Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2023, 17:28
Static task
static1
General
Target: file.exe
Size: 876KB
MD5: 6259a452b7dd8c8d9e3b5a3fcb14b332
SHA1: ed819813e16ee2133bacce142c4b31df5c2be4eb
SHA256: aad3b2756d7b28f0deaec73b52c134f8f9367c27ee9ab1a9b79be7ddfbca170e
SHA512: ba809fb174074042c40f455c855d23f07a55ff6e0fc6f32ff0781bc2f01453003f63542accbc8a1a30522400c7d4decb0b6b4d4436c36a22adfd2bdd9c384275
SSDEEP: 24576:KyO47GmTD/eVflOdxGf+IbTOpPCRCsuv+mPOV:RP7G+yVY3+TOplVe
Malware Config
Extracted
redline
jordan
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
install_dir: fefffe8cea
install_file: explothe.exe
strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted
redline
larek
77.91.124.55:19071
Extracted
smokeloader
up3
Extracted
redline
@ytlogsbot
176.123.4.46:33783
auth_value: 295b226f1b63bcd55148625381b27b19
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
DcRat 4 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description | ioc | pid | Process
pid 1460 | schtasks.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | file.exe
pid 5696 | schtasks.exe
pid 5988 | schtasks.exe
Detects Healer, an antivirus disabler dropper 6 IoCs
resource | yara_rule
behavioral2/files/0x00070000000231f0-26.dat | healer
behavioral2/files/0x00070000000231f0-27.dat | healer
behavioral2/memory/4000-28-0x00000000009D0000-0x00000000009DA000-memory.dmp | healer
behavioral2/files/0x0009000000023265-312.dat | healer
behavioral2/files/0x0009000000023265-315.dat | healer
behavioral2/files/0x0009000000023265-314.dat | healer
Glupteba payload 11 IoCs
resource | yara_rule
behavioral2/memory/6076-502-0x0000000004AF0000-0x00000000053DB000-memory.dmp | family_glupteba
behavioral2/memory/6076-532-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/6076-631-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/6076-637-0x0000000004AF0000-0x00000000053DB000-memory.dmp | family_glupteba
behavioral2/memory/6076-641-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/6076-838-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/6076-869-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/5352-962-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/5352-1061-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/3764-1063-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
behavioral2/memory/3764-1079-0x0000000000400000-0x000000000298D000-memory.dmp | family_glupteba
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | FAFE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | FAFE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | FAFE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | FAFE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1AD84Eo7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | FAFE.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
resource | yara_rule
behavioral2/memory/2720-48-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline
behavioral2/files/0x0006000000023261-340.dat | family_redline
behavioral2/files/0x0006000000023261-341.dat | family_redline
behavioral2/memory/5600-343-0x0000000000860000-0x000000000089E000-memory.dmp | family_redline
behavioral2/memory/5380-534-0x0000000000940000-0x000000000099A000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
2628 | netsh.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | FD60.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | explothe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 105D.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | kos1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | kos.exe
Executes dropped EXE 41 IoCs
pid | Process
4468 | RT3Gs31.exe
4640 | vn6YO89.exe
4620 | uQ6ye90.exe
4000 | 1AD84Eo7.exe
4560 | 2js8162.exe
4928 | 3qD33DG.exe
3036 | 4VD091IM.exe
4656 | 5Lg1Yh7.exe
2980 | F58B.exe
4564 | lj0HJ4rC.exe
3300 | F6C5.exe
1552 | HD5ki2cd.exe
1724 | LK3FM7cm.exe
2784 | Qd3cZ3Ut.exe
2580 | 1Dy66dA8.exe
3680 | F9C4.exe
5124 | FAFE.exe
5348 | FD60.exe
5552 | explothe.exe
5600 | 2uh893mB.exe
5864 | 105D.exe
5908 | ss41.exe
5984 | WerFault.exe
6076 | 31839b57a4f11171d6abc8bbc4451ee4.exe
5160 | kos1.exe
5240 | toolspub2.exe
5216 | 1494.exe
5380 | 1754.exe
5740 | set16.exe
5404 | kos.exe
5716 | is-7ERF7.tmp
5584 | previewer.exe
2856 | previewer.exe
5108 | explothe.exe
2088 | ugatwev
5352 | 31839b57a4f11171d6abc8bbc4451ee4.exe
3764 | csrss.exe
5784 | injector.exe
760 | windefender.exe
4336 | windefender.exe
4368 | explothe.exe
Loads dropped DLL 6 IoCs
pid | Process
5716 | is-7ERF7.tmp
5716 | is-7ERF7.tmp
5716 | is-7ERF7.tmp
5380 | 1754.exe
5380 | 1754.exe
6068 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Uses the VBS compiler for execution 1 TTPs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | FAFE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1AD84Eo7.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" uQ6ye90.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" Qd3cZ3Ut.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" RT3Gs31.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vn6YO89.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" F58B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" lj0HJ4rC.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" HD5ki2cd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" LK3FM7cm.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from detection.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 4560 set thread context of 4056 | 4560 | 2js8162.exe | 98
PID 4928 set thread context of 4600 | 4928 | 3qD33DG.exe | 103
PID 3036 set thread context of 2720 | 3036 | 4VD091IM.exe | 111
PID 3300 set thread context of 3720 | 3300 | F6C5.exe | 152
PID 2580 set thread context of 5140 | 2580 | 1Dy66dA8.exe | 159
PID 3680 set thread context of 5468 | 3680 | F9C4.exe | 166
PID 5984 set thread context of 5240 | 5984 | WerFault.exe | 193
PID 5216 set thread context of 5964 | 5216 | 1494.exe | 200
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 31839b57a4f11171d6abc8bbc4451ee4.exe
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\PA Previewer\previewer.exe | is-7ERF7.tmp
File created | C:\Program Files (x86)\PA Previewer\unins000.dat | is-7ERF7.tmp
File created | C:\Program Files (x86)\PA Previewer\is-G6EVS.tmp | is-7ERF7.tmp
File created | C:\Program Files (x86)\PA Previewer\is-LEC58.tmp | is-7ERF7.tmp
File created | C:\Program Files (x86)\PA Previewer\is-9K70G.tmp | is-7ERF7.tmp
File created | C:\Program Files (x86)\PA Previewer\is-TH29V.tmp | is-7ERF7.tmp
File opened for modification | C:\Program Files (x86)\PA Previewer\unins000.dat | is-7ERF7.tmp
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3352 | sc.exe
3120 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3380 | 4560 | WerFault.exe | 96
3424 | 4928 | WerFault.exe | 101
1404 | 4600 | WerFault.exe | 103
4756 | 3036 | WerFault.exe | 108
3960 | 3300 | WerFault.exe | 143
5308 | 2580 | WerFault.exe | 150
5404 | 5140 | WerFault.exe | 159
5592 | 3680 | WerFault.exe | 153
5152 | 5380 | WerFault.exe | 197
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5696 | schtasks.exe
5988 | schtasks.exe
1460 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-492 = "India Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. 
Africa Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4000 1AD84Eo7.exe 4000 1AD84Eo7.exe 4056 AppLaunch.exe 4056 AppLaunch.exe 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 1648 msedge.exe 1648 msedge.exe 4420 msedge.exe 4420 msedge.exe 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 1212 msedge.exe 1212 msedge.exe 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found 3152 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3152 | Process not Found
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
4056 | AppLaunch.exe
5240 | toolspub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid | Process
1212 | msedge.exe (11 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4000 1AD84Eo7.exe Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: 
SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeDebugPrivilege 5124 FAFE.exe Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found Token: SeShutdownPrivilege 3152 Process not Found Token: SeCreatePagefilePrivilege 3152 Process not Found -
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
1212 | msedge.exe (26 entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
1212 | msedge.exe (24 entries)
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3152 | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description (source PID wrote to target PID)    pid    Process    procid_target
PID 4256 wrote to memory of 4468    4256    file.exe    85
PID 4256 wrote to memory of 4468    4256    file.exe    85
PID 4256 wrote to memory of 4468    4256    file.exe    85
PID 4468 wrote to memory of 4640    4468    RT3Gs31.exe    87
PID 4468 wrote to memory of 4640    4468    RT3Gs31.exe    87
PID 4468 wrote to memory of 4640    4468    RT3Gs31.exe    87
PID 4640 wrote to memory of 4620    4640    vn6YO89.exe    88
PID 4640 wrote to memory of 4620    4640    vn6YO89.exe    88
PID 4640 wrote to memory of 4620    4640    vn6YO89.exe    88
PID 4620 wrote to memory of 4000    4620    uQ6ye90.exe    89
PID 4620 wrote to memory of 4000    4620    uQ6ye90.exe    89
PID 4620 wrote to memory of 4560    4620    uQ6ye90.exe    96
PID 4620 wrote to memory of 4560    4620    uQ6ye90.exe    96
PID 4620 wrote to memory of 4560    4620    uQ6ye90.exe    96
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4560 wrote to memory of 4056    4560    2js8162.exe    98
PID 4640 wrote to memory of 4928    4640    vn6YO89.exe    101
PID 4640 wrote to memory of 4928    4640    vn6YO89.exe    101
PID 4640 wrote to memory of 4928    4640    vn6YO89.exe    101
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4928 wrote to memory of 4600    4928    3qD33DG.exe    103
PID 4468 wrote to memory of 3036    4468    RT3Gs31.exe    108
PID 4468 wrote to memory of 3036    4468    RT3Gs31.exe    108
PID 4468 wrote to memory of 3036    4468    RT3Gs31.exe    108
PID 3036 wrote to memory of 1828    3036    4VD091IM.exe    110
PID 3036 wrote to memory of 1828    3036    4VD091IM.exe    110
PID 3036 wrote to memory of 1828    3036    4VD091IM.exe    110
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 3036 wrote to memory of 2720    3036    4VD091IM.exe    111
PID 4256 wrote to memory of 4656    4256    file.exe    114
PID 4256 wrote to memory of 4656    4256    file.exe    114
PID 4256 wrote to memory of 4656    4256    file.exe    114
PID 4656 wrote to memory of 3864    4656    5Lg1Yh7.exe    116
PID 4656 wrote to memory of 3864    4656    5Lg1Yh7.exe    116
PID 3864 wrote to memory of 4312    3864    cmd.exe    117
PID 3864 wrote to memory of 4312    3864    cmd.exe    117
PID 4312 wrote to memory of 3676    4312    msedge.exe    119
PID 4312 wrote to memory of 3676    4312    msedge.exe    119
PID 3864 wrote to memory of 1212    3864    cmd.exe    120
PID 3864 wrote to memory of 1212    3864    cmd.exe    120
PID 1212 wrote to memory of 3088    1212    msedge.exe    121
PID 1212 wrote to memory of 3088    1212    msedge.exe    121
PID 1212 wrote to memory of 2264    1212    msedge.exe    122
PID 1212 wrote to memory of 2264    1212    msedge.exe    122
PID 1212 wrote to memory of 2264    1212    msedge.exe    122
PID 1212 wrote to memory of 2264    1212    msedge.exe    122
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RT3Gs31.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RT3Gs31.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vn6YO89.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vn6YO89.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uQ6ye90.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uQ6ye90.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AD84Eo7.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AD84Eo7.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2js8162.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2js8162.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 5926⤵
- Program crash
PID:3380
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qD33DG.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qD33DG.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:4600
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 5446⤵
- Program crash
PID:1404
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 5965⤵
- Program crash
PID:3424
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4VD091IM.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4VD091IM.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:1828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 5924⤵
- Program crash
PID:4756
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lg1Yh7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lg1Yh7.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A383.tmp\A384.tmp\A385.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lg1Yh7.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa74cf46f8,0x7ffa74cf4708,0x7ffa74cf47185⤵PID:3676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11458449860045771510,9297466029397723618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:25⤵PID:892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11458449860045771510,9297466029397723618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa74cf46f8,0x7ffa74cf4708,0x7ffa74cf47185⤵PID:3088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:25⤵PID:2264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:85⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:15⤵PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵PID:4792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:15⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:85⤵PID:2980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:85⤵PID:4888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:15⤵PID:4076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:15⤵PID:1236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:15⤵PID:2596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:15⤵PID:1316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵PID:5876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:15⤵PID:5324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:15⤵PID:5252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8001494730788773907,13481265591748387358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:15⤵PID:5200
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4560 -ip 45601⤵PID:5028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4928 -ip 49281⤵PID:1624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4600 -ip 46001⤵PID:4340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 30361⤵PID:2828
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4640
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\F58B.exeC:\Users\Admin\AppData\Local\Temp\F58B.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj0HJ4rC.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj0HJ4rC.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HD5ki2cd.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HD5ki2cd.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3FM7cm.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3FM7cm.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1724
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\F6C5.exeC:\Users\Admin\AppData\Local\Temp\F6C5.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3300 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1522⤵
- Program crash
PID:3960
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qd3cZ3Ut.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Qd3cZ3Ut.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dy66dA8.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dy66dA8.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2580 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:5140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 2044⤵
- Program crash
PID:5404
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1563⤵
- Program crash
PID:5308
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uh893mB.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2uh893mB.exe2⤵
- Executes dropped EXE
PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F80E.bat" "1⤵PID:180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login2⤵PID:5776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa74cf46f8,0x7ffa74cf4708,0x7ffa74cf47183⤵PID:5816
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/2⤵PID:412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa74cf46f8,0x7ffa74cf4708,0x7ffa74cf47183⤵PID:5296
-
-
-
C:\Users\Admin\AppData\Local\Temp\F9C4.exeC:\Users\Admin\AppData\Local\Temp\F9C4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:5468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1482⤵
- Program crash
PID:5592
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3300 -ip 33001⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\FAFE.exeC:\Users\Admin\AppData\Local\Temp\FAFE.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:5124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2580 -ip 25801⤵PID:5216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5140 -ip 51401⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\FD60.exeC:\Users\Admin\AppData\Local\Temp\FD60.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5348 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5552 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F3⤵
- DcRat
- Creates scheduled task(s)
PID:5696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit3⤵PID:5736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:5948
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"4⤵PID:6056
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E4⤵PID:5380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:5476
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"4⤵PID:5504
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E4⤵PID:5444
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵
- Loads dropped DLL
PID:6068
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3680 -ip 36801⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\105D.exeC:\Users\Admin\AppData\Local\Temp\105D.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5864 -
C:\Users\Admin\AppData\Local\Temp\ss41.exe"C:\Users\Admin\AppData\Local\Temp\ss41.exe"2⤵
- Executes dropped EXE
PID:5908
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5240
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
- Executes dropped EXE
PID:6076 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:5928
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5352 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5712
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:4664
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:2628
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6052
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5736
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:3764 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5684
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:5988
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:5260
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5344
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:5784
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1460
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:3520
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:3120
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos1.exe"C:\Users\Admin\AppData\Local\Temp\kos1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5160 -
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"3⤵
- Executes dropped EXE
PID:5740 -
C:\Users\Admin\AppData\Local\Temp\is-LETA0.tmp\is-7ERF7.tmp"C:\Users\Admin\AppData\Local\Temp\is-LETA0.tmp\is-7ERF7.tmp" /SL4 $130184 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 522244⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5716 -
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 85⤵PID:5416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 86⤵PID:6008
-
-
-
C:\Program Files (x86)\PA Previewer\previewer.exe"C:\Program Files (x86)\PA Previewer\previewer.exe" -i5⤵
- Executes dropped EXE
PID:5584
-
-
C:\Program Files (x86)\PA Previewer\previewer.exe"C:\Program Files (x86)\PA Previewer\previewer.exe" -s5⤵
- Executes dropped EXE
PID:2856
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos.exe"C:\Users\Admin\AppData\Local\Temp\kos.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5404
-
-
-
C:\Users\Admin\AppData\Local\Temp\1494.exeC:\Users\Admin\AppData\Local\Temp\1494.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:5964
-
-
C:\Users\Admin\AppData\Local\Temp\1754.exeC:\Users\Admin\AppData\Local\Temp\1754.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 7922⤵
- Program crash
PID:5152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5380 -ip 53801⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5984
-
C:\Users\Admin\AppData\Roaming\ugatwevC:\Users\Admin\AppData\Roaming\ugatwev1⤵
- Executes dropped EXE
PID:2088
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5108
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4336
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:4368
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3352
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Scheduled Task/Job (1)
Defense Evasion
Impair Defenses (2)
Disable or Modify Tools (2)
Modify Registry (3)
Scripting (1)
Downloads
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256: 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512: aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize: 152B
MD5: 16c2a9f4b2e1386aab0e353614a63f0d
SHA1: 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256: 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512: aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize: 152B
MD5: 6351be8b63227413881e5dfb033459cc
SHA1: f24489be1e693dc22d6aac7edd692833c623d502
SHA256: e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512: 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef
-
Filesize: 152B (5 identical entries)
MD5: 16c2a9f4b2e1386aab0e353614a63f0d
SHA1: 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256: 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512: aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: f495886379ce6ca57ce38dcbf7f5c46b
SHA1: 24deec6dae11bbce3f6836cf17c794b696ce062d
SHA256: 01185645b33d7fc9fa514e5132f1c23cff92b8faa017dc4c783a63ce8c0d16e7
SHA512: f9fed6258b56e38f75f0d5dc6672c7a48d5035908fd858eedd4c2e81fc79deef3667c359d8b4880e5ce5045107ba9004f82a01ce3b624d9baba7dbd284e509a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: bec36bd112c3d3737af8ca5ecc40d158
SHA1: b3c91c73cd5394e7a825d5a410c5f145453e5b65
SHA256: 4d3579636e53777bd61093b625137913b44b8c5f4b70bbcb466e346f1a42a760
SHA512: 260c47e39fac6d160de91185fe208a776c9a413096e0be5f43d167c4552c1ddbf2efc046576f4adee092a8d9174590bf5ec44fe131a3e1aa98c85222396cd4f2
-
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 1KB
MD5: 124a5855a088b763b47b6907354e22b2
SHA1: 9cebf9f09f9d6d42252f83c5f0369f913b08c7e9
SHA256: ac22585e3592a9960d474d004af874a5592329904a6457e30a0932c270bd30e6
SHA512: 4f356058fda2f96ce03a8806ab1b7b8c9135a66d773e0c7dd6802be79ca4c2196d71fb3be68ebb46354c8b6acad8b9c607c24369da891ea6c3a839829814911b
-
Filesize: 6KB
MD5: 13533e76e33add87914d4489128e9b41
SHA1: f2c32362f6e120c13563ab5b48a68c0edd936f11
SHA256: 3df9b08aa490e36a729f92f35d1f3b3d8777af8061a5c4b54354efe67f9a8f61
SHA512: 40d612238a3188043acc99d936fe772d3a4f3da9ffe6d9ac4817dbd9c33bd2d1b95e06b7e97106c81d1bac4acc692923e3618fe7b42eb1bbf7341d49d0cc6524
-
Filesize: 6KB
MD5: da11bc89652f88a6a8b83432da5272c3
SHA1: 1f59f6dc8ace47e96f601388d60cdb4e27fcc5f6
SHA256: d6e5a8a55953fcc6fb1d765a47727a7a15cd110eb640a682c4eabbc5550b62f6
SHA512: 99146937f7823cf88bf380f5d2ccc9ab53d060f880d5fe7ce8c49d15089fa3ec74335274ed8085207e832d27999fa2b837454f9e2082d440815c1804681912b6
-
Filesize: 7KB
MD5: 7d135cbaf48e3c3ab0ecc8bea885d5e8
SHA1: 680620371c350467a3898c7aa1308d6ab8395273
SHA256: 7afb7c64eb68e47d117bd949b021bc7b8a8974f84515943964378aae95b70d1a
SHA512: 7b64e57c7dcd74c7144df7016d2cc04cccfa88e8aa07ffce696b3298f6475507157dd78faf8852b7a66dc9607cd02180ae1efc7d0ad846b3d1e9482af8936f37
-
Filesize: 5KB
MD5: 2ab30adac24396fbb2d989755b22b8a3
SHA1: cc17e518332ed0484811a59bb9d4ad52c034f74f
SHA256: 02b742a656e9e58c6bfc2d2f7628de80228a0bbaa689600fd43f0671cde0333a
SHA512: 2dc519f61ee7f3d0cf74e62d6a1b87fedaabb66e4ecaf38fbf0f9b15cd22ff1dbc39a0880105b9c11ede7177ec8c6e7da57d2d3cf22e555e60c75bd196539421
-
Filesize: 24KB
MD5: 699e3636ed7444d9b47772e4446ccfc1
SHA1: db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256: 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512: d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51
-
Filesize: 872B
MD5: 214815d7e2d74b7b11e1f90268980496
SHA1: 0b0f1a20d15182cafa84e8e78454c3af56df20e4
SHA256: f772141d7f898630ea51ab4327615ac1687d2c87aabbf450cd93f75cf3c3f83d
SHA512: b68db961d4ace87b6f5d3200676001c2af0f6d1649d5c88ebcd2f82a5a215abc4c18beef1aefda469f7bdd05dc23358d5b10dce91541a8e107791d1f008fcabe
-
Filesize: 872B
MD5: 89533e88035174828c6c98b62968581e
SHA1: bd8d7f096f6d320bc70dc5d7372b478316036df0
SHA256: 211d8a18923d7ebb38322b48864271897524fc5d10a44457201023c463ce43c0
SHA512: 0991c72f91fa296af87dba7b332949034e38481e2134030da8961b8367505d186b0a1f18569dcb65b3838377dc7901cf745bb84b62d9f51b79a316e1e1a43a55
-
Filesize: 872B
MD5: 40eaf4b5bc11210f02d55256ae7a0ef7
SHA1: 147f580272160a6a5e8896db77b52e324d26fc3a
SHA256: 63604e2fe6e7d82f84424ac0d510a5e45c5cff39b2e472e13fa60ae7965e8b93
SHA512: 458d02a5f8b76e1cf5bb0d111dd22df73144c02c891d08b7402c2e4ab6d0e8a82c03c3c793ccdc4c8e5b3cc42dbbd665bb707b33d42aa17f4987fbb386e4794d
-
Filesize: 872B
MD5: 424c0ec337e8ffc80d41c56c17755292
SHA1: 59719e2e3ecb9fac365fadea836192591993c774
SHA256: 2d8c7707366350f20f7f95c71935247b8c806d9acdaf01acd66c0ff5aafc9e00
SHA512: 4623722dece49a2b451ded3fcd7430a62ee974f978cd0403ba7b9126a3e88e1f4ba78133f7d235edd8713e1765e739a50bc88808fbaa6db956616984ae6896bf
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 2KB
MD5: 3b01956d41656210e6cfa7f642efe65d
SHA1: 69ea4fc8808ad68dceed7547e9486453ffbce7af
SHA256: e04f1bf107a15496e6f8510b33d33fd06354327469807f72daa5bccc87c8e3da
SHA512: 1b2eb39ba79f3abd364d309a9c1d1fdc4a1b7d0bdc708edf94231a0ef8ae771c7f372178bbcaf5bebbe681af1e2b78cce3fc9936d2ad0492fc04ca65e97cf8bf
-
Filesize: 10KB
MD5: 2c88214587e6b3b9d9b842646cfaf315
SHA1: e5554c8922238317f18d15c121655351213fa8b8
SHA256: 6b3e9f613668801e83749f9ef7b2b9754c490d58011000074cee85060f4ed53b
SHA512: ee39492a772699025d8c9dab884bf0510666415774d14db3dc5035871e56962ccfb374080e92e700268150969e292a1bb818e2191be387189f62528bcbe3bac2
-
Filesize: 2KB
MD5: 3b01956d41656210e6cfa7f642efe65d
SHA1: 69ea4fc8808ad68dceed7547e9486453ffbce7af
SHA256: e04f1bf107a15496e6f8510b33d33fd06354327469807f72daa5bccc87c8e3da
SHA512: 1b2eb39ba79f3abd364d309a9c1d1fdc4a1b7d0bdc708edf94231a0ef8ae771c7f372178bbcaf5bebbe681af1e2b78cce3fc9936d2ad0492fc04ca65e97cf8bf
-
Filesize: 10KB
MD5: b9f835c7449cddd7c144a281b553e8df
SHA1: c36cc6b4a4cca32069bd2ece34ecd01e4c6ef15b
SHA256: 7022ebfec1f83b56cb5a4c6e0e15cac9a407cbb3884dd06f616baf77c419afd9
SHA512: 7326cf207034b278ab7089ac08d59e77f614150c1c906a24e9bfb14dd9c886af38993fa03d774eb4278b3f9b75412429b7a65aedb49aa241a27e8b9783e7ca95
-
Filesize: 4.2MB
MD5: 7ea584dc49967de03bebdacec829b18d
SHA1: 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256: 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512: ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0
-
Filesize: 90B
MD5: 5a115a88ca30a9f57fdbb545490c2043
SHA1: 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256: 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512: 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe
-
Filesize: 1.1MB (2 identical entries)
MD5: 43bd005d9ae6370d5902072baa67b82b
SHA1: 80d78912f526196d55e22bee1042cec08d101a60
SHA256: f26a2c4355da50ab5b04d99ea0490cb8ccf761a31cf60681906f03007b2a4292
SHA512: 9ee0b7551f4d8aa95dec3b7507a9d3baabd5a202f50e943982dfe9749302844eb6b09c11753a3f22232610b40ffe3032a98c2bf1151f55344c0a80ceea4d27bc
-
Filesize: 285KB (2 identical entries)
MD5: 0f54d4d0ef737f182362bb20a07878ec
SHA1: 23c31a68cb26b45f0b794ca04e8d27ee3b977961
SHA256: bb2d9ac88ba2320fff0d366ca17328d8c461b91c32b1f56a2754e9f1fc5fba5f
SHA512: 1cb7266a170653b320f45a9eab8f63919d3ba2568df74d474fb2172d60ae80116f1b6e95548eba1508d7b01d17e33660142af5cf87c6d2a55781ed64470f7952
-
Filesize: 79B
MD5: 403991c4d18ac84521ba17f264fa79f2
SHA1: 850cc068de0963854b0fe8f485d951072474fd45
SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize: 367KB (2 identical entries)
MD5: 0e7c5b73ea587b1b83040366cf896dc7
SHA1: 8df5c2abf692f0db40a8423989318499594d571b
SHA256: 668443b62b1deba60f3e19f4f90fb55991abc8f0e97c8802d27f427bf393660e
SHA512: 12718db6e073b5502fe42962f19b8c4ce645b03ffb4753ccd7b176d2567aa6a518555c7f8f222a300e258f1e7774b79717f2dee1f2eefafd65d2e9230c421ddd
-
Filesize: 11KB (3 identical entries)
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 219KB (2 identical entries)
MD5: 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1: ae90587beed289f177f4143a8380ba27109d0a6f
SHA256: 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512: ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize: 89KB (2 identical entries)
MD5: 04076b14c2c299ebeccfe1b54008ccb2
SHA1: 699940d5fd88cd95b3ad93ee799d889e208f7b39
SHA256: 2ef3e07fdba46261fa36163d3afb424c883085452c39fba316b46b018fb810f7
SHA512: af356df845eae452489dc6dfe61622cf0ade30257373e9e3741f0ea648556d88c6a8e91b43e55ea0ee1b4071e6c21587006c4335b7ee24049216340eb43ba9a6
-
Filesize: 89KB
MD5: 6e84a60bcf4a05b4fffd194a384e3e5f
SHA1: aecfb9ae0b76e1c5c82b30e79850b61748fae37c
SHA256: 2f6de82b5a12485b33a3a0c1f2062ad939b13fec22c4bdc40adc48c59a903e1b
SHA512: 0a41f22e93a63930b27cf66f0b609a4b1b40005ddeec28153a547c6f7700ce88bb8d0b56d9bcee6bb14762f026b55ad3d17c635af4d3fcc5e09c59292870c174
-
Filesize: 736KB (2 identical entries)
MD5: 3dc84c561678b358f74900e98c46b03d
SHA1: c18edbbcc0fe89e69f7074ae365989d29c6355bd
SHA256: d1d1896eab8dee20e0aeb217ad25a9a59f2c47c3fdac4154dc85929864637bf1
SHA512: 8249e0c0059028b76a0503bc3167c4a12c19c186b9481db059eda57901ac6d11c2529f5621281fc63056d04c691c22fa9bc9d7f311a29a6434c2b6e06aa21179
-
Filesize: 960KB (2 identical entries)
MD5: 7c13b7130bdba9dceea6cbffcdf81794
SHA1: ee9e34af52da6bc67007da61a9090e8e92b6eae4
SHA256: 2f9e706a0e74a8cb0151727c97027484536b2a17988460ccf2a4ed2ac88ed305
SHA512: 32351ffb171b18492ff964cb71b0a4a7c41ae565693d3794d6e959ad7eaec494a6442bf6dd5750383090d4d9f748f2c499fd866db26de890316e27f1f1768a56
-
Filesize: 367KB (2 identical entries)
MD5: affa37f81ddb062a08de748570081cd7
SHA1: d0c34f09cc76e9d6e1f2775459c2dd4ebc05416e
SHA256: cfcb45a011bbb4d14694f8cfcdb1d55653be033d546146297d2c4b0ec22f7fe1
SHA512: 80668133d282e311dc8d383fba9d0ddcfaef17c055b31c1b08b84c1256efd2ea76e59686cab4fa77c9530e53400f4e6ed0f3a813b4c8cc378422c126e5be1780
-
Filesize: 489KB (2 identical entries)
MD5: 28d2132b41e20633ef10feb752211578
SHA1: 2ab585dd2d36a18d8e9a59bb5e87d1f0adcf6ba3
SHA256: 31ebb88eb5421ecd10fe03111c7d7e1bb957d5e97cf590fa6054b0947102b57a
SHA512: ff6564aa6c084028353b671254cb40f5c71db1923cb44a53663e012f2a9731d2646295f50f0f5d0db59601abacb09eca44d882d26f30426a73dcfe0146b8197a
-
Filesize: 285KB (2 identical entries)
MD5: 53180069088e07f1a208fe9b7813904f
SHA1: 34c5fc1fd65040d9db134589d66d3f52b43107ce
SHA256: 071ed7957b25bf8d6a85810fce6f9a6967341c67a38367f643f453e6c12357c3
SHA512: 5bbbfcd0aaaf7a6593cb43c19055230103ea5bbfdea78b4d6d6a7c9311bac02ccda2ed5247ec80a625589c24d0ea4d29b2901219a2fc740a72391e9979d23312
-
Filesize: 778KB (2 identical entries)
MD5: 92f08cdac57c0e4648479cca29af7c7f
SHA1: e4d99c2e06d4dce225a12bbda4807e787a34ecac
SHA256: 420c353be0c9850dd5fae67876555b9fa550ed5a05e575bd6061f4bad4b0cb21
SHA512: af669b9172f177e89432c79f5b11ae9901eabb2e4e74fc6c1e1976fb9060de8cf8555f5c5b6b3f2da8ec4db2ad33b243e6a70bb715c0aee4c73ada4f08d66294
-
Filesize: 248KB (2 identical entries)
MD5: 7c7ac1901c5187d8d3dd656089dc1cfb
SHA1: a017f32b5633cccb1bd6006911ba72b5742798ab
SHA256: 31f38b34d07605531d741d235efa79f578c20ca385414377c1dd8b06c8919915
SHA512: 114b4414333756f640ca73f72f6b92ab1e1b1cb8004e0dbf23229aa1ccdc40f201e34aeaf2edfa10f7ea36130960a8c6bd4fbaa3e07c8e0628fb83e9f58b8243
-
Filesize: 12KB (2 identical entries)
MD5: f680b969bf21ae1cae5f4e636e8ec4e8
SHA1: 5795e20206b8c798f9faedf2fccac9b48db8b75e
SHA256: 95cd759c2f84d75a255f46705185f6eb042f2e13c98bb9fa7e69f0eda8f7fa1e
SHA512: dda764869213a1eab9cb1fe74e4947072e8ffe598ed99690ca5ab3a1daa0c264739647a8ad63041b48dc43f4af79992cc3f40e41fc7fa3e384be85b4dfe98854
-
Filesize: 175KB (2 identical entries)
MD5: 93e8d0075a5a92e08a8f776806cdf5b2
SHA1: c23c30f52335137dc38d6a34c75a0e36b639ab25
SHA256: 93eb15d51d32c11b1921c68eb4adc5b45bb0a87a2948816286eed51dfb744ae4
SHA512: 2cb375162cb8684011b36d2bf9b36a82aecfaa2b0d0d45b0f135b6fc3b899c94b46463244e0200ef5d94dbb1ccb05ef4ad08152f0dd8f2a701c86f9129c5d4fe
-
Filesize: 531KB (2 identical entries)
MD5: 68e0cac2718a2eb9869dab3486893061
SHA1: 1f298a8f79c629fefe4143918c9459d66dd2ec43
SHA256: 9c74f1b9fd271a888f681fba970dc8f6d227bc7f4a32b973e1fb7d81a4a67958
SHA512: 58f5448b2e3b9fed1bf5002a7ebcb24120597206e4f8702de57ffe8da0beb16ed9560afe2d150b674c7cf56abdcfd905990cb44cc726958a1dfdd0a382219cb7
-
Filesize: 365KB (2 identical entries)
MD5: a33b6dcead88d8d1a998285f90aa633e
SHA1: 5fce03aaf4c3f0b652eed69b4aa11d156deb18f9
SHA256: 2e6d867e475c28ec823a353c647307e64829678587bc4e2a82f34b04a986d506
SHA512: 7d772ca14b530036efa4db29d9bd1c8515eeb7461c82579ee6876945a8f94c4b796d34159d8ef4d33d3560176c0497788664e55470bc5d86f6e28ba91a361e44
-
Filesize: 285KB (2 identical entries)
MD5: 35cdad08842737bb6e246b7c6dec5771
SHA1: d7b4d82a04a3041ea95fbae907c74590313ddc98
SHA256: 0cb88e7e4e3437dde3a63a8041456fcbb7766aadb250ea958579b6b0c4af1874
SHA512: 1db9b93340f87c622ba95440f62827e12c6a7141450e81e59759933f0574d4830626f0c470fe868a40f7eafe83a1b3887f57064621d418a696d0ee15940606dd
-
Filesize: 221KB (2 identical entries)
MD5: 43d7061f6de6e9fb42d9fb1d51338887
SHA1: 2e2f3294a5db7fb032990273b21c33ff9e2cedf0
SHA256: fa34ff3dd540feb130565969f173dd992adeea758f1aeb474d098753f43f5dff
SHA512: 5d6e0f12a7171c4746c80bee9c10c7a8fa6a7ab590a8a71459907b8b048bcfab7a4cf5174ff9611daeb0b8d265612cadcaed49d79ae837e16373da9542e5bbcf
-
Filesize: 116B
MD5: ec6aae2bb7d8781226ea61adca8f0586
SHA1: d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256: b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512: aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 219KB (3 identical entries)
MD5: 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1: ae90587beed289f177f4143a8380ba27109d0a6f
SHA256: 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512: ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize: 8KB
MD5: 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1: 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256: d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512: 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b
-
Filesize: 1.4MB
MD5: 85b698363e74ba3c08fc16297ddc284e
SHA1: 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256: 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512: 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796
-
Filesize: 1.4MB
MD5: 22d5269955f256a444bd902847b04a3b
SHA1: 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256: ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512: d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c
-
Filesize: 416KB
MD5: 83330cf6e88ad32365183f31b1fd3bda
SHA1: 1c5b47be2b8713746de64b39390636a81626d264
SHA256: 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512: e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908
-
Filesize: 338KB
MD5: 528b5dc5ede359f683b73a684b9c19f6
SHA1: 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256: 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512: 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb
-
Filesize: 89KB
MD5: e913b0d252d36f7c9b71268df4f634fb
SHA1: 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256: 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512: 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize: 273B
MD5: a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1: 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256: 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512: 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
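The dropped-file table above arrives as flattened text: each label is fused onto its value ("MD516c2a9...") or split onto the next line ("Filesize" / "152B"), and the same file content is listed once per path it was written to. As an added example (not part of the tria.ge report), the Python below parses text in that raw form, rejects any hash whose length or alphabet is wrong (a copy-paste error is the usual cause), and collapses repeated entries by SHA256 while flagging records that share a SHA256 but disagree on another field. The sample input is three records copied from this listing; the record layout, field names and the conflict check are this example's own design, not a tria.ge export format.

```python
"""Parse a flattened tria.ge 'Files' listing into validated, deduplicated IoC records.
Added example, not part of the sandbox report. SAMPLE is copied from the listing on
this page in its raw form; layout, validation rules and conflict check are this example's own.
"""
import re

# Expected hex length per hash label; a truncated or mis-copied value fails this check.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# One pattern covers both layouts: 'MD516c2a9...' (fused) and 'Filesize' / '152B' (split).
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")

SAMPLE = """\
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA2560f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA2560f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\js\\index-dir\\the-real-index
Filesize1KB
MD5f495886379ce6ca57ce38dcbf7f5c46b
SHA124deec6dae11bbce3f6836cf17c794b696ce062d
SHA25601185645b33d7fc9fa514e5132f1c23cff92b8faa017dc4c783a63ce8c0d16e7
SHA512f9fed6258b56e38f75f0d5dc6672c7a48d5035908fd858eedd4c2e81fc79deef3667c359d8b4880e5ce5045107ba9004f82a01ce3b624d9baba7dbd284e509a4
"""


def parse_listing(text):
    """Return one dict per '-'-separated record; a non-label, non-separator line is the path."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, current, i = [], {}, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":                       # record separator
            if current:
                records.append(current)
            current = {}
            continue
        m = LABEL_RE.match(line)
        if not m:
            current["path"] = line
            continue
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines) and lines[i] != "-":
            value = lines[i]                  # value was pushed onto the next line
            i += 1
        current[label] = value.lower() if label in HASH_LENGTHS else value
    if current:
        records.append(current)
    return records


def validate(record):
    """Return the problems found in one record (empty list means well-formed)."""
    problems = []
    for label, length in HASH_LENGTHS.items():
        value = record.get(label, "")
        if len(value) != length or not HEX_RE.match(value):
            problems.append(f"{label}: expected {length} hex chars, got {value!r}")
    if "Filesize" not in record:
        problems.append("Filesize: missing")
    return problems


def dedupe(records):
    """Collapse records by SHA256, counting repeats and collecting paths.
    A shared SHA256 with a differing MD5/SHA1/SHA512/size is reported, not merged."""
    unique, conflicts = {}, []
    for rec in records:
        key = rec.get("SHA256")
        if key is None:
            continue
        if key not in unique:
            entry = {k: v for k, v in rec.items() if k != "path"}
            entry["count"], entry["paths"] = 0, []
            unique[key] = entry
        entry = unique[key]
        for field in ("MD5", "SHA1", "SHA512", "Filesize"):
            if rec.get(field) != entry.get(field):
                conflicts.append((key, field, entry.get(field), rec.get(field)))
        entry["count"] += 1
        if "path" in rec:
            entry["paths"].append(rec["path"])
    return list(unique.values()), conflicts


def summarize(text=SAMPLE):
    """Parse, validate and dedupe a listing; returns (unique, problems, conflicts)."""
    records = parse_listing(text)
    problems = [(i, p) for i, rec in enumerate(records) for p in validate(rec)]
    unique, conflicts = dedupe(records)
    return unique, problems, conflicts


if __name__ == "__main__":
    for rec in summarize()[0]:
        print(f"{rec['count']}x {rec['Filesize']:>5} sha256={rec['SHA256']} paths={rec['paths']}")
```

Run it against the whole listing (copy the raw text into a file and pass its contents to `summarize`) to get one line per distinct file content with how many times it was dropped; a non-empty `problems` or `conflicts` result means a hash was mangled in transit and should be re-copied from the report before it is loaded into a blocklist.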