Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system -
submitted
07/12/2023, 01:01
Behavioral task
behavioral1
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win10v2004-20231127-en
General
-
Target
0924b9eca922c9227c4f426be5174bae.exe
-
Size
4.8MB
-
MD5
0924b9eca922c9227c4f426be5174bae
-
SHA1
8d2abdecd0fc744ee836d75ad5c3b52585d8041f
-
SHA256
e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
-
SHA512
47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2
-
SSDEEP
49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/
Malware Config
Signatures
-
DcRat 53 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description ioc pid Process 3816 schtasks.exe 1360 schtasks.exe 976 schtasks.exe 2760 schtasks.exe 4472 schtasks.exe 4716 schtasks.exe 4216 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation 0924b9eca922c9227c4f426be5174bae.exe 2532 schtasks.exe 1636 schtasks.exe 4676 schtasks.exe 1700 schtasks.exe 4588 schtasks.exe 4864 schtasks.exe 4076 schtasks.exe 964 schtasks.exe 4468 schtasks.exe 4876 schtasks.exe 3356 schtasks.exe 1316 schtasks.exe File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\38384e6a620884 winRefMonitor.exe 4224 schtasks.exe 1736 schtasks.exe 3492 schtasks.exe 4976 schtasks.exe 2984 schtasks.exe 4912 schtasks.exe 3160 schtasks.exe 2092 schtasks.exe 4804 schtasks.exe 1172 schtasks.exe 740 schtasks.exe 3892 schtasks.exe 2044 schtasks.exe 4544 schtasks.exe 4312 schtasks.exe 3560 schtasks.exe 3852 schtasks.exe 4580 schtasks.exe 3444 schtasks.exe 1436 schtasks.exe 3864 schtasks.exe 2384 schtasks.exe 1740 schtasks.exe 2660 schtasks.exe 3012 schtasks.exe 3240 schtasks.exe 1820 schtasks.exe 4452 schtasks.exe 5108 schtasks.exe 1932 schtasks.exe 3952 schtasks.exe 4612 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", 
\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files 
(x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Users\\All Users\\Start Menu\\dllhost.exe\", \"C:\\odt\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", 
\"C:\\Users\\Admin\\cmd.exe\", \"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", 
\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\cmd.exe\"" winRefMonitor.exe -
Process spawned unexpected child process 51 IoCs
This typically indicates that the parent process was compromised, for example via an exploit or a macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4716 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3560 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3492 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4312 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3864 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4612 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 2660 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4676 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1700 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1316 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4544 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1172 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3852 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3240 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4452 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3160 4092 
schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3444 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1360 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3356 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4216 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 740 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 4092 schtasks.exe 101 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4472 4092 schtasks.exe 101 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 
sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe -
resource yara_rule behavioral2/files/0x000600000002322c-17.dat dcrat behavioral2/files/0x000600000002322c-18.dat dcrat behavioral2/memory/4064-19-0x00000000000C0000-0x000000000042A000-memory.dmp dcrat behavioral2/files/0x0009000000023240-61.dat dcrat behavioral2/files/0x000600000002324f-100.dat dcrat behavioral2/files/0x000600000002324f-102.dat dcrat behavioral2/files/0x000600000002324f-116.dat dcrat behavioral2/files/0x000f000000023284-123.dat dcrat behavioral2/files/0x000600000002324f-131.dat dcrat behavioral2/files/0x000f000000023284-139.dat dcrat behavioral2/files/0x000600000002324f-147.dat dcrat behavioral2/files/0x000f000000023284-153.dat dcrat behavioral2/files/0x000600000002324f-161.dat dcrat behavioral2/files/0x000f000000023284-166.dat dcrat behavioral2/files/0x000600000002324f-174.dat dcrat behavioral2/files/0x000f000000023284-180.dat dcrat behavioral2/files/0x000600000002324f-188.dat dcrat behavioral2/files/0x000f000000023284-195.dat dcrat behavioral2/files/0x000600000002324f-203.dat dcrat behavioral2/files/0x000f000000023284-210.dat dcrat behavioral2/files/0x000600000002324f-218.dat dcrat behavioral2/files/0x000f000000023284-224.dat dcrat behavioral2/files/0x000600000002324f-232.dat dcrat behavioral2/files/0x000f000000023284-238.dat dcrat behavioral2/files/0x000600000002324f-246.dat dcrat behavioral2/files/0x000600000002324f-260.dat dcrat -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation winRefMonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation 0924b9eca922c9227c4f426be5174bae.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation sppsvc.exe -
Executes dropped EXE 13 IoCs
pid Process 4064 winRefMonitor.exe 3944 sppsvc.exe 1884 sppsvc.exe 3176 sppsvc.exe 4432 sppsvc.exe 1716 sppsvc.exe 4676 sppsvc.exe 532 sppsvc.exe 740 sppsvc.exe 3520 sppsvc.exe 1548 sppsvc.exe 1760 sppsvc.exe 964 sppsvc.exe -
Adds Run key to start application 2 TTPs 34 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\odt\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\CbsTemp\\sppsvc.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = 
"\"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\odt\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\CbsTemp\\sppsvc.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" winRefMonitor.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" winRefMonitor.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3052 0924b9eca922c9227c4f426be5174bae.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File created C:\Program Files\Windows Security\BrowserCore\Idle.exe winRefMonitor.exe File created C:\Program Files\Windows Security\BrowserCore\6ccacd8608530f winRefMonitor.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe winRefMonitor.exe File created C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe winRefMonitor.exe File created C:\Program Files (x86)\Windows Multimedia Platform\088424020bedd6 winRefMonitor.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe winRefMonitor.exe File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe winRefMonitor.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe winRefMonitor.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 winRefMonitor.exe File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\38384e6a620884 winRefMonitor.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\eddb19405b7ce1 winRefMonitor.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\GameBarPresenceWriter\unsecapp.exe winRefMonitor.exe File created C:\Windows\GameBarPresenceWriter\29c1c3cc0f7685 winRefMonitor.exe File created C:\Windows\CbsTemp\sppsvc.exe winRefMonitor.exe File created C:\Windows\CbsTemp\0a1fd5f707cd16 winRefMonitor.exe File created C:\Windows\DigitalLocker\en-US\fontdrvhost.exe winRefMonitor.exe File created C:\Windows\DigitalLocker\en-US\5b884080fd4f94 winRefMonitor.exe -
Enumerates physical storage devices 1 TTPs
The sample attempts to interact with connected storage or optical drives.
-
Creates scheduled task(s) 1 TTPs 51 IoCs
schtasks.exe is commonly used by malware to establish persistence or to run additional payloads after infection; here the created tasks use names that mimic Windows binaries (for example "SearchApp", "System", "unsecapp") and request the highest run level.
pid Process 4612 schtasks.exe 3816 schtasks.exe 4876 schtasks.exe 2660 schtasks.exe 3012 schtasks.exe 2384 schtasks.exe 3492 schtasks.exe 4544 schtasks.exe 1360 schtasks.exe 4976 schtasks.exe 3852 schtasks.exe 4864 schtasks.exe 3864 schtasks.exe 1700 schtasks.exe 4224 schtasks.exe 1436 schtasks.exe 3952 schtasks.exe 5108 schtasks.exe 2092 schtasks.exe 4716 schtasks.exe 1316 schtasks.exe 1820 schtasks.exe 1740 schtasks.exe 1636 schtasks.exe 4312 schtasks.exe 976 schtasks.exe 3892 schtasks.exe 3444 schtasks.exe 4472 schtasks.exe 3160 schtasks.exe 4216 schtasks.exe 2044 schtasks.exe 2532 schtasks.exe 3240 schtasks.exe 1172 schtasks.exe 4468 schtasks.exe 4804 schtasks.exe 740 schtasks.exe 1932 schtasks.exe 1736 schtasks.exe 4076 schtasks.exe 4676 schtasks.exe 4912 schtasks.exe 964 schtasks.exe 4452 schtasks.exe 4580 schtasks.exe 4588 schtasks.exe 2760 schtasks.exe 3356 schtasks.exe 3560 schtasks.exe 2984 schtasks.exe -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings 0924b9eca922c9227c4f426be5174bae.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings winRefMonitor.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings sppsvc.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4540 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 4064 winRefMonitor.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe 3944 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 4064 winRefMonitor.exe Token: SeDebugPrivilege 3944 sppsvc.exe Token: SeDebugPrivilege 1884 sppsvc.exe Token: SeDebugPrivilege 3176 sppsvc.exe Token: SeDebugPrivilege 4432 sppsvc.exe Token: SeDebugPrivilege 1716 sppsvc.exe Token: SeDebugPrivilege 4676 sppsvc.exe Token: SeDebugPrivilege 532 sppsvc.exe Token: SeDebugPrivilege 740 sppsvc.exe Token: SeDebugPrivilege 3520 sppsvc.exe Token: SeDebugPrivilege 1548 sppsvc.exe Token: SeDebugPrivilege 1760 sppsvc.exe Token: SeDebugPrivilege 964 sppsvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3052 0924b9eca922c9227c4f426be5174bae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3052 wrote to memory of 1364 3052 0924b9eca922c9227c4f426be5174bae.exe 89 PID 3052 wrote to memory of 1364 3052 0924b9eca922c9227c4f426be5174bae.exe 89 PID 3052 wrote to memory of 1364 3052 0924b9eca922c9227c4f426be5174bae.exe 89 PID 3052 wrote to memory of 1820 3052 0924b9eca922c9227c4f426be5174bae.exe 90 PID 3052 wrote to memory of 1820 3052 0924b9eca922c9227c4f426be5174bae.exe 90 PID 3052 wrote to memory of 1820 3052 0924b9eca922c9227c4f426be5174bae.exe 90 PID 1364 wrote to memory of 4852 1364 WScript.exe 102 PID 1364 wrote to memory of 4852 1364 WScript.exe 102 PID 1364 wrote to memory of 4852 1364 WScript.exe 102 PID 4852 wrote to memory of 4064 4852 cmd.exe 104 PID 4852 wrote to memory of 4064 4852 cmd.exe 104 PID 4064 wrote to memory of 1636 4064 winRefMonitor.exe 158 PID 4064 wrote to memory of 1636 4064 winRefMonitor.exe 158 PID 1636 wrote to memory of 4580 1636 cmd.exe 160 PID 1636 wrote to memory of 4580 1636 cmd.exe 160 PID 4852 wrote to memory of 4540 4852 cmd.exe 161 PID 4852 wrote to memory of 4540 4852 cmd.exe 161 PID 4852 wrote to memory of 4540 4852 cmd.exe 161 PID 1636 wrote to memory of 3944 1636 cmd.exe 163 PID 1636 wrote to memory of 3944 1636 cmd.exe 163 PID 3944 wrote to memory of 1376 3944 sppsvc.exe 164 PID 3944 wrote to memory of 1376 3944 sppsvc.exe 164 PID 3944 wrote to memory of 4564 3944 sppsvc.exe 165 PID 3944 wrote to memory of 4564 3944 sppsvc.exe 165 PID 1376 wrote to memory of 1884 1376 WScript.exe 167 PID 1376 wrote to memory of 1884 1376 WScript.exe 167 PID 1884 wrote to memory of 812 1884 sppsvc.exe 169 PID 1884 wrote to memory of 812 1884 sppsvc.exe 169 PID 1884 wrote to memory of 5064 1884 sppsvc.exe 170 PID 1884 wrote to memory of 5064 1884 sppsvc.exe 170 PID 812 wrote to memory of 3176 812 WScript.exe 171 PID 812 wrote to memory of 3176 812 WScript.exe 171 PID 3176 wrote to memory of 3592 3176 sppsvc.exe 172 PID 3176 wrote to memory of 3592 3176 sppsvc.exe 172 PID 3176 wrote to 
memory of 4976 3176 sppsvc.exe 173 PID 3176 wrote to memory of 4976 3176 sppsvc.exe 173 PID 3592 wrote to memory of 4432 3592 WScript.exe 174 PID 3592 wrote to memory of 4432 3592 WScript.exe 174 PID 4432 wrote to memory of 4160 4432 sppsvc.exe 175 PID 4432 wrote to memory of 4160 4432 sppsvc.exe 175 PID 4432 wrote to memory of 3396 4432 sppsvc.exe 176 PID 4432 wrote to memory of 3396 4432 sppsvc.exe 176 PID 4160 wrote to memory of 1716 4160 WScript.exe 177 PID 4160 wrote to memory of 1716 4160 WScript.exe 177 PID 1716 wrote to memory of 2852 1716 sppsvc.exe 178 PID 1716 wrote to memory of 2852 1716 sppsvc.exe 178 PID 1716 wrote to memory of 4492 1716 sppsvc.exe 179 PID 1716 wrote to memory of 4492 1716 sppsvc.exe 179 PID 2852 wrote to memory of 4676 2852 WScript.exe 181 PID 2852 wrote to memory of 4676 2852 WScript.exe 181 PID 4676 wrote to memory of 1384 4676 sppsvc.exe 182 PID 4676 wrote to memory of 1384 4676 sppsvc.exe 182 PID 4676 wrote to memory of 3704 4676 sppsvc.exe 183 PID 4676 wrote to memory of 3704 4676 sppsvc.exe 183 PID 1384 wrote to memory of 532 1384 WScript.exe 184 PID 1384 wrote to memory of 532 1384 WScript.exe 184 PID 532 wrote to memory of 4852 532 sppsvc.exe 185 PID 532 wrote to memory of 4852 532 sppsvc.exe 185 PID 532 wrote to memory of 4052 532 sppsvc.exe 186 PID 532 wrote to memory of 4052 532 sppsvc.exe 186 PID 4852 wrote to memory of 740 4852 WScript.exe 188 PID 4852 wrote to memory of 740 4852 WScript.exe 188 PID 740 wrote to memory of 3012 740 sppsvc.exe 191 PID 740 wrote to memory of 3012 740 sppsvc.exe 191 -
System policy modification 1 TTPs 39 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot or at set times, providing the same persistence as schtasks.exe without a visible schtasks.exe process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\driversessioncrt\winRefMonitor.exe"C:\driversessioncrt\winRefMonitor.exe"4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4064 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4580
C:\Windows\CbsTemp\sppsvc.exe"C:\Windows\CbsTemp\sppsvc.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3944 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1884 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d82c474-4950-4bb2-b272-cc4be1f5bfd0.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4432 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1d2063-8252-4ead-8920-eaad7f8e1802.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1716 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fda44d9-cde8-45a2-bd63-2adb96f3b438.vbs"15⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4676 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647596ca-851c-4574-a46d-4443b39e168e.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:532 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fac16e73-ff57-44f5-9727-f60b606e5f90.vbs"19⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b703ae-ae96-4a51-9cd5-ad50b596d704.vbs"21⤵PID:3012
-
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3520 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16dac168-a431-4c4f-b6a2-8ee789555481.vbs"23⤵PID:4256
-
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1548 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a272f8a2-f8fa-4713-8e62-1a5a30d51efc.vbs"25⤵PID:4644
-
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1760 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c137ff-c275-4a22-89aa-44938c686f1a.vbs"27⤵PID:2760
-
C:\Windows\CbsTemp\sppsvc.exeC:\Windows\CbsTemp\sppsvc.exe28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:964
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0174bee6-d263-4e4f-93af-522f35c4b8fc.vbs"27⤵PID:2000
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620f32a2-4845-4af9-b69a-1e3027b0a8c0.vbs"25⤵PID:3900
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64905966-98d5-4adb-8756-374607d03e5f.vbs"23⤵PID:2244
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a55438d-bcc8-4712-9c67-735eac7b212d.vbs"21⤵PID:4240
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d82b782-fe67-48fc-8ec6-01bb1840bd9b.vbs"19⤵PID:4052
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3a2a3b-4646-4bf7-a541-1f79980fddc3.vbs"17⤵PID:3704
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b888ed-d9a6-459d-ac45-6d9713b76875.vbs"15⤵PID:4492
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\073f376f-ded4-40b9-b7fe-d46f112e1884.vbs"13⤵PID:3396
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0adcba0-2998-4cc3-a212-0e965ded242c.vbs"11⤵PID:4976
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs"9⤵PID:5064
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs"7⤵PID:4564
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:4540
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"2⤵PID:1820
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\winlogon.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\cmd.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Downloads
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
705B
MD5efaa724b56bc41736f4d8a924ecbf4ae
SHA1f26f602ace9fba99400a83248a0dacc54ca48405
SHA2563373f944abf5b7d677c519d43fe8a5c569d9108625ed4d59caecd01c1e175024
SHA512b37e705c5ebd9a268404fab6d8ab68681da438db6f7eca90a87029d54e06b5e840e10096c43ba6ca091971b47ee2e9df6521d3e4fd75f16b3a3f911356051ff3
-
Filesize
705B
MD5f0c39e58d1c922d42f5e6d6995a549e9
SHA1b5b2ddc8250238891fbca778114efa273d77d79d
SHA256c2ae7bbce1b936285eb02ae052c78c504c204dcddecebb0a48478e89155290e1
SHA512db860f937adcdfae724e61a47b5705772f63b30dec2e6175c6e48ebd74a3d71f1bf2b1a8e99e2f65e608ff6ec1b41aa3da49581f688110ea750d3317aefe2d9d
-
Filesize
705B
MD5226086e0b064c005fde1eeff83f159c6
SHA130c9c8b259fbcf65d12cbeaea5b452dad258b429
SHA256f04132abf5325cd38a7ebb1f1d20cc0dae15ba680646dc27ea227955aab34295
SHA512fd279aefc20bf6d3ff4ea0bccf3c178e324288ea15c8d183fb1703aecf6d5e04f7ff856f950c9c01972089cafa009d5ba5c550d774802818afd82c909149d8a0
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
705B
MD5fd181e405acd701fa96881d4ce0bcc9e
SHA1e072a5f5c607e68792e1c8654273604697cb8a2b
SHA2567245e0da5f770c70306b0f59c71a317c4a592538a9568b208fac638c341646b0
SHA512d9effdba34777efbeeab43d1eff646f1e6709a9e975f6ec59cabad2997555123032fc172a7c2f668f4ec69372971ee2006084292237b6188925973b05cf40da7
-
Filesize
194B
MD5bf703388a4b39ef8a948394b8775f6e3
SHA1d240f2900c87b932d6db7889164248df288902c3
SHA256a494b811cd994efdb6471818578373fa96246bcc2e0dcde0abbe6df7a64dcdd2
SHA5120716772857217ff92dd35c5bfd648f70a7d1483ef95a6aeb1f1bb66e5102fe0b68eb1cac65ba8d5bf690bdb5177d45d3d68d0614c6ba160adc2bff6b7eb9f8d8
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
704B
MD57e02b28556e955178620a4920de922eb
SHA1431bfedf4ee084592410826a1c1353e9b505a8a6
SHA256d43954359edb407d78127fef7fdfe2ec87fd0f48c6444176d9475e3ae377eaf6
SHA512dc8dc444df3ca6f1428714f5213501392fbd4c2fbd6e7a55dd640009e5083ac627dd9c442c5668ada06c5cc90bc36858818e20c80188b74142b133525e826ce5
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
705B
MD5836eb0eb0627d4ace3c50c48098e08b5
SHA1b5db99c9b166b354f84f5919b130c088f3e595b5
SHA2566eba10f0c75e6c7854f60d3bbaa7f5645cccdb15aff0d47432fccb7760ee6259
SHA512fb72a7f53bf18738f84c13e852f656a60fc2853a565640786d0402438c2b69fd975f3a3d772265eb3a14fc16f3b5d1a3e3f28bd8d8ee782349d26b79eacd293a
-
Filesize
705B
MD57bdb6ec84b384161ad22b02b62815228
SHA12c191a2bf0238a9ff3a651997952895118da6c61
SHA256085b24de0e5ba69c59489b8e4af9db6c01d1ad3e3238b74df141f403d8551593
SHA5129b9bdec3627b206e968292555a6fbbfe5431861cefc4efc85c93afc0dc6286beb61210b31e4909f5af9162599972c35175bff5f5686ca8a53be8d70c3acbdbcc
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
705B
MD51bdc160398e3e6b1a1d4ebe9d8967fc8
SHA1aaff089f4474d168ee17cfe6416920237706f8ef
SHA256d32c8b9cb646f52095b5a15cf6852e682aee2a4aa48a490b1d9144e1f1e480d0
SHA512e461847bcc048f9c1a35785c12bd916652760444b1fad76c8d3e63fac734100af803e461743fb6f0f7ad271f2f22350e8ae469960594d499aaafabf842f59160
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
481B
MD575fe9a54cb7e3a10162044b51a648ea4
SHA11ee335a8b62888134098c978796e9b04f154c98f
SHA25654dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6
-
Filesize
705B
MD5553136ac84406057d285bf24e7c3716b
SHA1d4348d5677b4991b010e83440e3035f558656bbf
SHA256aac2345cbd6bd428ffddfeb07550b1f897c38f8874a2f4616b442c49adceac3b
SHA5124f366a4cb692a765bb1bc0c3809f5016353db9f72fd1375034ada166f4329dd0da17b38ea5efbd20e9eb66e5231ea8ecb981a3bf427ca4912129870f1ab4b790
-
Filesize
705B
MD57514c53493f24b8bd438620d805807d1
SHA145b267248f0da0e873fd8aa30f487dc31e22b757
SHA256b57ce882ca1069f7e0b95960f197b2483fda794b5d13aceeeb6d0fb75846b893
SHA5126131a050b704b1cf1b1d11ce57b7aa033513d87e20a7fa7d2950a6e371dc2284bed1c745f39585d59af7a06c3c3010b43df385b63d35cd847d767ef029dea881
-
Filesize
704B
MD585e9d47282a9082a6efa7b600fce6995
SHA188995d07d4ade929030c712aa95ff58f11e5b051
SHA256c2be94438c2270a44c0f75bb5ae3647532fbc3743982b635303b39a277058a27
SHA512ee70a0f6664bade0fb498ab72d2edb89c20dd00a373ac824ac2d19a8285d754d9da008b9f6ea6b16fb1ec1c93d28c47630e49da2dfc1f8fa4b48b963e28cf808
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
151B
MD540a5023d150998b4ba256dd94ea31230
SHA136702bfd3e71b3495e61ea589003bb856b959aca
SHA256e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA5126deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
223B
MD5d7664d494b1b6e05334ada9accc57d06
SHA12cc50d284a600e30287fdef5efe56a586199eb28
SHA256531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA5127e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44