Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system -
submitted
07/12/2023, 01:01
Behavioral task
behavioral1
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win10v2004-20231127-en
General
-
Target
0924b9eca922c9227c4f426be5174bae.exe
-
Size
4.8MB
-
MD5
0924b9eca922c9227c4f426be5174bae
-
SHA1
8d2abdecd0fc744ee836d75ad5c3b52585d8041f
-
SHA256
e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
-
SHA512
47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2
-
SSDEEP
49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/
Malware Config
Signatures
-
DcRat 55 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
description ioc pid Process 1120 schtasks.exe 2268 schtasks.exe 3024 schtasks.exe 2056 schtasks.exe 2192 schtasks.exe 1332 schtasks.exe 2240 schtasks.exe 1884 schtasks.exe 524 schtasks.exe 2552 schtasks.exe 2512 schtasks.exe 2164 schtasks.exe 1300 schtasks.exe 1460 schtasks.exe 1148 schtasks.exe 2096 schtasks.exe 2680 schtasks.exe 1892 schtasks.exe 1948 schtasks.exe 2308 schtasks.exe 2376 schtasks.exe 1956 schtasks.exe 2612 schtasks.exe 2976 schtasks.exe 1844 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe 692 schtasks.exe 2064 schtasks.exe 2008 schtasks.exe 2520 schtasks.exe 2624 schtasks.exe 2804 schtasks.exe 2800 schtasks.exe 2312 schtasks.exe 956 schtasks.exe 868 schtasks.exe 584 schtasks.exe 1508 schtasks.exe 2200 schtasks.exe 2356 schtasks.exe 1412 schtasks.exe 2584 schtasks.exe 2480 schtasks.exe 1644 schtasks.exe 1552 schtasks.exe 2644 schtasks.exe 276 schtasks.exe 1972 schtasks.exe 1872 schtasks.exe 624 schtasks.exe 2652 schtasks.exe 2760 schtasks.exe 1916 schtasks.exe 1996 schtasks.exe 1360 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All 
Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", 
\"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All 
Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All 
Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media 
Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\"" winRefMonitor.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report, however, every flagged child is schtasks.exe launched by C:\Windows\system32\wbem\wmiprvse.exe (PID 2328); wmiprvse.exe appearing as the parent is the normal outcome when a process is created through WMI (e.g. Win32_Process.Create), so this is more likely the sample registering scheduled tasks via WMI than an exploit against the WMI provider host. Either way, a burst of 50+ schtasks.exe children under wmiprvse.exe is a strong detection signal for this persistence behavior.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1872 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 276 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1884 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1644 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 524 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 624 2328 
schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1120 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1148 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1300 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 868 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2328 schtasks.exe 33 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1360 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2328 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2328 schtasks.exe 33 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe -
resource yara_rule behavioral1/files/0x0007000000015223-16.dat dcrat behavioral1/files/0x0007000000015223-19.dat dcrat behavioral1/files/0x0007000000015223-18.dat dcrat behavioral1/files/0x0007000000015223-17.dat dcrat behavioral1/memory/2304-20-0x0000000001380000-0x00000000016EA000-memory.dmp dcrat behavioral1/memory/2304-22-0x000000001B190000-0x000000001B210000-memory.dmp dcrat behavioral1/files/0x0006000000015c6c-62.dat dcrat behavioral1/files/0x0005000000018695-99.dat dcrat behavioral1/files/0x0005000000018695-98.dat dcrat behavioral1/memory/2884-100-0x0000000000810000-0x0000000000B7A000-memory.dmp dcrat behavioral1/files/0x0005000000018695-116.dat dcrat behavioral1/memory/1552-117-0x0000000000BA0000-0x0000000000F0A000-memory.dmp dcrat behavioral1/memory/1552-119-0x000000001B2D0000-0x000000001B350000-memory.dmp dcrat behavioral1/files/0x000600000001873d-124.dat dcrat behavioral1/files/0x0005000000018695-132.dat dcrat behavioral1/memory/2568-134-0x000000001B1B0000-0x000000001B230000-memory.dmp dcrat behavioral1/files/0x000600000001873d-139.dat dcrat behavioral1/files/0x0005000000018695-147.dat dcrat behavioral1/memory/2440-148-0x00000000000A0000-0x000000000040A000-memory.dmp dcrat behavioral1/files/0x000600000001873d-155.dat dcrat behavioral1/files/0x0005000000018695-163.dat dcrat behavioral1/memory/2176-165-0x0000000000E10000-0x000000000117A000-memory.dmp dcrat behavioral1/memory/2176-166-0x000000001B1B0000-0x000000001B230000-memory.dmp dcrat behavioral1/files/0x000600000001873d-171.dat dcrat behavioral1/files/0x0005000000018695-179.dat dcrat behavioral1/files/0x000600000001873d-187.dat dcrat behavioral1/files/0x0005000000018695-195.dat dcrat behavioral1/files/0x000600000001873d-202.dat dcrat behavioral1/files/0x0005000000018695-210.dat dcrat behavioral1/files/0x000600000001873d-217.dat dcrat behavioral1/files/0x0005000000018695-225.dat dcrat behavioral1/files/0x000600000001873d-232.dat dcrat -
Disables Task Manager via registry modification (no IoC rows are included for this signature in this export)
-
Executes dropped EXE 10 IoCs
pid Process 2304 winRefMonitor.exe 2884 Idle.exe 1552 Idle.exe 2568 Idle.exe 2440 Idle.exe 2176 Idle.exe 1512 Idle.exe 2300 Idle.exe 2464 Idle.exe 1400 Idle.exe -
Loads dropped DLL 2 IoCs
pid Process 2632 cmd.exe 2632 cmd.exe -
Adds Run key to start application 2 TTPs 34 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\driversessioncrt\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\driversessioncrt\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\driversessioncrt\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = 
"\"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Help\\mui\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\driversessioncrt\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\driversessioncrt\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\driversessioncrt\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft 
Help\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Help\\mui\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\"" 
winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" winRefMonitor.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe 
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2732 0924b9eca922c9227c4f426be5174bae.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe winRefMonitor.exe File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\f3b6ecef712a24 winRefMonitor.exe File created C:\Program Files\Windows Media Player\Media Renderer\Idle.exe winRefMonitor.exe File created C:\Program Files\Windows Media Player\Media Renderer\6ccacd8608530f winRefMonitor.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe winRefMonitor.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\101b941d020240 winRefMonitor.exe File created C:\Program Files\Windows Journal\es-ES\wininit.exe winRefMonitor.exe File created C:\Program Files\Windows Journal\es-ES\56085415360792 winRefMonitor.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Help\mui\winlogon.exe winRefMonitor.exe File created C:\Windows\Help\mui\cc11b995f2a76d winRefMonitor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2240 schtasks.exe 2552 schtasks.exe 1300 schtasks.exe 2520 schtasks.exe 2584 schtasks.exe 2652 schtasks.exe 2096 schtasks.exe 1508 schtasks.exe 2624 schtasks.exe 1872 schtasks.exe 2612 schtasks.exe 1844 schtasks.exe 868 schtasks.exe 2164 schtasks.exe 584 schtasks.exe 2200 schtasks.exe 1892 schtasks.exe 1552 schtasks.exe 524 schtasks.exe 2644 schtasks.exe 1996 schtasks.exe 1956 schtasks.exe 1948 schtasks.exe 956 schtasks.exe 2376 schtasks.exe 2356 schtasks.exe 2064 schtasks.exe 1644 schtasks.exe 1360 schtasks.exe 1916 schtasks.exe 2056 schtasks.exe 2512 schtasks.exe 2976 schtasks.exe 1332 schtasks.exe 1148 schtasks.exe 3024 schtasks.exe 2312 schtasks.exe 2268 schtasks.exe 1884 schtasks.exe 2308 schtasks.exe 624 schtasks.exe 1120 schtasks.exe 2760 schtasks.exe 2680 schtasks.exe 2800 schtasks.exe 1972 schtasks.exe 692 schtasks.exe 1460 schtasks.exe 1412 schtasks.exe 2192 schtasks.exe 2008 schtasks.exe 2804 schtasks.exe 276 schtasks.exe 2480 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 768 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2304 winRefMonitor.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe 2884 Idle.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2304 winRefMonitor.exe Token: SeDebugPrivilege 2884 Idle.exe Token: SeDebugPrivilege 1552 Idle.exe Token: SeDebugPrivilege 2568 Idle.exe Token: SeDebugPrivilege 2440 Idle.exe Token: SeDebugPrivilege 2176 Idle.exe Token: SeDebugPrivilege 1512 Idle.exe Token: SeDebugPrivilege 2300 Idle.exe Token: SeDebugPrivilege 2464 Idle.exe Token: SeDebugPrivilege 1400 Idle.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2732 0924b9eca922c9227c4f426be5174bae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2772 2732 0924b9eca922c9227c4f426be5174bae.exe 28 PID 2732 wrote to memory of 2772 2732 0924b9eca922c9227c4f426be5174bae.exe 28 PID 2732 wrote to memory of 2772 2732 0924b9eca922c9227c4f426be5174bae.exe 28 PID 2732 wrote to memory of 2772 2732 0924b9eca922c9227c4f426be5174bae.exe 28 PID 2732 wrote to memory of 2476 2732 0924b9eca922c9227c4f426be5174bae.exe 29 PID 2732 wrote to memory of 2476 2732 0924b9eca922c9227c4f426be5174bae.exe 29 PID 2732 wrote to memory of 2476 2732 0924b9eca922c9227c4f426be5174bae.exe 29 PID 2732 wrote to memory of 2476 2732 0924b9eca922c9227c4f426be5174bae.exe 29 PID 2772 wrote to memory of 2632 2772 WScript.exe 30 PID 2772 wrote to memory of 2632 2772 WScript.exe 30 PID 2772 wrote to memory of 2632 2772 WScript.exe 30 PID 2772 wrote to memory of 2632 2772 WScript.exe 30 PID 2632 wrote to memory of 2304 2632 cmd.exe 32 PID 2632 wrote to memory of 2304 2632 cmd.exe 32 PID 2632 wrote to memory of 2304 2632 cmd.exe 32 PID 2632 wrote to memory of 2304 2632 cmd.exe 32 PID 2304 wrote to memory of 2884 2304 winRefMonitor.exe 88 PID 2304 wrote to memory of 2884 2304 winRefMonitor.exe 88 PID 2304 wrote to memory of 2884 2304 winRefMonitor.exe 88 PID 2632 wrote to memory of 768 2632 cmd.exe 89 PID 2632 wrote to memory of 768 2632 cmd.exe 89 PID 2632 wrote to memory of 768 2632 cmd.exe 89 PID 2632 wrote to memory of 768 2632 cmd.exe 89 PID 2884 wrote to memory of 1216 2884 Idle.exe 91 PID 2884 wrote to memory of 1216 2884 Idle.exe 91 PID 2884 wrote to memory of 1216 2884 Idle.exe 91 PID 2884 wrote to memory of 2868 2884 Idle.exe 93 PID 2884 wrote to memory of 2868 2884 Idle.exe 93 PID 2884 wrote to memory of 2868 2884 Idle.exe 93 PID 1216 wrote to memory of 1552 1216 WScript.exe 94 PID 1216 wrote to memory of 1552 1216 WScript.exe 94 PID 1216 wrote to memory of 1552 1216 WScript.exe 94 PID 1552 wrote to memory of 2108 1552 Idle.exe 95 PID 1552 wrote to memory of 2108 1552 Idle.exe 95 
PID 1552 wrote to memory of 2108 1552 Idle.exe 95 PID 1552 wrote to memory of 1500 1552 Idle.exe 96 PID 1552 wrote to memory of 1500 1552 Idle.exe 96 PID 1552 wrote to memory of 1500 1552 Idle.exe 96 PID 2108 wrote to memory of 2568 2108 WScript.exe 97 PID 2108 wrote to memory of 2568 2108 WScript.exe 97 PID 2108 wrote to memory of 2568 2108 WScript.exe 97 PID 2568 wrote to memory of 1460 2568 Idle.exe 98 PID 2568 wrote to memory of 1460 2568 Idle.exe 98 PID 2568 wrote to memory of 1460 2568 Idle.exe 98 PID 2568 wrote to memory of 2376 2568 Idle.exe 99 PID 2568 wrote to memory of 2376 2568 Idle.exe 99 PID 2568 wrote to memory of 2376 2568 Idle.exe 99 PID 1460 wrote to memory of 2440 1460 WScript.exe 100 PID 1460 wrote to memory of 2440 1460 WScript.exe 100 PID 1460 wrote to memory of 2440 1460 WScript.exe 100 PID 2440 wrote to memory of 1788 2440 Idle.exe 101 PID 2440 wrote to memory of 1788 2440 Idle.exe 101 PID 2440 wrote to memory of 1788 2440 Idle.exe 101 PID 2440 wrote to memory of 1000 2440 Idle.exe 102 PID 2440 wrote to memory of 1000 2440 Idle.exe 102 PID 2440 wrote to memory of 1000 2440 Idle.exe 102 PID 1788 wrote to memory of 2176 1788 WScript.exe 103 PID 1788 wrote to memory of 2176 1788 WScript.exe 103 PID 1788 wrote to memory of 2176 1788 WScript.exe 103 PID 2176 wrote to memory of 2600 2176 Idle.exe 104 PID 2176 wrote to memory of 2600 2176 Idle.exe 104 PID 2176 wrote to memory of 2600 2176 Idle.exe 104 PID 2176 wrote to memory of 2232 2176 Idle.exe 105 PID 2176 wrote to memory of 2232 2176 Idle.exe 105 -
System policy modification 1 TTPs 30 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\driversessioncrt\winRefMonitor.exe"C:\driversessioncrt\winRefMonitor.exe"4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2304 -
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2884 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1552 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d14c06b-8378-4731-b165-4807a2518949.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2568 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a0d647-ff7e-49cb-9934-340a5d72a931.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7fb275-0fc6-42a5-9b5f-1c8c08fc1351.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35bec90-31dc-46b3-8696-fb9d5f90b5cc.vbs"14⤵PID:2600
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1512 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a591c9e4-ff40-4f7f-aa46-d91683971f20.vbs"16⤵PID:2412
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2300 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4386507-e143-426a-8a68-8e9952d04003.vbs"18⤵PID:1428
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2464 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08d09c4-c313-4eb6-8a44-8c465bbbbe03.vbs"20⤵PID:1596
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1400 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41113b90-1b69-459b-ac26-23d086d89439.vbs"22⤵PID:1600
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34ebc9b-80a3-4361-afb8-3067b4282ee9.vbs"22⤵PID:2456
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71cde320-ff3e-4e44-b296-91a77191491a.vbs"20⤵PID:1980
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9114eb4-1a01-47a1-8f54-3c71d0b607fd.vbs"18⤵PID:2904
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f46b3da-4289-4cd9-a01f-e769fe45c79d.vbs"16⤵PID:3016
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b58bb03-84ed-41ef-9258-91ec62b1f6a5.vbs"14⤵PID:2232
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\910e23da-a579-4e41-9d81-7afe33bd8605.vbs"12⤵PID:1000
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb7e341-36b1-4fa3-aaa1-61cb70739857.vbs"10⤵PID:2376
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs"8⤵PID:1500
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs"6⤵PID:2868
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:768
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"2⤵PID:2476
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\driversessioncrt\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Downloads
-
Filesize
706B
MD5 803097664d2b47bb181ad16b1efd0265
SHA1 5bd24cdf0730739e4c592a740d6fd9c7c81f2429
SHA256 da99f178cf10eb76265fa315799d1c616895db5347af425bc74624d52bd6b665
SHA512 22664bb345d1ff6b9d6748f4e7b7962cfdee39ab58f68c59ec729502e582a98d2a39b7144857a1d5514eba771598762eb6b2155b517d61ff2d1afa8b1e8ead42
-
Filesize
706B
MD5 af14cd157ea3cd99f86fa101a56296dc
SHA1 8d003127e77b51e4a4839071ff57edd682a9c614
SHA256 5a3c5e310dfb2869a2bd25eca2593834f6d99bef899eae91c2ff87f59b9f5c78
SHA512 b4ce19496e962c1e5894482c82bd0b926b0c9d4350563b2ff706fd2a7376fece52aa17359d93ae6eefbd8da9df960576feb938c1ea95a94f9931093bee6c75a8
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
706B
MD5 f7fe6de5015506801350a7bccedb0c66
SHA1 9ed234ac8dd6a064cfc2d4f5496cc5d0b422ba28
SHA256 9840921768030374b20bc9e61420e07440b8a6f2f3e38ab62bcb998c0fd7c600
SHA512 ba5047e541e53a6af553b4c7e97059d83f89449dc12bb18f82780eda41a87a467fcd20af804f1a58531582201c4a47773ba66f23af5281466f0c6e0cd51f48de
-
Filesize
706B
MD5 0fc91bda12256de30d9feacc9a3947c0
SHA1 6fa4bae559c5aaf586bc5f16230e0cb7820c62af
SHA256 45847ac06526de9eef77d8bded1595488875633b851c7a591e6143a0b8f1eb0a
SHA512 d14ed2f29556d2b1cb3eff47365b3b0bc2ebf384a7a09cfffc7330f411db3192cf09da3eba859eebb4a27ee2b4fe968e615104567fcffe8450ca193d49f82aa3
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
706B
MD5 c575ea1bab586499ed030a88b0b032f9
SHA1 98cedd108b82c5fab3e60a09c7174abcf14acc6e
SHA256 8b77d8bfa8e93ecd9b35b6957c2e162ab54a39bf53fe3133083d082566bbfc4a
SHA512 c2d144668a478f82bfc781dfc69669911de2a5eb01ad4c7c464ead2c5b3d7bc8c864c7ec98768c7054395f92b9eb4654ec87ffea72a3b1ec8a89d648d6a7e1ca
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
706B
MD5 9ee13cbb111f6d31347095a54d366596
SHA1 55ec550aaed63fb331c55d4c0afa3c4f87d81500
SHA256 ff634b14e2bc36852410165f3f0a2cd2c1c2faa4f41a10d0e459799e426bfa96
SHA512 59ad95306617853f2cf0c3cd619af307a170e6bdefdd775a78fe61cc44df24ce0f213a628136dfc640e8670722f29e84d9dbbdb584b5a1d8fae70761a91da266
-
Filesize
706B
MD5 5254277bb8994bafb66633a81d58e3e2
SHA1 41675568a9a2d669d64b81d0d1fd3d3dab815204
SHA256 c33ae29b8af1929c835b868f6808923c77b0388b7cb229de405c40b8757f13d8
SHA512 39bdc00189ec74c8cdcef1c20460badb4f2153a511ad18c4df4af777075171bb25b07c5879447e7f6518af9ef678f0e0e3ceaefdb1b2ce5c8f3e54c0441d652c
-
Filesize
706B
MD5 42ba3b0ea5e6ffd5edd8d99b60a1d238
SHA1 3cbd7f766904ca13be699fa343d4a99051dd0e14
SHA256 76a865fbf6da8b850b74c9c529e285d706c5c2699646ed5357187eff18012a31
SHA512 b3f44c6a230f7b47510636197a7b8816993fb80dc297aeb20d3f4aa189457661bd26c94b3f2aac857cb649a0c5057c23b3ac0dffa2f54e9d51ffba308eb0152c
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
482B
MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
-
Filesize
706B
MD5 cc73c785ea800bdf94275a01d492b44b
SHA1 d3c5eeb4bedac2aaa5f2c8ff23c815ab54e8d373
SHA256 f44370a461586be250e1e4083744e6632a26e4013c94ac74017f9c8a22601cc4
SHA512 35eb31f7d5027d80650f43048571ab4921097bb8c39d5e3945aafea8bf9e40f453e6dd779b9e02a0378a0b072f66f3893c323bcffb861f4fd23e74923c8b66b7
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
151B
MD5 40a5023d150998b4ba256dd94ea31230
SHA1 36702bfd3e71b3495e61ea589003bb856b959aca
SHA256 e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA512 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15
-
Filesize
34B
MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
223B
MD5 d7664d494b1b6e05334ada9accc57d06
SHA1 2cc50d284a600e30287fdef5efe56a586199eb28
SHA256 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA512 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44