fe706cdc05
SHA2567e4ec1b259d9fee126ba14bce88315b65bdb4c6c15deae025b68dcf8a75d595c
SHA512d119fd551355d1744a9c325a9187d7628fd4d68406233cf65b8e5aea399850d8b9486de66d77a4976b1407ee8f841dc07b7c678ffa1e8f31715dbc6faee19cfc
-
Filesize
10KB
MD5e87235410e9340f68c99dc173076a42c
SHA14586b5ff83c81c317854593d427860547b06653b
SHA256ded64ea81aca74d6e0dceefdc4363a2ac5311b7151720f3429600039704ae5b1
SHA512032245653bb0b25657a62f0dc546dd02e314b0fbc3c0fe9642f539bf147285d2e2680623866f11aa575f6cb0e7e7ab0d3a22703086beb8a2eb628d2fc1aa8f3b
-
Filesize
1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
6.4MB
MD5defd30ea336650cc29c0c79fad6fa6b5
SHA1935d871ed86456c6dd3c83136dc2d1bda5988ff3
SHA256015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4
SHA5128c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54
-
Filesize
824B
MD534668f54b0b37f99ad7cac2b2dfc143c
SHA1191f0593c1567e21d2bc3f6e426a6105b45fa048
SHA2567073d936dcf38170c8d0d3ca33130c70920bfe304650621dd1ed18b9e2e1829f
SHA51264313be755d28f660fcd27fb9e813e94d906b26f1451c9d8a5b4970b210e69b5d27f2e51d1b14f0574f349f29a5db498c3c9072e3a5bea7f86c2ad9f4856a892
-
Filesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
Filesize
5.8MB
MD50dc93e1f58cbb736598ce7fa7ecefa33
SHA16e539aab5faf7d4ce044c2905a9c27d4393bae30
SHA2564ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36
SHA51273617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff
-
Filesize
429KB
MD5ae4581af98a5b38bce860f76223cb7c9
SHA16aa1e2cce517e5914a47816ef8ca79620e50e432
SHA2567c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267
SHA51211ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
4KB
MD5016bf2cf2bad527f1f1ea557408cb036
SHA123ab649b9fb99da8db407304ce9ca04f2b50c7b4
SHA25617bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0
SHA512ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7
-
Filesize
15KB
MD55622e7755e5f6585a965396b0d528475
SHA1b059dc59658822334e39323b37082374e8eeaac4
SHA256080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147
SHA51262f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e
-
Filesize
8KB
MD501a5131931ef35acecbe557ba13f3954
SHA1c7afc7590d469432704d963ffcee31ad8bcfc175
SHA256d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0
SHA512ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e
-
Filesize
167B
MD56465a5431e01a80bf71aca9e9698e5b0
SHA1d56ed108f13a6c49d57f05e2bf698778fd0b98dc
SHA2561c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f
SHA512db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55
-
Filesize
833KB
MD5b401505e8008994bf2a14fdf0deac874
SHA1e4f7f375b1e88dd71a0274a997ed5d9491bde068
SHA2566bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41
SHA5121bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11
-
Filesize
12KB
MD5c4d9d3cd21ef4de91abc95f99c4bc7dc
SHA1b2cf457237c44c824068727b8440fe6a352a360c
SHA2566fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9
SHA512d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7
-
Filesize
69KB
MD53cb72c753dd5e198792d1e0be81f7e2b
SHA18a55b72a998bf8362a12f68ee8c4801a5a24754c
SHA256be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97
SHA512008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70
-
Filesize
23.4MB
MD5906ad3937f0abd2e5383dc162340496b
SHA1d63fe621af79e1468ee0cf52e119ffd21775ca8a
SHA256821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e
SHA512624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79
-
Filesize
3.1MB
MD580bf3bf3b76c80235d24f7c698239089
SHA17f6071b502df985580e7c469c6d092472e355765
SHA2562b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2
SHA512076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a
-
Filesize
12KB
MD5cea5426da515d43c88132a133f83ce68
SHA10c224d0bb777f1e3b186fdf58cc82860d96805cc
SHA2562be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78
SHA5124c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c
-
Filesize
13KB
MD549f4fe0c8646909c7cf87adf68d896fd
SHA19193264c38e5ed9fa0f5be1d79f802cf946a74cf
SHA2569292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec
SHA5129df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e
-
Filesize
32KB
MD5e40209599b592630dcac551daeb6b849
SHA1851150b573f94f07e459c320d72505e52c3e74f0
SHA2563c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be
SHA5126da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2
-
Filesize
6.2MB
MD5a79fb1a90fb3d92cf815f2c08d3ade6d
SHA125e5e553af5e2d21b5cfc70ba41afb65202f6fd5
SHA25643759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16
SHA51282aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd
-
Filesize
68KB
MD5338a4b68d3292aa22049a22e9292e2a2
SHA19595e6f6d5e18a3e71d623ac4012e7633b020b29
SHA256490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f
SHA51206bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5
-
Filesize
62KB
MD59e0c60453cdea093fa4c6762f9b1fda9
SHA102dfa74e42739c4e8a9a0534273f6a89b51f1dd3
SHA256269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781
SHA512fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96
-
Filesize
2.3MB
MD56a80889e81911157ca27df5bc5ac2e09
SHA102ac28dd7124317e294fac847a05b69411c9cdb2
SHA2560b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff
SHA512329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef
-
Filesize
1.7MB
MD5c3130cfb00549a5a92da60e7f79f5fc9
SHA156c2e8fb1af609525b0f732bb67b806bddab3752
SHA256eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8
SHA51229bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748
-
Filesize
130KB
MD5ee7fbf8768a87ea64ad4890540ce48f9
SHA1bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b
SHA25603eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe
SHA5120cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80
-
Filesize
5.9MB
MD5640ed3115c855d32ee1731c54702eab7
SHA11ac749b52794cbadfec8d9219530e9a79fc9427c
SHA25629b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3
SHA512bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
404KB
MD55b4c8e63be988b83b09e13e9d1d74bb9
SHA1bcb242f54ee83f232df6b871aebc0f3d44e434c6
SHA2568ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d
SHA512a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b
-
Filesize
77B
MD5e107314aed6c701cf1a69b729aa68ea6
SHA1278946e4ac0f58a5c4c213dfa5f5603bf24c817a
SHA2561961601fb2b16817ac82ffd472243e112538d8214231c244a3e7395c0279ff4d
SHA5123af27b0d1e705a5cdcad140af9175763b992dc6413eb5ba4f16129a2cad1ec8bc71c05316d3391920aa2634a1aae41feb01214953051335032b7f1be51e884a6
-
Filesize
659KB
MD55aa68bb2bf3b994bda93834ad34e7963
SHA10156732d5dd48feacfab3aa07764061d73b9116c
SHA256a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa
SHA512e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
3.1MB
MD5292d91bef15a5a5d5f5c06425a96e0ee
SHA15f4400c94ceebf54825e94cb5d9f616850331e96
SHA256b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373
SHA5120aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200
-
Filesize
2.1MB
MD5d21ae3f86fc69c1580175b7177484fa7
SHA12ed2c1f5c92ff6daa5ea785a44a6085a105ae822
SHA256a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450
SHA512eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f
-
Filesize
195KB
MD534939c7b38bffedbf9b9ed444d689bc9
SHA181d844048f7b11cafd7561b7242af56e92825697
SHA256b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0
SHA512bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953
-
Filesize
127KB
MD52027121c3cdeb1a1f8a5f539d1fe2e28
SHA1bcf79f49f8fc4c6049f33748ded21ec3471002c2
SHA2561dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1
SHA5125b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c
-
Filesize
36KB
MD5f840a9ddd319ee8c3da5190257abde5b
SHA13e868939239a5c6ef9acae10e1af721e4f99f24b
SHA256ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a
SHA5128e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
5.0MB
MD5199d82d11c3c57b35976685dd2c6135f
SHA1b95c80c6766745ca4049acd19d25e9e60d55871c
SHA256d1e83b9f571cdd8087d0ba5e2de31ad98ebf2c1156eea86de6ef8dea5fc2adcb
SHA512972db73c22a683a2a68043f53a388978b72f20b2c1411bc69b662b1e66c31dbcb60f142748c6960242da7c58dcabac46b056f6c612612d062b54e38dbf44c14b
-
Filesize
126KB
MD52597a829e06eb9616af49fcd8052b8bd
SHA1871801aba3a75f95b10701f31303de705cb0bc5a
SHA2567359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87
SHA5128e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35
-
Filesize
93KB
MD57b4bd3b8ad6e913952f8ed1ceef40cd4
SHA1b15c0b90247a5066bd06d094fa41a73f0f931cb8
SHA256a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754
SHA512d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2
-
Filesize
5.7MB
MD5f36f05628b515262db197b15c7065b40
SHA174a8005379f26dd0de952acab4e3fc5459cde243
SHA25667abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31
SHA512280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8
-
Filesize
5.2MB
MD525b8b9d7456b10a98f7229affa2f8b3f
SHA1367b8ba69755bb2e3664c2e489d65e6acfbb0323
SHA256644ecf2359ff362d124156f1c835fba76ba686b373703cc06dcf550e7298e3c0
SHA51251976520575fb0fc13469957f4f2654575a7f80a8e18d360bdb4cf1aaaa58520e899c9c9f2e99527e7fec26f3f4046a1e43ae9528b5e35d361778bec8d0844d3
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
1.9MB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
720KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
296KB
-
Filesize
5.6MB
-
Filesize
144KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
948KB
-
Filesize
948KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.2MB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
156KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
