Analysis
-
max time kernel
1800s -
max time network
1324s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
08-11-2024 19:13
General
-
Target
http://enableall.com
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
-
Modifies firewall policy service 3 TTPs 25 IoCs
-
Modifies security service 2 TTPs 6 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 58 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 12 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 51 IoCs
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
-
Modifies system executable filetype association 2 TTPs 49 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Using powershell.exe command.
-
Indicator Removal: Clear Persistence 1 TTPs 51 IoCs
remove IFEO.
-
Installs/modifies Browser Helper Object 2 TTPs 5 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 36 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://enableall.com1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98695cc40,0x7ff98695cc4c,0x7ff98695cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,10505503154748192443,4276426080192680203,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,10505503154748192443,4276426080192680203,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1976,i,10505503154748192443,4276426080192680203,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2992,i,10505503154748192443,4276426080192680203,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3020 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,10505503154748192443,4276426080192680203,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3044 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm https://get.activated.win | iex1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd" "2⤵
-
C:\Windows\System32\sc.exesc query Null3⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd"3⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver3⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
-
C:\Windows\System32\cmd.execmd4⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd" "3⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"3⤵
-
-
C:\Windows\System32\fltMC.exefltmc3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\find.exefind /i "True"3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd""" -el -qedit'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd" -el -qedit"4⤵
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV25⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd5⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "6⤵
-
-
C:\Windows\System32\cmd.execmd6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd" "5⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"5⤵
-
-
C:\Windows\System32\fltMC.exefltmc5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\find.exefind /i "True"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "5⤵
-
-
C:\Windows\System32\find.exefind "127.69"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "5⤵
-
-
C:\Windows\System32\find.exefind "127.69.2.7"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/S"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop5⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop6⤵
-
-
-
C:\Windows\System32\mode.commode 76, 335⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N5⤵
-
-
C:\Windows\System32\mode.commode 110, 345⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵
-
-
C:\Windows\System32\find.exefind /i "R@1n"5⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':winsubstatus\:.*';iex ($f[1])"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "5⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"5⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵
-
-
C:\Windows\System32\find.exefind /i "R@1n"5⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵
-
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query wlidsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt5⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start5⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type5⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query wlidsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_eb663c61-af2c-45f4-8992-6940d1dc3382.cmd') -split ':wpatest\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "10" "5⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.execmd /c exit /b 05⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value5⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "5⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"6⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "5⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"5⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f5⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"5⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "5⤵
-
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"5⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 05⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul5⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "5⤵
-
-
C:\Windows\System32\find.exefind "AAAA"5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\ClipUp.execlipup -v -o5⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temB198.tmp6⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "5⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate5⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 05⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f5⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temB0AD.tmp2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Desktop\Enable All.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\Enable All.ps1'"1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98695cc40,0x7ff98695cc4c,0x7ff98695cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4272,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4320 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5032,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5196,i,2768186272359383224,6200516466010445745,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"2⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\regedit.exeregedit2⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\reg.exereg /delete "HKCU"2⤵
-
-
C:\Windows\system32\reg.exereg /?2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Manipulates Digital Signatures
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKCR"2⤵
- Modifies system executable filetype association
- Modifies registry class
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im chrome*2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exereg delete "HLM"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HkLM"2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies firewall policy service
- Modifies security service
- Boot or Logon Autostart Execution: Active Setup
- Boot or Logon Autostart Execution: Port Monitors
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
-
-
C:\Windows\system32\reg.exereg delete "Hku"2⤵
-
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
5Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
5Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
9Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
5Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567a8abe602fd21c5683962fa75f8c9fd
SHA1e296942da1d2b56452e05ae7f753cd176d488ea8
SHA2561d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA51270b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6
-
Filesize
40B
MD5405dd156f0b697f2d0702afedb827b80
SHA141e7bd95b48a39edd67e751abf94c92b6617271a
SHA256a764eb30b54d11ded5b23807bca8dee0a2a36b921de032d8923b11b5eb835e77
SHA512981f35b0c8c9261a4ad7c6c4cf01c5e062f510c7e58affeea3d541510a8bff28f124a0a0142ced89502b4540b50161d201e61a5a0ba08b7504cb6560f5627d4b
-
Filesize
649B
MD54cd61b28c326b541e61524b6ab71f4ab
SHA1ef36b731cb6acff2d01fed6c86f162b8f5b62cbd
SHA2566bd8d3f540966ac2e793d9a6d71acf6fc6c5054fb754324e2d5030fdb89900ef
SHA5129535868a3db9cb16ebcbbb8c45b96bc9cfc2b5d38f15cb72f13fe614935ec037fb8079d9783b9138a78e36ebfbf622fb254a3c62dc845c91f64bf8ded264651a
-
Filesize
600B
MD5ae5107dbdc84e612e6b9d9d173ba295d
SHA1551e8282cb31ea6d839d6c9a4de700191714dc7e
SHA256340456ee2a6fa30731b7b5248c137c98648c91c0df01eb2a8a78df32c5aa08bd
SHA512fd69ab97762227fdd07303b0d0b8ec4828053f77f26b8371449035da8845e9c567dc682cd6884e5c5a5f9ca2b355f8d7ef559bb808351a2540fb1e262d0aa187
-
Filesize
432B
MD5c42d67c6abd949b5f21fd2638f0b91e7
SHA112633e9a286e422a7dc36e82d957574c8afd059a
SHA25613bc4249bf34d518da6a900ad9a1cce30a581a06936bb9035eb6fbe8e50843ef
SHA512e32af89f00f5e0d84001e3c9052b9f0005ddc3dc9ecac45e1e806d7817ddfd7f06068fc2887a7518cced0ee0a4d66dc40fc08f15535f4b3556eeb9d20acd73f9
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
4KB
MD557a2d00e180f67d189fd9c820fdd414f
SHA15352690fd28e2877fbf6bd16f19f96b1b5950c09
SHA2569fd70b0c116a15169af65e76fb187ea449dff15cb582d21fa2af894c29aa620d
SHA51220c73be53b44f2a4c8923d27c67631e47a8081c08d1637d86d08d23cd3d81be60e60fdc4891230f4fccf4b93e71fc1de9c98109161fc2aafea503f34a91e7d97
-
Filesize
1KB
MD5e2825631436fa687b1b21bacf7ef6831
SHA1bc2cc19524cd1888064610cb28dafdb41a543f0c
SHA2565face3f3526ef1f209875708c0a274d2435f44bc346e2555d714daca4077a35a
SHA512bb4c2998c48d5460a72ac46e79ec1f21b5a6a32f04342791846cce680c239b7bc5386df588e87e4addea4120d4a98ac7bb9bcede90b33ef4c7d24578c8620f01
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
522B
MD5e46e135aac057e043d9cc7adf366cb51
SHA171e61ab6b9e00139d503e1845d8e24b0ac2bcb63
SHA2564d06ed8c1d669aec50fb0bb6c47480b84b5a37f55df06d229d820daea728ceba
SHA5126eb0ca722bca17f065a472465687485c367b61ccdd08675b791d4e7f62bdf6dae323ccabdec3a7a29de2fa89e515517cd1529ced231687f0d54af1ee60547056
-
Filesize
522B
MD58bed7562170927d4f34d9140639aeeaf
SHA1e7c3994db165648b89b5ee67edd5dc17bc6dc75b
SHA2569246e529744bd591960c5ccc083ee0243746e0dd524a653e2cea4f119959a9a6
SHA5126eba54d6fd0131825e26f6fba1c4b760baf8ef0b863df6265a660bb55461118f1db20a600ed4a39e17d79ad23bcf7fd647e78543d3007db963ca4e2fc02c0d4d
-
Filesize
522B
MD55922fa9868b9a955c85612501a0f6cf6
SHA181fec37c74ac7396a4d3200583a9bf1b2bb23e04
SHA2564569f997705c27ea1902f1bdb18d9bb47ed69a6ef5be75e9500d25a200d148a0
SHA5126d606ccd2112adce9212d5c3cb9e09ba12bcd2c8e15202a658893174eef39d4e7752ec9c1474b3162544cc7c96589fdef2010e97c650aa74ac219259ac502bc1
-
Filesize
354B
MD57ba33f6dc1e063a5dc94e2343a3742b0
SHA1c91cb5a270ee7bb9bf28fd35cdc36e78e7aa9e7b
SHA25664498d4043f4f61f6c39d8f7aee9c56501a93c77c6e39a9b52bcdd88422a1403
SHA512b4e95ecda8abce99f62889b19269911e55139227d3117df0e79b1359ca61a3f914a383110bcebea773f90673d32bfed0a322e02f609549ce1fad4fe12324b8a0
-
Filesize
354B
MD5bba2d73690c27bc87c531edbd55d3ebc
SHA183de8aab3635e708a8ee6ad61c087ef1fb7fd2b6
SHA256b88460485d91e01a861a8c75e270481dff67f28efbd479bae60441f4e2d5e2b2
SHA512e0f07d7520cc0c7a8d90685eb104b6e8d4ff5500b5f8a8d35a6329b2d9d0d5739ca6e5a9f476a880d6198544674611533780ee4556c81d8dff703e85c10fdc2b
-
Filesize
9KB
MD5eea9dcab75b73a1b4c87bcb44a0f8f52
SHA1cd554f5761f6d857dd10bf6199f2e61c9d98c5eb
SHA256ef5234caf40da4218f9c8e34eabda3bed632bbb7024824189f4939406360fa11
SHA5128a1494ed0183a42f8b01712a7fd97a024a88084ef380cdbb8990167c2d4d071a01eed9e329f2c1a902e84df0db3777f7707b4763029ea75b7f6c7282a45f3dab
-
Filesize
10KB
MD51fb83199a7845247d0368f9a9451d96d
SHA1c67ec758e803515370162f534c4ef31cb02bc259
SHA256b63e84803e7043569e0ceadfbff084fc835e2144ddc1f5cd0c74fd99cb2c8fca
SHA5122930473b8f085a0f90d810d28c5e258f9255acfa832dd172a22cd5ec286881e00e6c06322825aa2d7fe187ae8ee4d2d7eedb88c446d0e2c784c23d0f443ba941
-
Filesize
9KB
MD5ad835494026e821563e19362dbb7c926
SHA1c9406a7832b6170ac47e6d6abb4c7d8cf8003978
SHA256eea7e5754be8630f0829416c62892717d9aa70c00a8a143fe28383aa66b68176
SHA51231b4cc62b1d291c73a050b2c07ecb5ee53628cb4619f52ec859a0722fe0e5875ac8a70772118b9c8bdfae6ff9deab662842ba1d540f049c59fed1d59fcbc7bc2
-
Filesize
9KB
MD56fd807b08d6c9db2373f5dc23048819f
SHA1bfe54b498c0c2cf2b9c2e484f18d560b6454bc48
SHA2563e6167868883e9fb7076240ca68c92504bb85fe4bfeedbd14efa8e1e62aa72ad
SHA512543d7fef26b315be786a13275b8af6bbf7e524b18cfd6ef10687ab8c2d2dc74d4a7d0d66eb1c7339a378d16add1917c7dc84a81acd9a1fd06234f2616182418c
-
Filesize
8KB
MD55cd66781c8007344d6e533533e3605c1
SHA1a4a843e9730fab1becc6433152b33fd13ba2108a
SHA256c1e5de816b52a47247dc93f7301f792787095e0afd0b64de3537154d75632974
SHA512bdfaf04298a706db6f89c071cd378c66c21f97e636f866be9b36f1b7e818f67c753ddb69326d2452977dec6b9c8d7130664e00564130199fd02fd44b859312b3
-
Filesize
9KB
MD5f7b4976c7b13210314a8aa157e115da5
SHA1cb4eee8bc053861013f0f9a7cef2a795a48cdca8
SHA256775abb72e07efdfc4109bc3e8858f38ea5aa199de3ce957d071fab7305567e3d
SHA512ca1ab31d9a87d2191a8df13206c0112a2bbfff635974e4090a5c4286e477b48e51841be1c40cfdd8fa3996945464de59c56fe9fc2787188ce50ef218dc845fd6
-
Filesize
15KB
MD586454bd70456b8615316bafea8096e69
SHA1a3339dc814d39cced09f2ead4c89da54a3b3aaa8
SHA256e54f0b92a441df27353170cbc049161e239750c36b43b935bc1eae991243e821
SHA5120c8dfcf8059eebebc62c125d8430fa9d897f4756591dda5e92ea7a3a97239da85726e41f04b63cb94af1d9a54a72b131a84ed07bccc8f37271329eeb7335db6d
-
Filesize
72B
MD52f5a78ed39fcd33d245006307eb09993
SHA11b1387256be7db0c87b1b39f99f1e3968f7c6eba
SHA256c7c819df4abbf217dce0f6d6fe8c23b8dc486a03965c8738a2f91b57515c25b4
SHA5120a57e143303220dbd174a0dde3bd74f7382fb4a3ec302b1b579e6857f9ab95511dfecd85c848aca4e9d9fa9a8889d385a166eaec9418cf5c97598e70a0a71255
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
232KB
MD5a08a38643b9e8fbaaa41d9c789d47d4b
SHA1a1c8fde796b97b560675052c8b54999590a3a802
SHA256952e036fbfcccb3e57d6199e42ec78a9a4f57383e108c199c977c21fc69b0f35
SHA5128950063347c3c70e9d2a46fe736f0807a9bc7af5676f1c89dd145ccce24ad2ae5d6f2b84b4b7031b1618c8edf50cc12e1e08559f2887302127a0f7aaabe0779d
-
Filesize
232KB
MD5e3ac3318c642d6ad278037e3b51dcb7f
SHA1e0fce6463f0cd9772be9e37cd53a12af8ac3da71
SHA256a3a67c9bf6488e537c03822623153cbb637d646379c4b3f4d6ca4bb2787f2890
SHA512bfb64ef95a20c0e8e0e0169222018a901af007aa3cb48d7e57cfa529cb52dfc6735e535b797c0774b735a3dbdab65e360adab8df6fd41ec073f2eaa09adc5bc7
-
Filesize
232KB
MD5ddff03269898c1b16ae01c03da6d8508
SHA1090fde503db268441c6da160da2c8cdcb6ae9e54
SHA256f7694c9e9705998301153d43158b37a91bfa40acfe2a52c93c8c7052c56b9f57
SHA512405dbdea3d83e0af7c3c562dd765ef5e6d4b4dc9674ab6707e6a2636618a1cfe11b0b8c3b66028e586d2b7c89c8e12082ef8502745439c3930ffa661c5b3bc19
-
Filesize
116KB
MD5abd8642e2cd6827c442f12260c3626ce
SHA1081c9585ceabe04a07095dea0b9618d5a0647378
SHA2565b6d49f4a18a7c8a3f68d622224bcc6107dfb34cfe3e498a0058a3512ed30edb
SHA5129841de7191ad7aac4dd8fe3a9efe4f92cd866eaddbb91e25a9b1239dadf9d0785fa05bcc059bf02b56fd8bd51dc89f2f7c11f5861a81faeb240cd342cb183910
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
1KB
MD5bee1758a485085bb8a121eb74ba7e96f
SHA18024492e1126b17f832e36c932d433200180b693
SHA256edcad5b1ce8a304b70b8c9ea57d4aeab740d979ffa59243b943011cb1ba4d57e
SHA512bb1fe94a523ef108c49f75da187fcc28bbf80d72233454c329134bee2e12268d3da344a622987b081612aa2a1edac8b91eef27619c7309517ac52e7aebf32f1a
-
Filesize
3KB
MD5a726593a8261930e4786375106fc6bfe
SHA113916b1e1825549e9c36c64e35baca204a83ef95
SHA256e6bfdfbb9a0649ea9d38de4255c355c581097e6a1035a54943260b22ad45f172
SHA512b093a2513b2c4f8544093d6e983ec580e14625e1529bc3db22c4011980cdf44a78443c22289b11a6ed0afae2786d480f94b354b71496ee022e439d2bdefbedd2
-
Filesize
62KB
MD5d65252e53a5e3644223e2006dde4e3e6
SHA1bfe4fcdb1096715c03ccc680ba6c44ef0b64dc6a
SHA2569139d8e6a0b81a2981ce23da1fae130052df1ab4bf7faebeded293a128a9b3ff
SHA512f3ab3b2ce152512af14e41368a829651a2a1bf664560464de03792ee9d5b6dec7bdca32087f3279040e558c0cff641ede893b845b5db8f0b106e48f16c8f14af
-
Filesize
1KB
MD58a9ce637f47cb4acdbef782b0c075292
SHA161c4f0209f159fae19220a78c4428848c90d0e01
SHA256fd949ff64bc93b6bcff447de4f7307dbd4cfb391faf81efe2a845f8349d9b10c
SHA5126452ea5fff0d3139dd61de41cb37738a228bd13f7b039aa519acb8ab5f2084c10473415f0d3631a68829e81da3dc6018e37cff3618c48ae358c9a94fa91eb122
-
Filesize
1KB
MD5a766b59cb8764029e0daa42ff2d21c3f
SHA19ca2e4735a93ab8ddf2d8e6928f1c570aa4ff80b
SHA25692d5a76ed593d1450f8f5309d806ef2ec37be8839f1e0e20763e75180345feac
SHA512e92fe19a450bc93cfcbaed70586d580470d239cd41997e0bdebdb45f1b6ba02604b4e839ab6ee40d5112ba683c647ecd10751183ab2f89226994e17680c52eae
-
Filesize
944B
MD59e9cde84e97360fb39f64e3697c25587
SHA102f67f54c54a08320a5331e464dc77b2816fbc97
SHA2561bdc4f0e8c0845ba527337f1e791da5873c34dff15eb33c71a5aba89e4db4c80
SHA512c719f5adf610599f0e57df5241da9b3fb595839fcbf955acbf4007ebc75d400916cec75cf9f24f72be6118237641c7800ae9b4c28b585b71a63d02a5789ca044
-
Filesize
1KB
MD58117d1162c008cf731fe668d81f95ac0
SHA11fdce919b160546d65f946726794b3331de06938
SHA2561081c6b484e3ce0572ea539029bc598ee7870cf099c5585bd52fbeee220c56b7
SHA512711cc338d15b6b36cad3e8ca1a57b0595991f060d24f39faa2b24a2c4ca08c07c82497ed8b1bfbc998452778d75fb24558d72062ef5ee6848d99e35068c5f188
-
Filesize
1KB
MD5b702e7354d9bae2e5485acd81cd0eb1c
SHA14fae318f01720d25ca9f963dbc00d3daeecf0aab
SHA256df7ea65165bbba49c274bd893fdd9dd8a57a97279f590bbe0307162e7fe5b22d
SHA512b5ce79e12987fc2cde5a8f5b5a4ed9598c06b3dc7a5ff8f0d2d7743c026df23e1d814b898889475da4a2c30b8764035d685760398a222ee37a08aa9df091a2e2
-
Filesize
1KB
MD56bcbfbff9560016ac11b1e8dbb0406c6
SHA1650f8c7f23bc53abc80b8195384fc1328e90e843
SHA256651fefd249b769f134b8545c78e367ff865968253087085158c41bcad6f66668
SHA5127f526aa91274b4dbb10fa94730fd747e7ebc851074f90fda9f95cbe9216aa26445195aa83784ebad916f693b7767379c0d07f011a7298e77c6d4092c83d63f0f
-
Filesize
1KB
MD5e0f198f2b42831545b9bcdfcc2807105
SHA1ce14f1dd9859d0b2193a15511d12b7d89fc2b26e
SHA2566f03c732fe57f62dc0b5211fdeae8591897a2914e57c094e50bdc56fb1ed7176
SHA5129c7f94aad9cea00b7451b3b04b9cf9a92a8e67c479d8852e0217e7d94efad6388ad480b176ceb9358fe58d1480622c50d63c2db9cc2728c835980762ed400954
-
Filesize
1KB
MD5639bb3aa3e185072b05b097dc6873564
SHA1192c23c0bdf0bfaee5e03a247ed44b366eff01ef
SHA256063a7b64f8415e5ee379bfe5992aa05d601248a6c267ab6bd43e8fbea632c6c6
SHA51284f90eb686be08be49c2907e49f392bcce9b99590232dd13b53d8ce6371cba2c3dbef9d948e7dfc41cbfa2ec6e304c3f26d21189935e61c2e6ac2f39469795a0
-
Filesize
1KB
MD5d942feb15f8628ee6c63bde417216fca
SHA1a48ece419a788bbf0cab75ece316884876a3b6c0
SHA2564659a56d5c61f0faa84d94c896404c25b391f9d248c9f55143184f377fd9a498
SHA5123eeb05fe2c5f861bae9e61b4642281837a786078de287a0d68b03798cc7e988d60b4abe7766357b73211190af52f4ac582b4de6f4cb87c180318fa9b56395865
-
Filesize
1KB
MD56484e60597dfd895e6750bb19c58aa93
SHA13e4858e8a01d9e5200926a1caa9a734a248b1024
SHA25610b69c52178f8a486794665323da2234d3a1e7b145fa88494c26c092c7509ecb
SHA5127d298aac6a905c2ef5ae658157e89fb13663983cd22106f7187e9bcb8e3de4f531e3c06bd4a183c9db19d2f0ae8e861af899cd369dc9037face643ef2829a240
-
Filesize
948B
MD5eb6bbad04121efc4b28aafcfb2098c9b
SHA1874882a3749c41301505e95510f761491c465073
SHA256bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
SHA5127ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3
-
Filesize
1KB
MD58763501687bb4a9fe9c1e5cf46300f51
SHA1707ffedee9090e87f84cecbdfb2e56301369575d
SHA2566c48610e3f917711bb88c066f6cdcfee4a7bf6aaa46f07c614bae0bb964ae848
SHA51268e95316361fd88c665c0561a222e1e9c1580f90ddd545d5e72cda892413bd010195dde0804a3585785aed7a48cbcadf64b62e42b87535d3bef36497c559b0f2
-
Filesize
944B
MD584719b15e20ae559c6f29dba7a3d0097
SHA188345454b1eb5c1f39dcad5dfad4ecc268bd6f50
SHA2564910d430710a79f88662d02e7e2bea4b2e4a8ec4748283871e670b2a32a7bf3f
SHA5125d5fb11d6a6ee8a4bb2f85a3e8c709ef4024f9d523900b1ae22af5facfc8dc503b3be4203658ea5f4ea59143c68d1dd1080faee8b20961f45de367778e640bd9
-
Filesize
1KB
MD52eb0516581f575d665c8f25ee96d69d9
SHA1d041bc23b9053c09588c4feb81f9a145aa24aec3
SHA2561d5fa257306338d5c41cc387525ab4ecc6677a5896858b76e2272156269cd5df
SHA512382e8e90451eff13a6ce3d4e6f979c69612016f634d6e884579e7b6d2ee93b6b1b3b21294a161099e33d4d81aaa5cda5582e6a28a799e726e887e409b54ca245
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
582B
MD50409d81153242c17e077f1694efbf0cd
SHA1f1d0ccda7f104c7e3f42b5c297146af61401bff1
SHA2569a28e37bb0eb7e2269c512ad0c55a9fccafa690d253b92a45dbac4f51ec1f85d
SHA51239476d3ef24447cdf1e68de368871168e11d67af72261516f5d4384aad1ed51a6a499cd79868392ca100b5c8e52903e124b8e58f4e3cdfe1d0943843863feb5c
-
Filesize
6KB
MD5812ae7a8c1397ca6e0e87a4f0a499b5c
SHA1c809129c505cf0c05ceb0f7ebf5402eae922f9e6
SHA256078f44c04a793542cacd47b550a56dc0aaee4e4e56ab2ab496417ac04a9fb43c
SHA512fd47704ec9f6982e773adbd911e30c20d41cd55d68a4d19bab0c82c97b7e0681f7f8b70fc356186f4bc62c4e9c30cf33dd590ce056e423bf8944163faee7028d
-
Filesize
6KB
MD55906b7b402a19a9bb7e91c07489e39d1
SHA17141aac542fd8b3dabdff462879e2b754acb2f1b
SHA2568c5a46f3ea667224b74dc08e9997d531e3ed0ca0a9acdaaf8e442ff386c8f8a6
SHA5128accee22de4b1cffa9565129b94a104cd1e6d21f176cd124f66dde91e8237a741964a0369ba3435056f9ded71ea441a9eeacc1c817f9f3012e39a1caab14715d
-
Filesize
281KB
MD524925abcd1effdfa3c951975e4ace922
SHA1d1362f50f75587f8152ed0e0aad0c50b1d5dd01c
SHA256af3d81e4c0c261b4212b131e82b0d849458f3a0753a1150b88c12a7449742604
SHA5128b782cb5ed839eb076c6111ab93c9edb19523cc0b53d594c6a79df6841faace398a93e04dddf7dafb7b02761fa751109af39f8621bce33d560442cd04fb12273
-
Filesize
120KB
MD56c821e6e2a720f6e597f39a97204c1b8
SHA1972caeef7a96570f0dfc722f627917a69ecc38d3
SHA256200b4dc245092d422ad838a5cd0cd64662643c49066b110ba0fac6893f42f790
SHA512abb67a666f895f3b63f32373a4925e192ba027a92809f9b6a732c622d791fe4d06e1240c0406edd2b8c0f5bbbf5249925aff715e2e946efe43df2d2fb51b47b2
-
Filesize
252KB
MD5e0e39fb70afaec0c9940bd2f039e414b
SHA1996f1854effe540cfc74dd5de48378e0c270ea88
SHA256e4bb4c118b62afef3101fb33fda45ba34e5f5fd3b605fe4608ec531360487e57
SHA51287b6f23130436d9954b2114b4f155d685da262b5b39714a52f7196056d01e910f93d5b6260dd0b7dc22c7d7103ada61eb6492ccbf5d5616ad5c9844ee6e591f9
-
Filesize
186KB
MD5e1924caa5d28dd253147c9a14306da9e
SHA19a46337f3bb50f274955bbb9964b2f39c9a85440
SHA2565632148d2d583f53e5700d8579a8518d7be2bc3252bc9e73893dc3f60cfe7fcf
SHA512c3d9fdd14bfaf238e69330cc6cebcdd43f0f5d59449437ddb9e4734d3f195184fc9f6ee563486ec259b4a337eceb3729e61e9673e4d2553a99b86655a2eb9fe4
-
Filesize
200KB
MD5a3a0404642009eadc6639cb34cdc085d
SHA189a5e72546df0b6dadcfb8eca23f7441840eef67
SHA256de563f6a7cfb0e7d3b7969c7c1313ba45de4d8478e863979f03d1f0f3b9f8ffd
SHA512968bf21ce20710ec1c04b0cfa92a109b7eb7ede0db93897b7ec89d0adea6a29bcb0926c3326f3b0d0139446fded3f5ca2d8551699a3ff505c11786b4a67b791e
-
Filesize
171KB
MD598095f7a7c06b6796fe02caa2ba34b28
SHA1ace52bd3a832eb208b0a4002d40e366f87351515
SHA2562ac88ac52b0adcb9a530c23babd462a209ed60a7ffcce9371be8dfb4039e8340
SHA512bab9c6c9da3f55ddd596fb964f381039225a5e1ab449cea0838269b572400cbd34262edacad37fce1bd5b77c3a92109d3251feb668db7a3b7d3011c9394e2bcd
-
Filesize
288KB
MD50d60c5dcf33d4851db625458057c5357
SHA114fbbdbc3deca69c33e44c090a7a384bf847dfd9
SHA256ca7937da95e71fd30f6899e8c55f38c8c326aad479c47e1154e224ab2b512d44
SHA512907e97048d7f627599dc83506d12c977fde9d8596d84fb5282cd9799f81583b031acd6e9a4d36bd7b6bd5cc909ce5971f18094d5e8f4c68f4bf51ab8ae42ff5d
-
Filesize
193KB
MD58a12625bfab74a79e11e37f59b0a8830
SHA1d4deb1bdf33ac46765f3e21feeed9e16cdc2cc52
SHA256cfdf1c0ceaf2574f434f4f60e0190a926608dc6d48da53ebcfe59d9a9581f168
SHA5127752aa886da2404b19fcdeeea28f8f08a5cabc553d5b64f5e3c2ccb5886d09995aa2434503e918da6dd12d557736e0edee2c5900011f1fd40dd553b0255e37aa
-
Filesize
113KB
MD55e11cba73f1eaf0f5e0993a04065b413
SHA1ce3fba4af5e64ca8d4d1879684a3287faeaf1d94
SHA25684257f2abc570d82a3494d9c3e78eb350e0791af035280f852d2b362b320bf97
SHA512ee8a28513bf72d63bdbd893b5c9b580f58957cb7863b84bad70da7fc81e442bf021f4ea2d92ebd07965dbec3a6b6ab9a0ffcfafe08296bb3541ee27537fbfe0f
-
Filesize
215KB
MD5bd0640c6872305a1ba3ebf6d967f9a4b
SHA1799677a0188508611f2c1ebaa35ae514e8672ed7
SHA256bd3aac944c1c2287e0aaf265544f2a35e90a6d3a3805731e652eba3ecaf05d13
SHA512deb9756f0715974a64d417b48f473f71634761971746fece20e15b9aad6879c16c30d996746f5c4de3448f3c9017d3e28cfc91309a1781782da299cf5b2efae1
-
Filesize
222KB
MD55bf89529bdd4ee68c40991fd90bbe8ac
SHA1aae34a4091a3eaa8812772a4b34ca186c264ce20
SHA256d551414f3d088972772c77e3fbed88837504520890852d26a2f9236fe62889a4
SHA51269bf1a65d08430c5e02f8c8eacce5ab1bc5221a5805d22028695e22f709dcb7a63a81744dcdc8b018268588fab7903db2d0e1e1b6381c06c074feaaa00c9192e
-
Filesize
416KB
MD56fe7931251215ee8241645d85f8d6c07
SHA19698609cf449a1e65ba9487760a963646a0182e7
SHA2566880b0766d4789cedd88b5a76e8deca3c1bb157a5e25fd4d22f204f0a84e76c2
SHA5121c685aa6ff70c564cf9b308ea059bb043f97ffdc99c6e4173abcfe10bce297146c0c4f9948f581fca72c15e5b30ba93ee1bb49038296a88a440c0b986e46bfc9
-
Filesize
244KB
MD55dbc30ddcb3320abdae62005cd2f6a66
SHA1a09401e0d4bb4757f57a92b3c50ebee04cf941ff
SHA25627b04046c60ed85e85b6b2fcd9af683ab66bd9d81b22a6bbd224a00e6b1116d6
SHA512d65315e98d274320f2202c8c38a6d807238faea1e65abcd3f956704d7089b3d92f221bae2d6761628e274c297e61f95fae82adff7587de2c37e0057635b32339
-
Filesize
273KB
MD58909cd12906ea0d53defb3b4bd3a0a33
SHA125fa1760d2baf4ac0c0d5557463755445896298c
SHA256e0fbbeaa48a277132e6009f1bace097039f8ef91dddd2e42db67999af1c9f7c2
SHA512ef3726e5935b31c07da15d8b5e56df098b01db8357ba5fb71810d6cc12fc180076f74c74c53bf7ca7e5573c1f14201b9953654e483b59257f0bdbfd197d930a7
-
Filesize
10KB
MD54af269b2f52872238047f95f64c608e0
SHA1ad2fed3f9a87973a97eee1c937769af4f632eed0
SHA25645b8608289ed0d662b7b18c19aa96f9b27364487c02eda22bf69727cfddbdb0a
SHA512d860de5d2ad60003b1535b3ac19d138d284ca9e7f51a1812759c016686de6e79eaa797d5ae21f3de889786fa8c0829b632ef98e505e2c34fa07ea48de1d282cd
-
Filesize
266KB
MD5e8d3d10436e7ac8249bed082f39fd846
SHA13bf76104270027a796016b5de561eadc6bd8779d
SHA25641737d673cb36ba82ed58d4afddf39f2bd28f40c2770605be93451e1305327b0
SHA512d65acc5044633aaaf185f213c8dfa4b404446a4a402f8711382ec952e3f9ea026c27c084817183f7e7781dbbae7c05aa150cd1a5e215c3a297d2caa4c5dec4ba
-
Filesize
208KB
MD52050cf34e6414bf0ab86d38994f62e37
SHA138c0434709b188577d4b562d58beb4eeaf2a9da9
SHA256b3e957ac9f8af24e066d26aadee2f03347de9822d769bba213dfe2acef27cd1c
SHA512a837c552289fc3e27cd925ee4dba77487ee22750c2bcfc920fdf44a685e7fec7218980b922e33285e38b73d9051466e3eaacf40861777ca7c279e9b8fd879bb8
-
Filesize
105KB
MD500fdda308f74109fda9831afbef89837
SHA1d9f61007cfa98862480484838cc80197720bf293
SHA25673bef4f0bc8fe4bb86eb87e14a8fa924866982ce3445210992a38fdf2591ea5a
SHA512e8afca5653dac50737b61ce3afcd2d5b904d96368bf749fa0cdaa530e1461ac7fee8cba541caf7f455da94e17c3e04f94fc5a64783a3ab813b16b41747047a1c
-
Filesize
142KB
MD5cc7976a5074d1fce6718e9353a27750d
SHA1ff8f12422b6a416fdf3bbc7b4156a7d665e58da0
SHA25646f6485706b8ca1e59da519a7f811b678a2d39569730853d06d4bd58194e8bef
SHA512ba29049c7edf18503f786810038c86f0518d016a6f351e43773a3f3dd6ea1b3ddbb253aceee8cddd4a8ac99a97a3f633827b17ed049b6495dde4165718ddcc22
-
Filesize
230KB
MD5c58fd074404e88c917a8f0060e4dda37
SHA1cb20a3f71d866db0c8cc298a90be08c94a0b5a20
SHA256e6d87468542ca4bbfbc21846cfdbd160411ee8beeaa94c0343eb53c948e4fc68
SHA512174c24adccc792024e75d740ac6ae4e0024e63c7ffb1bf34471cca4896b9a1db4123961c8b55696779a4ea58327670620fe1966909dbdbae2eb0c6258dec5ae7
-
Filesize
149KB
MD51a0e3d8e930e1285c6b81fb2397ab77f
SHA1718943b065c253336377b1a39a88664d83d884ab
SHA256046b97b89789bb8a035968ab9aaf32ee1f8edf997352035dc83753c872058689
SHA512e2caf77a7f37197050df32f127c80df4cdd008eee431a110063d0dc33765cc116326e19c01d8d2ffbcba67f94de392eff0fa7b3a176da13fa62b3fcbd00329c7
-
Filesize
135KB
MD549e869e168a575df06340dc9d2fde936
SHA1013e7f7cbe8a03cf398910a28fa6c6dfdfbc6250
SHA256e5e6a0669d232d7cda545aae33a1759b4ef31303fef666edf97bafdc23124c0a
SHA512fa50ecffc04d30fbe2287adb0c442dcf67c10e513bb88daafcfe018d92ce09cb46e608806e667ab2e1ea362e430a0362905e719c0ea54236516e58b90e540810
-
Filesize
303KB
MD58bee1f7712221eeb08d81a00897d4723
SHA14f36ccac1fee52857bf654163847943fcb72b226
SHA256f081c618dccde0d110f99a62cb74656292c9d2176c6bc210873ca2bd203376a0
SHA512a78f49b19f4d8108880d4e4bb8e2183ca515de2ba837dade7f8fadd1d1978689d0a55dfb0bce3676b18dba0023e5f82d15e862fdc762bae2635076fc4628c4ba
-
Filesize
164KB
MD58738392357b4633e13340f0564775639
SHA12f41e0bb2ecb69f09289981676ac8d2faaa435c7
SHA25674abf2b38fde5af0dc4bf5a0c106f508e3f8567c1d39140cacfe2767edbf9207
SHA51207c7ca7a07ec89d705b93c624e7b7e08e1ba78fbe4a9cd828b1cd27dde1e90a1816f1b007ec4ffe11bba8b9a72b2913c5793f29cca2bab70ea68ef034f0ac528
-
Filesize
178KB
MD59d9dfb06710c3562251656fcaf93b049
SHA15ce3cc412f83f43c1823ce300139c9626bc19b3d
SHA2563bc1a45e96c337ab44b400f62c27921cedc37faff7f3ae81d426d275d96c44c7
SHA5123fec3e13212ae9e85e15e752f0e4ac630a51c28a2c04fc266aba17e6911eb83884a89949c261036e6012a99c1bed7971ffe597de812b45094ac5e4b30c7f9ec9
-
Filesize
295KB
MD593efd13ed7a23851b110a4044d257f0e
SHA1efd37293344b1d5772259401a8aaa510472aaa4d
SHA2565cb6b63493d0b2a373ed167986a370c1ee5727ed4325084e4e1140072fcdf1f8
SHA512dd693e1315356818c3ee5f0fca9a96ed40a2fef0e6321fe5cce29401c1ad6d598fd8fb75204d40d19cc280efeeab47c577a3f6dd12675b4dbbb18d223edb7aa6
-
Filesize
237KB
MD5538d482a6f4a6beae95dafdb8dd12c80
SHA127999ac339fa52648e090067d81e2ce3b307524e
SHA25661a052c08c4426220bedb9fb6f6f1bd789553c1c22ac5ae72f4616dff854b120
SHA5120f424c697151b293c7baefecb59a7eb4cdb948845acbb4847371ae7c77bb5305af152336c9b84dbaf50c259422177fe122adf945a11cebe28b9aae4f11275b90
-
Filesize
259KB
MD5ecf14d142223c23b98212940e7da6824
SHA1044bee8b1f060b035931226b604cd60471a108c7
SHA25687852f545ffde5decfa645f1276d4a11f2518f4664037232a6341186bf448bb1
SHA51262d677da25e979a565d0c4f7f0de4ba43f05a09b018ad85a08839c063234ca0a75ec52d619cda9fbd84938605b16173e07ea0a2aa250572836abaf3a7432f2ef
-
Filesize
157KB
MD5652571a054a80934f73c47c1488092df
SHA17bf11351a52b80f4ddff4b5f0aeb868e053d0014
SHA2560c725ca3e32f9590aa2bdad2d10735bf815b186b4d55b5a0aa232d457b94ba84
SHA512f115f0d3e141ef612a5b2dc3b527529da74025cd38c71552595a371b60aaf2eea6757a1a654d4d211c28d0504ce42e48f1c11e7c2e6cef452605a9c5e55fe138
-
Filesize
127KB
MD53668144250d15c11e227012ed44551c5
SHA191ea66292d2827496b42b809b5134289b60e48d3
SHA2566332e58b84171b9a02c95de5a46412f100f60b287dc9cdee2ef2345cab138cf1
SHA5125d0b0575ce08f6d8e53f8368830ab58b533eb6fca6f0d4f3d674dc0ec52c90bc5022b262824956330d32b008af1157396fdaa5835a80df1d48cc7693c855844f
-
Filesize
14KB
MD54225c892edf89c058b370e8426c87295
SHA1af4863fd41514b36bda16d3073d26353094ae3d6
SHA2561e2b4d5e4aa8f3ed10c834d346a4ec606c84e769b51186fe959ed7104f7b2567
SHA512f07a625343412d8447ebfb68f91812433294adf483b706c7319833b11d8590b7566fd754e3c1e7dc3132c6c3c19e0b5a1978b6a2db0528b012b8e2372916b922
-
Filesize
206B
MD5b13af738aa8be55154b2752979d76827
SHA164a5f927720af02a367c105c65c1f5da639b7a93
SHA256663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4
-
Filesize
426KB
MD5113056fb603b8c6eeece5a67759f229b
SHA1396e69666d50f4b31ad17de3c098e831a6506558
SHA25653575cf8eb1ce355b1f2b3dc1b7ae2b645501ef4ae0761929e9e531f97043197
SHA51227ef1da9aa8a6a35e9f8344b8e85ef2f5baa5afeba6befe3ac71cff500f24e5b887f2cae7e7c113eb9e7b8b423ad38c32fc78467189bb19a89a25957835f29a3
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
296KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
152KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
212KB
-
Filesize
1.8MB
-
Filesize
212KB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
1.5MB
