Analysis

max time kernel: 995s
max time network: 1001s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2023, 14:13
Behavioral task: behavioral1
Sample: SLOVOPACANA.exe
Resource: win10v2004-20231127-en
General

Target: SLOVOPACANA.exe
Size: 1.2MB
MD5: cd027faaa16d14fe7aa370c8057225d5
SHA1: 0054f01d667b7e75c5a255f8ee4d77b177373c08
SHA256: c248d6ee2cf5cd6ca386c7a358abdd8ec408c6a63f998f22cbf896809568d90f
SHA512: ac7bd57bc19ccca405027135ef07a7f475286ed96c00479eebccf725edda6c8ba94e91268aa8e0e812e15dd206f30dd30512ab99b6f8bd0b5ee6e7b26f042751
SSDEEP: 24576:g2G/nvxW3WfvxgCEe8FjqoCsq9/a75E6PyKP7g2:gbA3BCDujl0+2Y
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at run time.
-
Process spawned unexpected child process 57 IoCs
schtasks.exe was started with wmiprvse.exe as its parent. The sandbox's generic reading of this signature is that the parent was compromised via an exploit or macro; for wmiprvse.exe specifically the usual cause is a process created through WMI (Win32_Process.Create), which makes the WMI provider host the recorded parent and hides the real caller, so the caller has to be recovered from WMI activity logging rather than from the process tree. All 57 hits share the same description, parent and child:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 336 (wmiprvse.exe)   procid_target: 96   Process: schtasks.exe
pid (57 entries, in report order): 628, 4412, 4924, 1008, 4072, 2016, 1984, 1404, 4868, 788, 212, 1504, 4252, 4652, 2632, 4464, 4852, 2232, 1604, 2612, 3956, 2416, 5004, 4348, 936, 4260, 4400, 2340, 4836, 3104, 960, 3012, 552, 1356, 3292, 1744, 2972, 1444, 3464, 3568, 2040, 384, 5080, 3904, 3048, 2556, 664, 4500, 1112, 4568, 1468, 1008, 2016, 1984, 4332, 532, 3228
PIDs 1008, 1984 and 2016 each appear twice: the kernel reused them during the roughly 1000 s run, so pair a PID with its creation time before correlating it across sections.
-
YARA matches (rule: dcrat)
resource
behavioral1/files/0x000700000002321d-10.dat
behavioral1/files/0x000700000002321d-11.dat
behavioral1/memory/1796-12-0x0000000000110000-0x00000000001E6000-memory.dmp
behavioral1/files/0x000800000002322d-17.dat
behavioral1/files/0x0006000000023254-61.dat
behavioral1/files/0x0006000000023254-63.dat
behavioral1/files/0x0006000000023250-124.dat
behavioral1/files/0x0006000000023250-125.dat
behavioral1/files/0x0007000000023243-130.dat
behavioral1/files/0x0007000000023243-131.dat
behavioral1/files/0x000600000002326c-132.dat
behavioral1/files/0x000600000002326c-133.dat
behavioral1/files/0x000600000002325c-138.dat
behavioral1/files/0x000600000002325c-139.dat
The memory match on PID 1796 (blockbroker.exe, see "Executes dropped EXE") identifies the dropped blockbroker.exe as the DcRat payload; the file matches cover the dropped copies.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence check. The same value is read by the sample and by every stage it launches.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation
Process: SLOVOPACANA.exe, WScript.exe, blockbroker.exe, winlogon.exe
-
Executes dropped EXE 22 IoCs
Every dropped executable borrows the name of a Windows system, shell or Office process. PID 2988 is listed for both dllhost.exe and OfficeClickToRun.exe, so PIDs were reused during the run.
pid   Process
1796  blockbroker.exe
3780  winlogon.exe
744   OfficeClickToRun.exe
1244  StartMenuExperienceHost.exe
2844  SearchApp.exe
788   TextInputHost.exe
2956  sihost.exe
376   OfficeClickToRun.exe
3092  csrss.exe
2988  dllhost.exe
4032  blockbroker.exe
1788  TrustedInstaller.exe
640   SearchApp.exe
4400  StartMenuExperienceHost.exe
3592  TextInputHost.exe
4384  spoolsv.exe
460   dwm.exe
1328  sppsvc.exe
2912  sysmon.exe
4812  winlogon.exe
2988  OfficeClickToRun.exe
3632  sihost.exe
-
Drops file in Program Files directory 8 IoCs
description   ioc                                                                                   Process
File created  C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe                         blockbroker.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\ja-JP\5940a34987c991                      blockbroker.exe
File created  C:\Program Files\Windows Security\sppsvc.exe                                          blockbroker.exe
File created  C:\Program Files\Windows Security\0a1fd5f707cd16                                      blockbroker.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe  blockbroker.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f        blockbroker.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe                     blockbroker.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\22eafd247d37c3                        blockbroker.exe
-
Drops file in Windows directory 11 IoCs
description                 ioc                                                          Process
File created                C:\Windows\Offline Web Pages\66fc9ff0ee96c2                  blockbroker.exe
File created                C:\Windows\DiagTrack\Settings\55b276f4edf653                 blockbroker.exe
File created                C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe                blockbroker.exe
File created                C:\Windows\Downloaded Program Files\cc11b995f2a76d           blockbroker.exe
File created                C:\Windows\Fonts\sppsvc.exe                                  blockbroker.exe
File created                C:\Windows\Offline Web Pages\sihost.exe                      blockbroker.exe
File created                C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe    blockbroker.exe
File created                C:\Windows\PolicyDefinitions\it-IT\0a1fd5f707cd16            blockbroker.exe
File created                C:\Windows\Downloaded Program Files\winlogon.exe             blockbroker.exe
File created                C:\Windows\Fonts\0a1fd5f707cd16                              blockbroker.exe
File opened for modification C:\Windows\Debug\WIA\wiatrace.log                           mspaint.exe
Each dropped binary is paired with a 14-character hexadecimal companion file in the same directory, and the companion name follows the binary: sppsvc.exe is written to three locations, each time beside 0a1fd5f707cd16. Writing into Program Files and C:\Windows requires an elevated token, so the dropper was running with administrative rights at this point. The wiatrace.log entry belongs to mspaint.exe, not to the dropper.
-
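The two "Drops file" signatures above show the dropper's pattern: a Windows system-binary name written into an unrelated directory, with a 14-character hexadecimal companion file beside it. The script below is an added example (not code from the sandbox or from the sample's authors) that hunts for that pattern on disk. It builds a throwaway directory tree from the exact paths in this report plus two genuine System32 copies that must not be flagged, then walks it. The table of legitimate locations (LEGIT_EXACT, LEGIT_PREFIXES) is an assumption for a default Windows 10 install and should be tuned before pointing hunt() at a real drive root.

```python
"""Hunt for DcRat-style drops: a Windows system-binary name outside its real
home, with a 14-hex-character companion file next to it.
Added example; not part of the sandbox report. The legitimate-location
table and the temporary sample tree are constructed for this demo."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

HEX14 = re.compile(r"^[0-9a-f]{14}$")

# Names the dropper reuses in this report (see "Executes dropped EXE").
SYSTEM_NAMES = {
    "winlogon.exe", "csrss.exe", "dwm.exe", "sppsvc.exe", "spoolsv.exe",
    "sihost.exe", "dllhost.exe", "trustedinstaller.exe", "sysmon.exe",
    "searchapp.exe", "startmenuexperiencehost.exe", "textinputhost.exe",
    "officeclicktorun.exe",
}

# Assumed legitimate homes (relative to the drive root, lower-case, forward
# slashes) on a default Windows 10 install. Tune per estate.
LEGIT_EXACT = {
    "windows/system32", "windows/syswow64", "windows/servicing",
    "program files/common files/microsoft shared/clicktorun",
}
LEGIT_PREFIXES = ("windows/systemapps/",)


def is_legit_dir(rel_dir: str) -> bool:
    return rel_dir in LEGIT_EXACT or rel_dir.startswith(LEGIT_PREFIXES)


def hunt(root) -> list[tuple[str, list[str]]]:
    """Walk root; return (relative exe path, companion file names) for every
    system-binary name found outside its legitimate directory."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix().lower()
        if rel_dir == ".":
            rel_dir = ""
        companions = sorted(f for f in files if HEX14.match(f))
        for f in files:
            if f.lower() in SYSTEM_NAMES and not is_legit_dir(rel_dir):
                hits.append(((d / f).relative_to(root).as_posix().lower(), companions))
    return sorted(hits)


# Drop locations and companion files taken from the report.
REPORTED_DROPS = [
    ("Program Files (x86)/Windows Photo Viewer/ja-JP", "dllhost.exe", "5940a34987c991"),
    ("Program Files/Windows Security", "sppsvc.exe", "0a1fd5f707cd16"),
    ("Program Files (x86)/Reference Assemblies/Microsoft/Framework", "OfficeClickToRun.exe", "e6c9b481da804f"),
    ("Program Files (x86)/Microsoft.NET/RedistList", "TextInputHost.exe", "22eafd247d37c3"),
    ("Windows/Offline Web Pages", "sihost.exe", "66fc9ff0ee96c2"),
    ("Windows/DiagTrack/Settings", "StartMenuExperienceHost.exe", "55b276f4edf653"),
    ("Windows/PolicyDefinitions/it-IT", "sppsvc.exe", "0a1fd5f707cd16"),
    ("Windows/Downloaded Program Files", "winlogon.exe", "cc11b995f2a76d"),
    ("Windows/Fonts", "sppsvc.exe", "0a1fd5f707cd16"),
]
# Genuine copies (constructed) that the hunt must leave alone.
BENIGN = [("Windows/System32", "winlogon.exe"), ("Windows/System32", "sppsvc.exe")]


def build_sample_tree(root) -> None:
    """Create placeholder files (not real PEs) at the reported paths under root."""
    root = Path(root)
    for rel_dir, exe, marker in REPORTED_DROPS:
        d = root / rel_dir
        d.mkdir(parents=True, exist_ok=True)
        (d / exe).write_bytes(b"MZ")
        (d / marker).write_bytes(b"")
    for rel_dir, exe in BENIGN:
        d = root / rel_dir
        d.mkdir(parents=True, exist_ok=True)
        (d / exe).write_bytes(b"MZ")


def demo() -> list[tuple[str, list[str]]]:
    """Build the sample tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for exe, companions in demo():
        print(exe, "companions:", ", ".join(companions) or "-")
```

The companion file is reported alongside the binary because, on a real host, it is the quickest confirmation that a hit is this dropper rather than a stray copy of a system file: a genuine winlogon.exe is never accompanied by a 14-hex-character file with no extension.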
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
schtasks is often used by malware for persistence or to perform post-infection execution. The 57 schtasks.exe PIDs here are the same 57 instances attributed to wmiprvse.exe under "Process spawned unexpected child process" above, so the tasks were created through WMI rather than directly by the dropper.
pid Process (57 entries, all schtasks.exe, in report order): 4852, 3568, 384, 1504, 4836, 1444, 1008, 2232, 2612, 2340, 4568, 5004, 960, 3012, 4500, 4412, 4252, 3956, 4400, 4924, 4348, 3904, 3048, 1984, 3228, 4652, 4260, 2556, 1008, 788, 2016, 1984, 3104, 1356, 3292, 3464, 2632, 1468, 628, 4072, 212, 1604, 936, 552, 2972, 1744, 2040, 5080, 2016, 1404, 664, 1112, 532, 4868, 4464, 2416, 4332
-
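The wmiprvse.exe -> schtasks.exe hits, the burst of 57 task creations from one parent, and the dropped copies of system binaries all show up in ordinary process-creation telemetry. The script below is an added example, not sandbox or DcRat code, that applies three checks to Sysmon-style events: an unexpected parent/child pair, a system-binary name running from outside its real directory, and a single parent creating many scheduled tasks. The events are constructed from PIDs and paths in this report; the on-disk path of blockbroker.exe is not given in the report and is assumed, as is the expected-directory table.

```python
"""Three process-creation checks for the behaviour in this report.
Added example, not sandbox code. Events are constructed from the report's
PIDs and paths; the expected-directory table and the blockbroker.exe path
are assumptions for a default Windows 10 install."""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_pid: int
    parent_image: str   # full path of the parent


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


# Parent -> children it has no business starting. wmiprvse.exe is the WMI
# provider host, so any child it has was requested by some other process.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe",
                     "wscript.exe", "cscript.exe"},
}

# Assumed legitimate directories for the names this dropper reuses.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
}

SCHTASKS_BURST = 10   # one parent creating this many tasks is a dropper, not an admin


def detect(events) -> list[tuple[str, int, object]]:
    """Return (rule, pid, detail) for every rule an event trips.
    For 'schtasks_burst' the pid is the parent and detail is the child count."""
    alerts = []
    per_parent: Counter[int] = Counter()
    for ev in events:
        child, parent = _name(ev.image), _name(ev.parent_image)
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            alerts.append(("unexpected_child", ev.pid,
                           f"{parent} ({ev.parent_pid}) -> {child}"))
        expected = EXPECTED_DIRS.get(child)
        if expected and _dir(ev.image) not in expected:
            alerts.append(("masquerade_path", ev.pid, ev.image))
        if child == "schtasks.exe":
            per_parent[ev.parent_pid] += 1
    for ppid, n in per_parent.items():
        if n >= SCHTASKS_BURST:
            alerts.append(("schtasks_burst", ppid, n))
    return alerts


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
# The first twelve schtasks.exe PIDs the report attributes to wmiprvse.exe PID 336.
REPORTED_SCHTASKS_PIDS = (628, 4412, 4924, 1008, 4072, 2016, 1984, 1404, 4868, 788, 212, 1504)

SAMPLE_EVENTS = [
    # Constructed benign baseline: the genuine winlogon.exe, and an admin running schtasks.
    ProcEvent(600, r"C:\Windows\System32\winlogon.exe", 500, r"C:\Windows\System32\smss.exe"),
    ProcEvent(2500, r"C:\Windows\System32\schtasks.exe", 2400, r"C:\Windows\explorer.exe"),
    # From the report: blockbroker.exe (PID 1796) starts the dropped "winlogon.exe" (PID 3780).
    # The report does not give blockbroker.exe's path; the Temp path here is assumed.
    ProcEvent(3780, r"C:\Windows\Downloaded Program Files\winlogon.exe",
              1796, r"C:\Users\Admin\AppData\Local\Temp\blockbroker.exe"),
] + [ProcEvent(pid, r"C:\Windows\System32\schtasks.exe", 336, WMIPRVSE)
     for pid in REPORTED_SCHTASKS_PIDS]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:17} pid={pid:<5} {detail}")
```

The masquerade check keys on the full image path rather than the file name, which is why the genuine System32 winlogon.exe passes while the copy in Downloaded Program Files does not; the burst check aggregates by parent PID, so it fires once for wmiprvse.exe even though each individual schtasks.exe launch is also reported.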
Enumerates system info in registry 2 TTPs 6 IoCs
All six reads come from chrome.exe, not from the sample or its dropped copies; they are two rounds of the same three operations.
description        ioc                                                               Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
-
Kills process with taskkill 1 IoCs
pid: 4528   Process: taskkill.exe
-
Modifies data under HKEY_USERS 3 IoCs
All three writes are TPM telemetry housekeeping by chrome.exe under the LOCAL SERVICE hive (S-1-5-19), not sample activity.
description      ioc                                                                                    Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133463460008644647"  chrome.exe
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                  chrome.exe
-
Modifies registry class 64 IoCs
63 of the 64 entries are ShellBag view-state writes made by mspaint.exe through a common file dialog (folder view mode, sort order, column layout, MRU lists); they record which folders were browsed and are not sample activity. The one entry attributed to SLOVOPACANA.exe is a key creation under Local Settings.
Abbreviations used below:
SHELL = \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
Bag1  = SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}
Bag2  = SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Bag3  = SHELL\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
description       ioc                                                                                      Process
Set value (int)   Bag1\GroupByKey:PID = "14"                                                               mspaint.exe
Set value (int)   Bag3\IconSize = "16"                                                                     mspaint.exe
Set value (int)   Bag3\GroupView = "0"                                                                     mspaint.exe
Set value (data)  SHELL\BagMRU\NodeSlots                                                                   mspaint.exe
Key created       \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  mspaint.exe
Set value (int)   Bag2\LogicalViewMode = "2"                                                               mspaint.exe
Set value (data)  Bag2\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000  mspaint.exe
Set value (int)   Bag1\GroupView = "4294967295"                                                            mspaint.exe
Set value (int)   Bag1\FFlags = "1"                                                                        mspaint.exe
Set value (int)   Bag3\LogicalViewMode = "1"                                                               mspaint.exe
Set value (data)  Bag3\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000  mspaint.exe
Set value (data)  SHELL\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a1e16d385721da01a34005c96221da011410ef744f28da0114000000  mspaint.exe
Set value (int)   Bag3\Mode = "4"                                                                          mspaint.exe
Set value (data)  SHELL\BagMRU\0\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000a1e16d385721da01bbaf67cf6221da01bbaf67cf6221da0114000000  mspaint.exe
Set value (data)  SHELL\BagMRU\NodeSlots = 0202                                                            mspaint.exe
Set value (int)   Bag2\FFlags = "1092616257"                                                               mspaint.exe
Set value (int)   Bag1\FFlags = "1092616257"                                                               mspaint.exe
Key created       SHELL\BagMRU\0\0                                                                         mspaint.exe
Set value (int)   Bag1\Mode = "4"                                                                          mspaint.exe
Set value (data)  Bag3\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000  mspaint.exe
Set value (int)   Bag3\GroupByKey:PID = "0"                                                                mspaint.exe
Set value (str)   Bag1\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"                         mspaint.exe
Set value (int)   SHELL\BagMRU\0\1\NodeSlot = "3"                                                          mspaint.exe
Set value (int)   Bag3\FFlags = "1"                                                                        mspaint.exe
Set value (data)  SHELL\BagMRU\MRUListEx = 00000000ffffffff                                                mspaint.exe
Key created       SHELL\Bags\2                                                                             mspaint.exe
Set value (str)   Bag2\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"                         mspaint.exe
Set value (int)   Bag1\LogicalViewMode = "1"                                                               mspaint.exe
Key created       \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings       mspaint.exe
Set value (int)   Bag1\GroupByDirection = "4294967295"                                                     mspaint.exe
Set value (int)   Bag3\GroupByDirection = "1"                                                              mspaint.exe
Set value (data)  SHELL\BagMRU\0\MRUListEx = 00000000ffffffff                                              mspaint.exe
Set value (int)   SHELL\BagMRU\0\NodeSlot = "2"                                                            mspaint.exe
Key created       SHELL\Bags\1\ComDlg                                                                      mspaint.exe
Key created       SHELL                                                                                    mspaint.exe
Key created       SHELL\Bags                                                                               mspaint.exe
Key created       Bag3                                                                                     mspaint.exe
Set value (str)   SHELL\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"  mspaint.exe
Key created       Bag2                                                                                     mspaint.exe
Set value (int)   Bag2\GroupByDirection = "1"                                                              mspaint.exe
Set value (str)   SHELL\Bags\3\Shell\SniffedFolderType = "Generic"                                         mspaint.exe
Set value (int)   Bag3\FFlags = "1092616257"                                                               mspaint.exe
Key created       SHELL\BagMRU\0                                                                           mspaint.exe
Set value (data)  SHELL\BagMRU\NodeSlots = 02                                                              mspaint.exe
Set value (data)  Bag2\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000  mspaint.exe
Set value (data)  Bag1\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff  mspaint.exe
Key created       SHELL\BagMRU\0\1                                                                         mspaint.exe
Set value (data)  SHELL\BagMRU\NodeSlots = 020202                                                          mspaint.exe
Key created       SHELL\Bags\3\Shell                                                                       mspaint.exe
Set value (str)   Bag3\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"                         mspaint.exe
Set value (data)  SHELL\BagMRU\MRUListEx = ffffffff                                                        mspaint.exe
Key created       SHELL\Bags\1                                                                             mspaint.exe
Set value (int)   Bag2\Mode = "6"                                                                          mspaint.exe
Set value (int)   Bag2\FFlags = "1"                                                                        mspaint.exe
Set value (int)   SHELL\BagMRU\0\0\NodeSlot = "1"                                                          mspaint.exe
Key created       SHELL\Bags\3\ComDlg                                                                      mspaint.exe
Set value (str)   SHELL\Bags\1\Shell\SniffedFolderType = "Downloads"                                       mspaint.exe
Set value (data)  SHELL\BagMRU\0\MRUListEx = 0100000000000000ffffffff                                      mspaint.exe
Key created       \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings       SLOVOPACANA.exe
Key created       SHELL\BagMRU                                                                             mspaint.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  mspaint.exe
Key created       SHELL\Bags\2\ComDlg                                                                      mspaint.exe
Set value (data)  SHELL\BagMRU\0\1\MRUListEx = ffffffff                                                    mspaint.exe
Set value (data)  SHELL\BagMRU\0\0\MRUListEx = ffffffff                                                    mspaint.exe
-
Modifies registry key 1 TTPs 1 IoCs
pid: 4208   Process: reg.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid   Process                 occurrences (in report order)
1796  blockbroker.exe         2
3780  winlogon.exe            10
4540  chrome.exe              2
2924  chrome.exe              2
4692  mspaint.exe             2
884   chrome.exe              2
3780  winlogon.exe            5
2988  OfficeClickToRun.exe    10
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
3780  winlogon.exe
2988  OfficeClickToRun.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid   Process
4540  chrome.exe (3 entries)
2924  chrome.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
The notable entries are the SeDebugPrivilege requests by the dropper and by each dropped copy, which is what the DcRat payload needs to open other processes; the SeShutdownPrivilege / SeCreatePagefilePrivilege adjustments are routine browser behaviour by chrome.exe.
description                           pid   Process
Token: SeDebugPrivilege               1796  blockbroker.exe
Token: SeDebugPrivilege               3780  winlogon.exe
Token: SeManageVolumePrivilege        512   svchost.exe
Token: SeDebugPrivilege               744   OfficeClickToRun.exe
Token: SeDebugPrivilege               2844  SearchApp.exe
Token: SeDebugPrivilege               1244  StartMenuExperienceHost.exe
Token: SeDebugPrivilege               788   TextInputHost.exe
Token: SeDebugPrivilege               2956  sihost.exe (listed two entries from the end of the table)
The remaining 56 entries alternate Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege for chrome.exe, first PID 4540 and then PID 2924.
-
Suspicious use of FindShellTrayWindow 53 IoCs
pid Process: 53 entries, all chrome.exe, PID 4540 followed by PID 2924
-
Suspicious use of SendNotifyMessage 48 IoCs
pid Process: 48 entries, all chrome.exe, PID 4540 followed by PID 2924
-
Suspicious use of SetWindowsHookEx 5 IoCs
| pid | Process |
| --- | --- |
| 4692 | mspaint.exe |
| 4692 | mspaint.exe |
| 4692 | mspaint.exe |
| 4692 | mspaint.exe |
| 4692 | mspaint.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path with its depth in the process tree in square brackets, the PID, the command line and the signatures the process triggered.

[1] C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe (PID 4704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\WScript.exe (PID 868)
  Command line: "C:\Windows\System32\WScript.exe" "C:\ComAgentSession\J1Z3KeWJB1lM.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe (PID 4504)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\ComAgentSession\FU70pek1lKzqNpW.bat" "
  - Suspicious use of WriteProcessMemory
[4] C:\ComAgentSession\blockbroker.exe (PID 1796)
  Command line: "C:\ComAgentSession\blockbroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[5] C:\Windows\Downloaded Program Files\winlogon.exe (PID 3780)
  Command line: "C:\Windows\Downloaded Program Files\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[6] C:\Windows\SYSTEM32\cmd.exe (PID 4424)
  Command line: "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\3gUlVaPHfz.bat"
[6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4984)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline"
  - Suspicious use of WriteProcessMemory
[7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2764)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD994.tmp" "c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP"
[6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1040)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline"
[6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1224)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezapyabp\ezapyabp.cmdline"
[7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1404)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1264.tmp" "c:\Users\Admin\AppData\Local\Temp\ezapyabp\CSC8743270E222B43319E1254467B67EFC.TMP"
[6] C:\Windows\System32\cmd.exe (PID 4064)
  Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f & taskkill /f /im taskmgr.exe
[7] C:\Windows\system32\reg.exe (PID 4208)
  Command line: reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - Modifies registry key
[7] C:\Windows\system32\taskkill.exe (PID 4528)
  Command line: taskkill /f /im taskmgr.exe
  - Kills process with taskkill
[1] C:\Windows\system32\schtasks.exe (PID 628)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4412)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4924)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1008)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4072)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2016)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1984)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1404)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4868)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 788)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 212)
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1504)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4252)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4652)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2632)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4464)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4852)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2232)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1604)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2612)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3956)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2416)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 5004)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4348)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 936)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4260)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4400)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2340)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4836)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3104)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 960)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3012)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 552)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1356)
  Command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3292)
  Command line: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1744)
  Command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2972)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1444)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3464)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3568)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2040)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 384)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 5080)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3904)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3048)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2556)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 664)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4500)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1112)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4568)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1468)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1008)
  Command line: schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2016)
  Command line: schtasks.exe /create /tn "blockbroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1984)
  Command line: schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 4332)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 532)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3228)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[1] C:\Windows\system32\rundll32.exe (PID 5032)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
[1] C:\Windows\System32\svchost.exe (PID 512)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe (PID 744)
  Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[1] C:\odt\SearchApp.exe (PID 2844)
  Command line: C:\odt\SearchApp.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe (PID 1244)
  Command line: C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe (PID 788)
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4540)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2824)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1120)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:2
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4064)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3188)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2104)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1064)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 844)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4668)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3964)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3240)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1868)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4836)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1800)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3764)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1604)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2924)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2292)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2832)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2424)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3376)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4484)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2960)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4068)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4732 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3448)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5024)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4632)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4384)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2236)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4208)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:884
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1800
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:784
-
C:\Windows\system32\dashost.exedashost.exe {7a9b72e2-86d9-4028-8c086fd90d6660f6}2⤵PID:2144
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
PID:376
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe1⤵
- Executes dropped EXE
PID:3092
-
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe"C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe"1⤵
- Executes dropped EXE
PID:2988
-
C:\Recovery\WindowsRE\blockbroker.exeC:\Recovery\WindowsRE\blockbroker.exe1⤵
- Executes dropped EXE
PID:4032
-
C:\Users\Default User\TrustedInstaller.exe"C:\Users\Default User\TrustedInstaller.exe"1⤵
- Executes dropped EXE
PID:1788
-
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exeC:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe1⤵
- Executes dropped EXE
PID:4400
-
C:\odt\SearchApp.exeC:\odt\SearchApp.exe1⤵
- Executes dropped EXE
PID:640
-
C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"1⤵
- Executes dropped EXE
PID:3592
-
C:\Recovery\WindowsRE\spoolsv.exeC:\Recovery\WindowsRE\spoolsv.exe1⤵
- Executes dropped EXE
PID:4384
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
PID:460
-
C:\Windows\Fonts\sppsvc.exeC:\Windows\Fonts\sppsvc.exe1⤵
- Executes dropped EXE
PID:1328
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe1⤵
- Executes dropped EXE
PID:2912
-
C:\Windows\Downloaded Program Files\winlogon.exe"C:\Windows\Downloaded Program Files\winlogon.exe"1⤵
- Executes dropped EXE
PID:4812
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2988
-
C:\Windows\Offline Web Pages\sihost.exe"C:\Windows\Offline Web Pages\sihost.exe"1⤵
- Executes dropped EXE
PID:3632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 36B
MD5: db5bc92a508253027eeb8b1703425243
SHA1: f17f65ab6ee1d0d59092eecd0c9c89288adbb355
SHA256: 6a48edfa769d6420962994aa84e6b261734fd289860251c12eff0d6b9994e153
SHA512: 5637eab1c2f15f80b7a62694a27d0cd2649c183625119b3bd0cfcc42d49c9693b5708b098f18d0084509079601f1893f09079d7580d3b01d74fa9095101e4521

Filesize: 207B
MD5: f83a0a294a0f7c5ec97371c705cbfec9
SHA1: 4cf78ab1616432c1f8c714f122a79350af8a53f5
SHA256: 5a23f943e2e3054bbfad3f9b71c5c03498c78a510a758511bfca0f34f287724f
SHA512: 9e127673927c5a69d1ab4022046c57135f961ed1ce1b8974a47550d1555b43762008a7b6ce3ba220ab917cb2466703dddda3add1ca784b4c8d5b5d0cdfb1c620

Filesize: 829KB (listed 13 times)
MD5: 2f055355f956c24ffc2276a84e1f24b5
SHA1: e8c6619057c583077b0f171280212c548f54d263
SHA256: 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512: f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

Filesize: 40B (listed 2 times)
MD5: 66a053d6739fe940ec8c86d7d7edf5ca
SHA1: 7bca498903f551bd30fadaff9aea89f69be58890
SHA256: 34f812910e594035498af16fd84f5da4e2380f7ad86f77ba2b4aa8942550ccd1
SHA512: e15d98456693fe4cafebbbe5a0a60259b9b44e086269efcd375366e6a043d20c7c585a4f550720fe96548a535df1a606a7d606bf2c0c12b8a1eaecfef40ef740

Filesize: 44KB
MD5: 51668952c3a3ab36426b1944f3728e46
SHA1: fab8bd955484c9bfe2670adf2eb9c58b63006788
SHA256: 357976c65f912707b145efd874990414a2722f485f3410f91bfd22c8969ccda9
SHA512: 0ab04d7ef2e8102dcf5cb173c3d52e2ac5a5c2c5259ecf385589b2537bbc4e2f95661d46be5a5ea147a6b9d07d61c95ff5f65badcff446a29acc2b24fdc7a31d

Filesize: 264KB
MD5: d980d17895283a0e1d8d8a256269d284
SHA1: 005260b0d7167a7444a7a38631d828b49f5292db
SHA256: 5ef8424c5a73a9a074e2ad202f3f37fc7ee6d733b38a4695c168f1c09a5885f9
SHA512: 16adc23fe985cdafda6edf4cdd0d3263b2dd043397dfff018339a084cbefbba77f5b1ff271da486eccc88ba9f6ca06170770e3a9f085d25f2bb242c42da83e71

Filesize: 4.0MB
MD5: c400056b2ea08acaae9db4bb506bcf76
SHA1: 26c5760d7c7f7f37ac3211c6d5a491fa002926b7
SHA256: 01e0b5c234c9ed4fed2d1eb9bb6c1e22cbbcc47efe737632a0bbafdaa99d5cf2
SHA512: c61391c3cc6db7683039fd113e7aeaa5e9357ccafc1701b9ff49354699aba58ab43fd3c35916aef6a954209c2bb7f4dbd1fbdc946b53c90c1ba1d952e4a81835

Filesize: 52KB
MD5: 344195b3134218414f9ec76d65c462b9
SHA1: 13e80dc8ae020fb91259d072d939cabd038fa2ab
SHA256: e9305ffbcf6a27bac5113d58d0f491b8caab480c22d3d63268e14f6d59a45782
SHA512: 66e8c955f8272ef785536a7e8cc3a3b160cd27520f5a835a3846cc513c5956d022a683089a42320dfd8c04e09998ddfc759a9d33aea271b88355765ed315f175

Filesize: 37KB
MD5: f5118dd18af12aba720339dd42830c08
SHA1: 0ed013d68aea57a1f587fe47e72464f84dc3994a
SHA256: c977fccad202c62d07cca71375b7f710cf97a2679d71e9083f529a38d4e68dcc
SHA512: 8a33bbfe4488d06b47c9664df2832292adc6060a99baf8bda68a751e501a7f61f15825a0e0fba85064f574539de09279b48927d154f4f366de5fec2400c673d9

Filesize: 58KB
MD5: 5d05ba495d37acd79c70e5b557a0c16c
SHA1: e96ad98168fa375dea9c37c8a3263437224300a7
SHA256: 21b00ea3a3278814e1e425f24bdeb0fdd79f9cbef6a4417648e711c90fb1660d
SHA512: 90e9777de33256df5104001b3c76ba5c52dd71c883661e0cfb02426d45bfd805cff05bae308589f3d1a451f5163afe59ca6a3107ef0b9343c10b5c436cfb2cae

Filesize: 40KB
MD5: 929729aa7cff46b3dad2f748a57af24c
SHA1: 81aa5db7dd63c79e23ccd23bf2520ab994295f2e
SHA256: 3c63e6c7fa25849799d08bf54988bfb3b77b1d1eebb1e55a94b64995850cba2f
SHA512: a10eaa6f2708b683bd43295b9c3da5840c0eb6d8a6b9e1922a534270fecbc0dcdb4cdcc28768df292a06f6210885b510254bdca17e5b3c507b0337fe7dc3d743

Filesize: 264KB (listed 4 times)
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 329B
MD5: d118ac27f5c37c6511a9490ba6ac454e
SHA1: ec400e0eb0a480a052f0bca2ec87d23e3f84c936
SHA256: 77e3ba641f04eb473d234d3bdba450ac0a2559a6dd5dcc02399e69625fe07365
SHA512: e150e7e7a853ad68d27cac44026fb76a8d25aaeb47fcdf2e78ff9d5bcfe97629ee97fff7afa37e5799c70912d0d860abdcd88a406e23bea38bc3e9b61f28f0c2

Filesize: 1KB (listed 2 times)
MD5: 6e5a0fb5efdcc035796b1e6e203bbbc1
SHA1: fee75b4967e6cfd4f06c36270f273f167a05b047
SHA256: 76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99
SHA512: 9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8

Filesize: 1KB
MD5: 5ad0ab3cf0f7dda6ca4e3f90bcb19154
SHA1: 67eaa1b3e9bfe098fd3b4173398c14f52b86cee5
SHA256: f143ff02e7e0bdb1f81e2f86869e0eceddcb01f7c81116a8dc8d53867cfaa6d7
SHA512: 668654b4a308a0b517e666e5e0c64ad9e814e27c6dd144b7f480b312b05328147672d150048be84d7b585065c501285bcc57a951aa36d151fb94848f8fd14afb

Filesize: 1KB
MD5: 43a86868b757012518d4963cb542d5fe
SHA1: e79c4540f89d45f526ea5c8ca189b31f39fbb338
SHA256: 2f927cce18ea6bd2b9094704ccfca95d5b4de7c02254b1d899ef9f4029357e28
SHA512: f1cef761b22d4ad3ec24769c65e12ff1ebd4727d2a6a8c22c530cc1f13c110ed684cdd9e535726890b1969222e008e0d4574a5a4f284f2a8090c5b9a87f6cb90

Filesize: 1KB
MD5: d5e535e98350bc9b20b09f97ef91564d
SHA1: 0406e87bcf4650599496a11286874a5197e47014
SHA256: 2d6a58669e655683d6ada04fabf0f9370a55e685956bd90f5361db69db618400
SHA512: 91f091554a0437d5c2c0124dca2990aebacfe664bda149d77adff32ed87c56b1a0a5f28dc462c334b290264ddfb52205923175ce96e01e53a0be5ed28c4277e9

Filesize: 36KB
MD5: 8dd8360a04d0627d6ee2f9c8c2b6d233
SHA1: 4367fbe3fa5374554a29f239b0eca798d408c5aa
SHA256: efd13aaf071384b65a9e13b39ac2e0a95f6b4123ed97a7f32be4ef7cfa5236d8
SHA512: e6ba8202016b8f83ef301277ddb24a3417220c3eebffb1413f40f5e689d8ca6ac8f26ad8ff223652c1cc8b6d06f83202171a7456d92d37d9ee086d9b96559d87

Filesize: 371B
MD5: 5e82967f9315957f704c066ec7a860d9
SHA1: 4e2fa8f5e8eebc714ba54958019f0f45517bbc70
SHA256: daeb6266dc42a3209f5ddbf6cb86c4c5097236690f0dbe672dd462c014d98532
SHA512: d1cbd0f484ab1da92a1e129a961bdf5d5d844d5835ae47cfb121f534b3bb1e2615b2300e60029b2bb322dd34a1dc0741b66aeeb4d9510fc1833cb2a47c1a5e7f

Filesize: 371B (listed 2 times)
MD5: 7df9378cd068117811256fbd614f1cca
SHA1: f970084108e2b2020b73f8bb4b53f235a3f20149
SHA256: 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493
SHA512: f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729

Filesize: 6KB (listed 2 times)
MD5: 0134421278bd8196c677004e39af44d1
SHA1: 4c225a95b716ad79b2cf28c09e11b7592a46eb41
SHA256: 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8
SHA512: 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262

Filesize: 6KB
MD5: e0fca882f352b1f9152d986cc304d217
SHA1: faa3bececc3486288643cc12b1a25920a42f3749
SHA256: 036cd8dbf47cfe76e985ae3054692155f9beab812b81a2b8c71f91764edb6cd7
SHA512: 0cacd787d3d579a7ba778b744fdd032bf10d04fa11c9c67c0975ad9cf7e7865f48415dd4a2bc5eeda2a1b6a6d6ec8c36e78c9777cecc3d852d42422278928438

Filesize: 6KB
MD5: 95055c1bfc7002c46e872e65649db4f1
SHA1: d752df17205c45608cc6eb60560fcc2a12591221
SHA256: dffe9d282d6d6c7e87242224de65c98d3e0bd92eccb7dac4be217091d33b6bc4
SHA512: db39055e77e1d1f20c9135becf7957634479257170c422e78eedd9ec33237c3660e47faec43c99e9c2586fc8010793490cbc14326e4690005b33ac5682c6fa90

Filesize: 6KB
MD5: ca0f788e62d611d48989651496d0362b
SHA1: 625725b3b1f71c2e3d2cbfc15c9488090049a76f
SHA256: 59981c1aa6ee94a24b2aca33ebf581d69c2cd4cf3d5f86217961a07fab442219
SHA512: 0c75767f4ba3c95273de18c51fb1d50e9795e97daf23fd99acf31079583befde873d9c7ab2db7793aa1a9e7babbc02679cd658d6e8c3b05c65d224b04a8808f3

Filesize: 6KB
MD5: f45910e8ebe9f0df6e5ef903df0657e1
SHA1: f924a2c44cfa1412c05d9e4da383934da2a1ba9c
SHA256: 18f41bf18c4df300bc34ecde651f6b6b47d5378776bdc1e369d2def06e510aec
SHA512: aed953f6cffcf893d48264b5c6429f1edbe8c815e7f8180827529b5df1dc5f53c69fc1e47da624c0bc6c94c2b0981c8dd221dad89be023f3fc48d1176fd451f4

Filesize: 15KB (listed 2 times)
MD5: 2a1a540b49c7b8cc78b580848772ca36
SHA1: 0befd7cce06f97f3b62dd7b75f331aa3240b990f
SHA256: 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921
SHA512: bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c

Filesize: 345B
MD5: 86efaf1a8666926f0e6efa7f7a27bb6c
SHA1: f39351820a7d988cf72852c886565ee895f9917d
SHA256: 7738f249275e5133c18d8006e56e540ff78a32f22d7d2ddddb24bf9b95e0b9c2
SHA512: 96ed49f9a23cbb314cfb14129dbc1fc707b37fa9fce57787ef9a9682d6f51c1a6b7b3fe379dfad22c50b7231eaa8613f1d0ad8c1df5fcd238ba897c1919b1030

Filesize: 8KB
MD5: f98defe17a8e79ea97a0ea9e1f2fd717
SHA1: c09a3b2399f00f62915b97d5e8f04ffdbb9ff200
SHA256: 5474c5a6cbf3c417b8fa8202aeed419d12038b81449674aad6cb20781843a81d
SHA512: 4bd52e7581c40b63e41df8d6521a3eb38ba8f1573ee193e4878a4af0f56db239b68e0faa1b0c31c8d7a9dfea8798be5649a42a604b0a25961e5a31caf3fb735e

Filesize: 321B
MD5: 935f2136b75f27769ccc7e5cda60eb27
SHA1: 480047af7d8b544cb45e713283ff3c39d9470340
SHA256: 10d421e27b815c3835ccff890a2be9fb834014a37bce460dfd22ceb9e2cf00f6
SHA512: 45559bb83faf2a8d615e5cc7b88e44ab3ab796a65828dd995bb0497591fb7b29aff0ff41c8892e370e112443a6744237bd1707ca2204ae282c55c9fbd761c810

Filesize: 14B
MD5: 9eae63c7a967fc314dd311d9f46a45b7
SHA1: caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256: 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512: bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Filesize: 221KB
MD5: 223954b6b921b05bf59b57f3db55c370
SHA1: d5213e96c5f6c8cf104eed7ce56c50d22e84519e
SHA256: f518330912fbb405e648111e511c48b73c375b911a322be9f8498727d8a45cef
SHA512: 0421e9076193112fa0a5c17591eb1bc8174048f97de37be8601e782add7ad326c541fbe95f65b9b09967e7d946377f9f276cacdb2c90f356ded9dbb58134686a

Filesize: 221KB (listed 2 times)
MD5: 0c7058e843c3cf4b0f485b9f526db6d0
SHA1: fc8779e60131c2c8bdcf212e85f531083e3debfc
SHA256: 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e
SHA512: 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822

Filesize: 109KB
MD5: b387506d1d609cdeaacf83ed5064deb2
SHA1: 6b0593bc8f4c07496cd6baab6298b5b6086310dd
SHA256: bf9944b7bebe993bf81246722865fb2d0060408f3ec4c111f2eeb8fef1a78997
SHA512: fc18fd97f40b1ce05cdc7d286de08fa15c1474633ebffa912bd7018d6c1085a66dd028a9ea53a98f219de4f1e99de489847f5dcde46efaad46f1cad8c3056a1c

Filesize: 85B
MD5: bc6142469cd7dadf107be9ad87ea4753
SHA1: 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256: b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA512: 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Filesize: 2B (listed 2 times)
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 91B
MD5: 3df5329028ec13c367e1283a462b0dab
SHA1: 4294d5cb78c980c90cf4da0a540943d931aed884
SHA256: 945cbff2edfc91f9dc83d777f498d9168e3ff0b9495ca91c97abaf85e226a85c
SHA512: b7a8f8117d82737ea9506285f4524ca2053bfbe7f24009b2036ebdc8ab6b4b99d9181889a318a3c284c4310be5b39fdbda9cd312bf2a02459d3b90acc06a6f49

Filesize: 1KB
MD5: d0faded3acf408ebb97a11c352c760ef
SHA1: 598ea636de9569e4aba34bdaba0a4b8f7ec9d7bc
SHA256: da8cb33f5a58c362620386d472bcd555da42dd58f28afa453f3e358fdc9a5cd0
SHA512: 2352bce292715ea07487f060ffe13696a754ede18353366c5f69441561c80271992afe47a16faf9cc1fb49c25eae7ce5a845fa7a04559253209958fe0a2ac98a

Filesize: 3KB
MD5: 8b54f4a71994d75f03d925e39b270266
SHA1: 1cc3fb083cecb12eb9ea7a2296c88e68cd8ce7f8
SHA256: 8fa966daba967f094792660843018f290ff549dbed28a9c02e8cffd795f08c76
SHA512: 16291f11162869bb7a9958b851f79bad6af4c90376fb98d111debe4536c9d4eda9738be0b82d1bb9f26e45a881987f901d1b14f806ccd1f411dc2e75acdd72be

Filesize: 3KB
MD5: a33e031116fc91cd8f03aa3850e395a0
SHA1: 1e4466087f9acd00dbd7987572e6d77893e34296
SHA256: 63da7180b93899c5c144f865f239d3a51812055620e7a204be6534661f5de073
SHA512: 5955c5f6f73e23a637a139b4530ebb2b47f9bddb78db7f7b78eadf507342a35c34625f244ba08d03eb8dd35fe7cd9da9e81d72a9635a6de78e768f8bae33a1e8

Filesize: 652B
MD5: 3ed69fcf43025df50e7ff3fa77a8dd97
SHA1: 0bc73e7407ae4e7743f84bf0e285413a53000548
SHA256: 0466286ef439f17314d6ad63c99f2d217c2c67cc40052b0a15347702936d0f49
SHA512: 452ce93216b6d5e95d095623fd2e2c113b3bd91b49904346c7367550cac28969953b2f256d8e6d70fda6ccac1944c9f8d35c43a449b00d7b46f33c21e7f1c4b2

Filesize: 435B
MD5: ee98b18b7a7a0cb24a9564ee3b770530
SHA1: a9d5245c3a1835eae87d8e98faf1dfbd33e2a633
SHA256: 3a72cbbb3032641f66650d753f9dd4c61659fc9e0e1f94bf7fce8b41a5ce767a
SHA512: 39f2a571431d73eb627094afac4ccbdde7acef284c623e21ef7c7e1d6d12f4d897610479c9eaec206472d8ff9c03232c6385895a8cd1766e44f733bb5f7f9037

Filesize: 334B
MD5: a6743587a682bc9723b2f65c041be508
SHA1: 68d08bb35141c5b7be1796fe373c294bd156b665
SHA256: d7292c7d79337214d67a68961cc174fc321b6f30484a64eec270d8204bcce874
SHA512: 97bcb92168c3afc01cf77ef44267bdc28e8f23cb0706794c8f6955a7cc64ddc4eedeb9f8bcbd56a085f1d40de94b904103e949365f4c429b1e5f2bb06d83f15b

Filesize: 1KB
MD5: d4066cc7fa7bb70669af47eac69f3ef0
SHA1: 642d369cc12b4f33ba97b608df5e511640c1ee96
SHA256: cb8e3091cc67c7a0dd5aad57baae2f8b7fb33a83dd7f8a65a39cf44a67684999
SHA512: d9d2574ec5a1bb4b871a461495bcb803ddef0f16c72c3532c4cde1b05dd56c0f93f32b3d0f84e0df75dff010d4e080637982a6570e00fc4bd3e68077049086eb

Filesize: 334B
MD5: 3c7cf5932df62f9cace43369e69c9cc2
SHA1: 6b81ff39623ffa65e4a8f0db83556bd0815a837f
SHA256: 77746c97acd6d4928c571eea76a10e80fe9c93cf615e3b49cbfe4bdd78d9931b
SHA512: 99f0c1908d29481730c783b4a12002573719c6df5de5a84909896ac0e301a4ba3c2080a10fc3ed772d3c0b193162b5f18eb18fe91f33d45f29a4773a4ebfe478