Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
25-08-2024 14:30
General
-
Target
WaveInstaller.exe
-
Size
2.3MB
-
MD5
f80723c7062d0414bfd23249a943b330
-
SHA1
0996049a3da01ef925e954867aaa302d82279639
-
SHA256
6ac30aaef20c25564eebdbfd55db25f61ff6c84204ecc30241c0cf2332a0d04b
-
SHA512
f99821c40a3c1d19403b7cd21a2434293d2d23c92a716312e4bbbfb433b1c4b2ec4c90ce9750d4b574d0a802108191621a3b018ab2ebff65f535d843929278de
-
SSDEEP
49152:XJAFOSG/TBqwnbetRXZRAL3Wa88eVuN6yCQhJolninbT:ZAo3/T5bQRpRAL3denin
Score
10/10
Malware Config
Extracted
Family
xworm
C2
127.0.0.1:19121
goods-flex.gl.at.ply.gg:19121
Attributes
-
Install_directory
%Public%
-
install_file
calc.exe
Extracted
Family
phemedrone
C2
https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument
Signatures
-
Detect Xworm Payload 4 IoCs
-
Phemedrone
An information and wallet stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"4⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"5⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"6⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"7⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"8⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"9⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"10⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"11⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'12⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"12⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'13⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"13⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'14⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"14⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'15⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"15⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'16⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"16⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'17⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"17⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'18⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"18⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'19⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"19⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"20⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"21⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"22⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'23⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"23⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"24⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'25⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"25⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"26⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'27⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"27⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"28⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'29⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"29⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'30⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"30⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"31⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"32⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'33⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"33⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"34⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"35⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'36⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"36⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"37⤵
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'38⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"38⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'38⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"38⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"38⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"37⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"37⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'36⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"36⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"36⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'35⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"35⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"35⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"34⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'34⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"34⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'33⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"33⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'33⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"33⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'32⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"32⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"32⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"31⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"31⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'30⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"30⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'30⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"30⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"29⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'29⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"29⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'28⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"28⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"28⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'27⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"27⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'27⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"27⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"26⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'26⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"26⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"25⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'25⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"25⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"24⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"24⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"23⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"23⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"22⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"22⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"21⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'21⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"21⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'20⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"20⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'20⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"20⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'19⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"19⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'19⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"19⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"18⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"18⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'17⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"17⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"17⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'16⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"16⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'16⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'15⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"15⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'15⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'14⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"14⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'14⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'13⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"13⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"12⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\calcc.exe"C:\Users\Admin\AppData\Local\Temp\calcc.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2532 -s 6403⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E0094799-21C9-4AA2-949D-CD6A3ED200B1} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]1⤵
-
C:\Users\Public\calc.exeC:\Users\Public\calc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Public\calc.exeC:\Users\Public\calc.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD57b6c19c2c8fc4ff9cc5b136f22cf490d
SHA1e557a697a268c54a73aaffd02d25e54c4f601719
SHA256cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353
SHA512afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b
-
Filesize
71KB
MD536686a659c023c60d85630ef9080ee34
SHA1c26facc03073d700fc65af33eb2d8a6215f065b6
SHA256eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49
SHA512236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587
-
Filesize
7KB
MD5dedff30cbb6f17542b034097f2532cc2
SHA1420a974174c304453767f75d8fc9214d0bfc7798
SHA25676b6f4131e116d82601db7eac77eca5a3c1d5b4fdd5d7eb889f1566b0b1d11c7
SHA5123ad5d729ac042ea16adbd04ea34eff12d120d7bfbb1f8898cf83a624ca2f50709102df144db3d187d42a677e2641e06725f814d45e95c9fd65668a8796ea34ab
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
144KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
2.4MB