Analysis
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64 arch:x86 image:win7-20231130-en locale:en-us os:windows7-x64 system -
submitted
07/12/2023, 01:02
Behavioral task
behavioral1
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win10v2004-20231127-en
General
Target
0924b9eca922c9227c4f426be5174bae.exe
Size
4.8MB
MD5
0924b9eca922c9227c4f426be5174bae
SHA1
8d2abdecd0fc744ee836d75ad5c3b52585d8041f
SHA256
e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
SHA512
47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2
SSDEEP
49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/
Malware Config
Signatures
DcRat 44 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description ioc pid Process 1512 schtasks.exe 1240 schtasks.exe 1092 schtasks.exe 1648 schtasks.exe 2320 schtasks.exe 1496 schtasks.exe 3028 schtasks.exe 2724 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe 1936 schtasks.exe 2948 schtasks.exe 832 schtasks.exe 1868 schtasks.exe 984 schtasks.exe 572 schtasks.exe 1160 schtasks.exe 2544 schtasks.exe 764 schtasks.exe 808 schtasks.exe 2656 schtasks.exe 2092 schtasks.exe 880 schtasks.exe 2628 schtasks.exe 1256 schtasks.exe 1156 schtasks.exe 2232 schtasks.exe 2416 schtasks.exe 1600 schtasks.exe 1488 schtasks.exe 1956 schtasks.exe 664 schtasks.exe 2144 schtasks.exe 1440 schtasks.exe 2852 schtasks.exe 3060 schtasks.exe 1808 schtasks.exe 1996 schtasks.exe 2164 schtasks.exe File created C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 winRefMonitor.exe 2424 schtasks.exe 1948 schtasks.exe 356 schtasks.exe 1056 schtasks.exe 1980 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", 
\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\", \"C:\\driversessioncrt\\WmiPrvSE.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance 
Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" winRefMonitor.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro; in this report the unexpected parent is wmiprvse.exe, which is listed for each spawned schtasks.exe below.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 764 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1488 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2544 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 664 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 808 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 356 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2916 
schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1496 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1868 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 984 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1056 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 880 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3028 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2916 schtasks.exe 33 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2916 schtasks.exe 33 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe 
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe -
resource yara_rule behavioral1/files/0x0007000000014534-16.dat dcrat behavioral1/files/0x0007000000014534-17.dat dcrat behavioral1/files/0x0007000000014534-19.dat dcrat behavioral1/files/0x0007000000014534-18.dat dcrat behavioral1/memory/2600-20-0x0000000000900000-0x0000000000C6A000-memory.dmp dcrat behavioral1/files/0x0007000000014534-68.dat dcrat behavioral1/memory/1704-69-0x0000000000C70000-0x0000000000FDA000-memory.dmp dcrat behavioral1/files/0x00080000000149fb-74.dat dcrat behavioral1/files/0x0006000000016c58-104.dat dcrat behavioral1/files/0x0006000000016c58-105.dat dcrat behavioral1/memory/2608-106-0x0000000000180000-0x00000000004EA000-memory.dmp dcrat behavioral1/memory/2608-108-0x000000001AB90000-0x000000001AC10000-memory.dmp dcrat behavioral1/files/0x0006000000016c58-121.dat dcrat behavioral1/memory/1228-122-0x0000000000150000-0x00000000004BA000-memory.dmp dcrat behavioral1/memory/1228-124-0x000000001B3B0000-0x000000001B430000-memory.dmp dcrat behavioral1/files/0x000700000001561c-130.dat dcrat behavioral1/files/0x0006000000016c58-139.dat dcrat behavioral1/memory/1156-140-0x0000000001070000-0x00000000013DA000-memory.dmp dcrat behavioral1/files/0x000700000001561c-146.dat dcrat behavioral1/files/0x0006000000016c58-154.dat dcrat behavioral1/files/0x000700000001561c-160.dat dcrat behavioral1/files/0x0006000000016c58-168.dat dcrat behavioral1/files/0x000700000001561c-175.dat dcrat -
Disables Task Manager via registry modification
Executes dropped EXE 7 IoCs
pid Process 2600 winRefMonitor.exe 1704 winRefMonitor.exe 2608 WmiPrvSE.exe 1228 WmiPrvSE.exe 1156 WmiPrvSE.exe 2560 WmiPrvSE.exe 2508 WmiPrvSE.exe -
Loads dropped DLL 2 IoCs
pid Process 2672 cmd.exe 2672 cmd.exe -
Adds Run key to start application 2 TTPs 28 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" winRefMonitor.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" winRefMonitor.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" winRefMonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" winRefMonitor.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WmiPrvSE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3052 0924b9eca922c9227c4f426be5174bae.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 winRefMonitor.exe File created C:\Program Files\VideoLAN\VLC\lua\lsm.exe winRefMonitor.exe File created C:\Program Files\VideoLAN\VLC\lua\101b941d020240 winRefMonitor.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe winRefMonitor.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\lsm.exe winRefMonitor.exe File created C:\Windows\tracing\27d1bcfc3c54e0 winRefMonitor.exe File created C:\Windows\Logs\DPX\27d1bcfc3c54e0 winRefMonitor.exe File created C:\Windows\Resources\Themes\lsm.exe winRefMonitor.exe File created C:\Windows\Resources\Themes\101b941d020240 winRefMonitor.exe File created C:\Windows\tracing\System.exe winRefMonitor.exe File created C:\Windows\Logs\DPX\System.exe winRefMonitor.exe File created C:\Windows\PolicyDefinitions\ja-JP\System.exe winRefMonitor.exe File opened for modification C:\Windows\PolicyDefinitions\ja-JP\System.exe winRefMonitor.exe File created C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 winRefMonitor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with the connected storage and/or optical drive(s).
Creates scheduled task(s) 1 TTPs 42 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution.
pid Process 1092 schtasks.exe 1600 schtasks.exe 1996 schtasks.exe 2656 schtasks.exe 764 schtasks.exe 832 schtasks.exe 2948 schtasks.exe 1156 schtasks.exe 1056 schtasks.exe 2544 schtasks.exe 2852 schtasks.exe 1808 schtasks.exe 2232 schtasks.exe 1956 schtasks.exe 1512 schtasks.exe 984 schtasks.exe 3060 schtasks.exe 3028 schtasks.exe 2724 schtasks.exe 2144 schtasks.exe 2424 schtasks.exe 1256 schtasks.exe 2416 schtasks.exe 572 schtasks.exe 2092 schtasks.exe 2628 schtasks.exe 1440 schtasks.exe 1980 schtasks.exe 356 schtasks.exe 1868 schtasks.exe 1488 schtasks.exe 1936 schtasks.exe 808 schtasks.exe 1648 schtasks.exe 2164 schtasks.exe 880 schtasks.exe 1160 schtasks.exe 1240 schtasks.exe 1948 schtasks.exe 664 schtasks.exe 2320 schtasks.exe 1496 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2960 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2600 winRefMonitor.exe 2600 winRefMonitor.exe 2600 winRefMonitor.exe 1704 winRefMonitor.exe 1704 winRefMonitor.exe 1704 winRefMonitor.exe 1704 winRefMonitor.exe 1704 winRefMonitor.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe 2608 WmiPrvSE.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2600 winRefMonitor.exe Token: SeDebugPrivilege 1704 winRefMonitor.exe Token: SeDebugPrivilege 2608 WmiPrvSE.exe Token: SeDebugPrivilege 1228 WmiPrvSE.exe Token: SeDebugPrivilege 1156 WmiPrvSE.exe Token: SeDebugPrivilege 2560 WmiPrvSE.exe Token: SeDebugPrivilege 2508 WmiPrvSE.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3052 0924b9eca922c9227c4f426be5174bae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3052 wrote to memory of 3036 3052 0924b9eca922c9227c4f426be5174bae.exe 28
PID 3052 wrote to memory of 3036 3052 0924b9eca922c9227c4f426be5174bae.exe 28
PID 3052 wrote to memory of 3036 3052 0924b9eca922c9227c4f426be5174bae.exe 28
PID 3052 wrote to memory of 3036 3052 0924b9eca922c9227c4f426be5174bae.exe 28
PID 3052 wrote to memory of 2064 3052 0924b9eca922c9227c4f426be5174bae.exe 29
PID 3052 wrote to memory of 2064 3052 0924b9eca922c9227c4f426be5174bae.exe 29
PID 3052 wrote to memory of 2064 3052 0924b9eca922c9227c4f426be5174bae.exe 29
PID 3052 wrote to memory of 2064 3052 0924b9eca922c9227c4f426be5174bae.exe 29
PID 3036 wrote to memory of 2672 3036 WScript.exe 30
PID 3036 wrote to memory of 2672 3036 WScript.exe 30
PID 3036 wrote to memory of 2672 3036 WScript.exe 30
PID 3036 wrote to memory of 2672 3036 WScript.exe 30
PID 2672 wrote to memory of 2600 2672 cmd.exe 32
PID 2672 wrote to memory of 2600 2672 cmd.exe 32
PID 2672 wrote to memory of 2600 2672 cmd.exe 32
PID 2672 wrote to memory of 2600 2672 cmd.exe 32
PID 2600 wrote to memory of 2920 2600 winRefMonitor.exe 40
PID 2600 wrote to memory of 2920 2600 winRefMonitor.exe 40
PID 2600 wrote to memory of 2920 2600 winRefMonitor.exe 40
PID 2920 wrote to memory of 1628 2920 cmd.exe 42
PID 2920 wrote to memory of 1628 2920 cmd.exe 42
PID 2920 wrote to memory of 1628 2920 cmd.exe 42
PID 2672 wrote to memory of 2960 2672 cmd.exe 43
PID 2672 wrote to memory of 2960 2672 cmd.exe 43
PID 2672 wrote to memory of 2960 2672 cmd.exe 43
PID 2672 wrote to memory of 2960 2672 cmd.exe 43
PID 2920 wrote to memory of 1704 2920 cmd.exe 44
PID 2920 wrote to memory of 1704 2920 cmd.exe 44
PID 2920 wrote to memory of 1704 2920 cmd.exe 44
PID 1704 wrote to memory of 2708 1704 winRefMonitor.exe 81
PID 1704 wrote to memory of 2708 1704 winRefMonitor.exe 81
PID 1704 wrote to memory of 2708 1704 winRefMonitor.exe 81
PID 2708 wrote to memory of 2808 2708 cmd.exe 83
PID 2708 wrote to memory of 2808 2708 cmd.exe 83
PID 2708 wrote to memory of 2808 2708 cmd.exe 83
PID 2708 wrote to memory of 2608 2708 cmd.exe 84
PID 2708 wrote to memory of 2608 2708 cmd.exe 84
PID 2708 wrote to memory of 2608 2708 cmd.exe 84
PID 2608 wrote to memory of 2480 2608 WmiPrvSE.exe 86
PID 2608 wrote to memory of 2480 2608 WmiPrvSE.exe 86
PID 2608 wrote to memory of 2480 2608 WmiPrvSE.exe 86
PID 2608 wrote to memory of 2532 2608 WmiPrvSE.exe 85
PID 2608 wrote to memory of 2532 2608 WmiPrvSE.exe 85
PID 2608 wrote to memory of 2532 2608 WmiPrvSE.exe 85
PID 2480 wrote to memory of 1228 2480 WScript.exe 89
PID 2480 wrote to memory of 1228 2480 WScript.exe 89
PID 2480 wrote to memory of 1228 2480 WScript.exe 89
PID 1228 wrote to memory of 584 1228 WmiPrvSE.exe 91
PID 1228 wrote to memory of 584 1228 WmiPrvSE.exe 91
PID 1228 wrote to memory of 584 1228 WmiPrvSE.exe 91
PID 1228 wrote to memory of 1720 1228 WmiPrvSE.exe 90
PID 1228 wrote to memory of 1720 1228 WmiPrvSE.exe 90
PID 1228 wrote to memory of 1720 1228 WmiPrvSE.exe 90
PID 584 wrote to memory of 1156 584 WScript.exe 92
PID 584 wrote to memory of 1156 584 WScript.exe 92
PID 584 wrote to memory of 1156 584 WScript.exe 92
PID 1156 wrote to memory of 2132 1156 WmiPrvSE.exe 93
PID 1156 wrote to memory of 2132 1156 WmiPrvSE.exe 93
PID 1156 wrote to memory of 2132 1156 WmiPrvSE.exe 93
PID 1156 wrote to memory of 1056 1156 WmiPrvSE.exe 94
PID 1156 wrote to memory of 1056 1156 WmiPrvSE.exe 94
PID 1156 wrote to memory of 1056 1156 WmiPrvSE.exe 94
PID 2132 wrote to memory of 2560 2132 WScript.exe 95
PID 2132 wrote to memory of 2560 2132 WScript.exe 95
-
System policy modification — 1 TTP, 21 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winRefMonitor.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winRefMonitor.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winRefMonitor.exe
-
Uses Task Scheduler COM API — 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe — "C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe" (depth 1)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe" (depth 2)
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\cmd.exe — cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" " (depth 3)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\driversessioncrt\winRefMonitor.exe — "C:\driversessioncrt\winRefMonitor.exe" (depth 4)
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2600 -
C:\Windows\System32\cmd.exe — "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat" (depth 5)
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\w32tm.exe — w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 6) PID:1628
-
-
C:\driversessioncrt\winRefMonitor.exe — "C:\driversessioncrt\winRefMonitor.exe" (depth 6)
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704 -
C:\Windows\System32\cmd.exe — "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat" (depth 7)
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\system32\w32tm.exe — w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 8) PID:2808
-
-
C:\driversessioncrt\WmiPrvSE.exe — "C:\driversessioncrt\WmiPrvSE.exe" (depth 8)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2608 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs" (depth 9) PID:2532
-
-
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs" (depth 9)
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\driversessioncrt\WmiPrvSE.exe — C:\driversessioncrt\WmiPrvSE.exe (depth 10)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1228 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs" (depth 11) PID:1720
-
-
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs" (depth 11)
- Suspicious use of WriteProcessMemory
PID:584 -
C:\driversessioncrt\WmiPrvSE.exe — C:\driversessioncrt\WmiPrvSE.exe (depth 12)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1156 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs" (depth 13)
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\driversessioncrt\WmiPrvSE.exe — C:\driversessioncrt\WmiPrvSE.exe (depth 14)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2560 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs" (depth 15) PID:2136
-
C:\driversessioncrt\WmiPrvSE.exe — C:\driversessioncrt\WmiPrvSE.exe (depth 16)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2508 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs" (depth 17) PID:1436
-
-
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs" (depth 17) PID:2456
-
-
-
-
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs" (depth 15) PID:1920
-
-
-
-
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs" (depth 13) PID:1056
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f (depth 4)
- Modifies registry key
PID:2960
-
-
-
-
C:\Windows\SysWOW64\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs" (depth 2) PID:2064
-
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\audiodg.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\taskhost.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\System.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\System.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
708B
MD5 511ee97dc9e9de1a531bc3a6337e6680
SHA1 2b9ec24ca8b6435b6a715a5f7e7f6f8a4bca5c0c
SHA256 dfaa0931ae6e3bac5a769962a523f9029734c2ff5bf85d348ea269300029be58
SHA512 22d0fc3c89b54461fdd8e0ab1220368e7d9e154914624adda620699ccc1221671ff04b847a888db4d926a5b3eca957bbba3990d9c80037702fc36927b45690ef
-
Filesize
708B
MD5 0aec6349b4d56d44e28c77c8c5405463
SHA1 4556a90d3c5b6f0897a51504e1f01d1ec6c94dc4
SHA256 2661308329712c966dcb8d79036d4f9d67f6c3454142518921a6e34db21d0f5d
SHA512 e6ed17f22ff45c2d0387f112bcdc340ee51df16fb1e594eb2822083ba035332c9b1feb1f02ae8b7d474ca8dfa1fadf95834669e720ccab7dbd051fdecdf678e0
-
Filesize
202B
MD5 0bc99b36ffd928554df8059cdad89664
SHA1 3250fc8aecbfa46eb5f9e621daa123fc235e4fdd
SHA256 afd56dd8bc6fb82b10e83ccc91fb6403e5b6e4c1f2ac180152afe53e3606244d
SHA512 d0a97728914bdc6bd64056377e1ef654ab08dc92327f509a3f4d9e8a302987502c34262febdb4fca8ae7a0c1725258a9cadd0a25cd5db29d9d91dce1de7b8ae6
-
Filesize
708B
MD5 2b95c1c6867ffbe2930f9d719d56d416
SHA1 9e93ce929fa91d21836341c2dcbfb4553bd8cecd
SHA256 dfab9690789d887b9391c971424f5a823ffe72d8694d37713eb1e73f3aede646
SHA512 41ff5b2ee04e4e07cee4dbc7c2702e5bed9bfb2385dd06f02ed1833c87b33f67b1066ccba65e4c826292273f7e9a4ece19d0c998fcddbb209f432daaa29d0e86
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
708B
MD5 88137f82f4e244a665d2ccc03aacb609
SHA1 70b4c2dbcf3fd3eae9bfd9cbfdf9c13d4872116e
SHA256 83eb170234daf01456c7875f9c8e9f9f1349aea5c10ac872aab080b95bf3f699
SHA512 81424ae9c795fb2106384e16746d1c4701a4b6b2b8f79e522a458b6d9750232f6532e39887d949f23a1b816e9c37b7077a2052d5dffb374188194f7fce303208
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
708B
MD5 3ac74fe9a39410eddf94b58512e53818
SHA1 6b50a212f305ee9a36cf0cbd49c3409c6842d1e2
SHA256 81a10f3c0549fdd5f9e8a87fff6a3b6730089afc189679c0ec7594da2c39dee9
SHA512 bfae59ea84604a9f061137e52df1cb99971d6ff9404f8b4663c5147a8812c2c647ec6b8c0d77b5bcb48deb99c506aa2867aa27897abfebd287a4471966cbd0e5
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
484B
MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
-
Filesize
197B
MD5 58f7105be112bc3a14fdcb21145cd649
SHA1 608e43e9aa73e65e31003e492b874f8735fc9365
SHA256 6bf9d10f6e7f0dbd1318881e20bf34b98088a29e3c68a45350576e4be26a790c
SHA512 31cb23a1ad61955ce562148f71a3a9ef8d61a116722c7d32849a285a4cb6cab41351e43afdd03b87ad5241134440ebd62494e8cf55bb3316455eca26fdfd5950
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
151B
MD5 40a5023d150998b4ba256dd94ea31230
SHA1 36702bfd3e71b3495e61ea589003bb856b959aca
SHA256 e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA512 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
34B
MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
223B
MD5 d7664d494b1b6e05334ada9accc57d06
SHA1 2cc50d284a600e30287fdef5efe56a586199eb28
SHA256 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA512 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44