Analysis
max time kernel: 154s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2023, 01:02
Behavioral task behavioral1
  Sample: 0924b9eca922c9227c4f426be5174bae.exe
  Resource: win7-20231130-en
Behavioral task behavioral2
  Sample: 0924b9eca922c9227c4f426be5174bae.exe
  Resource: win10v2004-20231127-en
General
Target: 0924b9eca922c9227c4f426be5174bae.exe
Size: 4.8MB
MD5: 0924b9eca922c9227c4f426be5174bae
SHA1: 8d2abdecd0fc744ee836d75ad5c3b52585d8041f
SHA256: e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
SHA512: 47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2
SSDEEP: 49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/
Malware Config
Signatures
DcRat 29 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  schtasks.exe processes (pid): 3936, 4716, 3348, 1608, 1316, 3964, 1616, 2068, 1564, 2944, 3316, 1892, 4212, 2544, 2528, 1960, 1676, 2288, 708, 1744, 1292, 560, 396, 2892, 2432, 3640, 1820
  File created: C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6 (winRefMonitor.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation (0924b9eca922c9227c4f426be5174bae.exe)
Modifies WinLogon for persistence 2 TTPs 9 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by winRefMonitor.exe
  Nine writes to this value are recorded; their data are successive prefixes of one another (one more path per write), the longest being:
    explorer.exe,
    "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe",
    "C:\Recovery\WindowsRE\Registry.exe",
    "C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe",
    "C:\Recovery\WindowsRE\smss.exe",
    "C:\odt\dllhost.exe",
    "C:\odt\explorer.exe",
    "C:\Users\Default\Saved Games\spoolsv.exe",
    "C:\Program Files\Windows Defender\de-DE\wininit.exe",
    "C:\Program Files\Uninstall Information\dwm.exe"
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (same for all 27 rows)
  Every row has pid_target 1064, Process schtasks.exe and procid_target 97; the pid column values are:
    2068, 3936, 560, 4716, 4212, 1960, 3348, 1292, 3964, 1564, 2944, 2432, 1608, 1616, 708, 1892, 2544, 1676, 2288, 1820, 1744, 396, 2528, 2892, 3316, 3640, 1316
  description      ioc                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   conhost.exe (12 rows), winRefMonitor.exe (1 row)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe (12 rows), winRefMonitor.exe (1 row)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       conhost.exe (12 rows), winRefMonitor.exe (1 row)
  (39 rows in total)
  yara_rule dcrat matched each of the following resources:
    behavioral2/files/0x00070000000231f5-17.dat
    behavioral2/files/0x00070000000231f5-18.dat
    behavioral2/memory/408-19-0x00000000008A0000-0x0000000000C0A000-memory.dmp
    behavioral2/files/0x0008000000023215-61.dat
    behavioral2/files/0x000c000000023202-86.dat
    behavioral2/files/0x000c000000023202-85.dat
    behavioral2/files/0x000c000000023202-104.dat
    behavioral2/files/0x0006000000023242-113.dat
    behavioral2/files/0x000c000000023202-121.dat
    behavioral2/files/0x0006000000023242-127.dat
    behavioral2/files/0x000c000000023202-135.dat
    behavioral2/files/0x0006000000023242-142.dat
    behavioral2/files/0x000c000000023202-150.dat
    behavioral2/files/0x0006000000023242-156.dat
    behavioral2/files/0x000c000000023202-164.dat
    behavioral2/files/0x0006000000023242-171.dat
    behavioral2/files/0x000c000000023202-179.dat
    behavioral2/files/0x0006000000023242-185.dat
    behavioral2/files/0x000c000000023202-193.dat
    behavioral2/files/0x0006000000023242-199.dat
    behavioral2/files/0x000c000000023202-207.dat
    behavioral2/files/0x0006000000023242-212.dat
    behavioral2/files/0x000c000000023202-220.dat
    behavioral2/files/0x0006000000023242-227.dat
    behavioral2/files/0x000c000000023202-235.dat
    behavioral2/files/0x0006000000023242-241.dat
    behavioral2/files/0x000c000000023202-249.dat
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation by:
    conhost.exe (11 rows), winRefMonitor.exe (1 row), WScript.exe (1 row), 0924b9eca922c9227c4f426be5174bae.exe (1 row)
Executes dropped EXE 13 IoCs
  pid   Process
  408   winRefMonitor.exe
  conhost.exe with pid 860, 1748, 4852, 3892, 1660, 4840, 4460, 752, 4404, 2860, 1048, 4948
Adds Run key to start application 2 TTPs 18 IoCs
  Process winRefMonitor.exe set each of the following values (str) twice, once under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and once under \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    dllhost     = "C:\odt\dllhost.exe"
    spoolsv     = "C:\Users\Default\Saved Games\spoolsv.exe"
    wininit     = "C:\Program Files\Windows Defender\de-DE\wininit.exe"
    smss        = "C:\Recovery\WindowsRE\smss.exe"
    fontdrvhost = "C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe"
    explorer    = "C:\odt\explorer.exe"
    dwm         = "C:\Program Files\Uninstall Information\dwm.exe"
    Registry    = "C:\Recovery\WindowsRE\Registry.exe"
    conhost     = "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        conhost.exe (12 rows), winRefMonitor.exe (1 row)
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe (12 rows), winRefMonitor.exe (1 row)
  (26 rows in total)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid 2956  0924b9eca922c9227c4f426be5174bae.exe
Drops file in Program Files directory 10 IoCs
  All rows: Process winRefMonitor.exe
  File created                C:\Program Files\Uninstall Information\6cb0b6c459d5d3
  File created                C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  File created                C:\Program Files\Windows Defender\de-DE\56085415360792
  File created                C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6
  File created                C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe
  File created                C:\Program Files\Windows NT\Accessories\en-US\5b884080fd4f94
  File created                C:\Program Files\Windows Defender\de-DE\wininit.exe
  File created                C:\Program Files\Uninstall Information\dwm.exe
  File created                C:\Program Files\ModifiableWindowsApps\Registry.exe
  File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe processes (pid): 1744, 4716, 3348, 2944, 1616, 1676, 1820, 4212, 3316, 1564, 708, 2288, 2892, 1892, 2068, 560, 2544, 396, 3936, 1960, 2432, 2528, 3640, 1316, 1292, 3964, 1608
Modifies registry class 12 IoCs
  Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings by:
    conhost.exe (11 rows), 0924b9eca922c9227c4f426be5174bae.exe (1 row)
Modifies registry key 1 TTPs 1 IoCs
  pid 4516  reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  408   winRefMonitor.exe (16 rows)
  860   conhost.exe (48 rows)
Suspicious use of AdjustPrivilegeToken 13 IoCs
  Token: SeDebugPrivilege
  pid 408   winRefMonitor.exe
  conhost.exe with pid 860, 1748, 4852, 3892, 1660, 4840, 4460, 752, 4404, 2860, 1048, 4948
Suspicious use of SetWindowsHookEx 1 IoCs
  pid 2956  0924b9eca922c9227c4f426be5174bae.exe
Suspicious use of WriteProcessMemory 64 IoCs
  PID   wrote to memory of   Process                               procid_target   rows
  2956  4020                 0924b9eca922c9227c4f426be5174bae.exe  87              3
  2956  2068                 0924b9eca922c9227c4f426be5174bae.exe  89              3
  4020  4164                 WScript.exe                           103             3
  4164  408                  cmd.exe                               105             2
  408   860                  winRefMonitor.exe                     134             2
  4164  4516                 cmd.exe                               135             3
  860   4640                 conhost.exe                           137             2
  860   2112                 conhost.exe                           138             2
  4640  1748                 WScript.exe                           140             2
  1748  376                  conhost.exe                           141             2
  1748  840                  conhost.exe                           142             2
  376   4852                 WScript.exe                           144             2
  4852  3052                 conhost.exe                           145             2
  4852  2056                 conhost.exe                           146             2
  3052  3892                 WScript.exe                           147             2
  3892  4044                 conhost.exe                           148             2
  3892  2980                 conhost.exe                           149             2
  4044  1660                 WScript.exe                           150             2
  1660  4060                 conhost.exe                           152             2
  1660  484                  conhost.exe                           153             2
  4060  4840                 WScript.exe                           154             2
  4840  3716                 conhost.exe                           155             2
  4840  808                  conhost.exe                           156             2
  3716  4460                 WScript.exe                           157             2
  4460  4280                 conhost.exe                           158             2
  4460  4052                 conhost.exe                           159             2
  4280  752                  WScript.exe                           163             2
  752   1244                 conhost.exe                           164             2
  752   4428                 conhost.exe                           165             2
  1244  4404                 WScript.exe                           166             2
System policy modification 1 TTPs 39 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  winRefMonitor.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  winRefMonitor.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  winRefMonitor.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  conhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry gives the image path, its command line, the signatures it triggered and its PID; [depth N] is the process's depth in the tree, so an entry at depth N is a child of the nearest preceding entry at depth N-1)

[depth 1] C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
  command: "C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
  - DcRat
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2956

[depth 2] C:\Windows\SysWOW64\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4020

[depth 3] C:\Windows\SysWOW64\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4164

[depth 4] C:\driversessioncrt\winRefMonitor.exe
  command: "C:\driversessioncrt\winRefMonitor.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 408

[depth 5] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 860

[depth 6] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c27bbc71-6775-4ee3-b607-e84b32aee802.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 4640

[depth 7] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1748

[depth 8] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c4cd8d-5d6d-49ad-b0b6-52c857eb6ea0.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 376

[depth 9] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4852

[depth 10] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6456acd-8ee4-40f0-addb-79668c1996a8.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 3052

[depth 11] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3892

[depth 12] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4776bb40-6d7d-44cd-9e4a-4dcdb921d473.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 4044

[depth 13] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1660

[depth 14] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\184d4178-ba22-4563-a801-e33d6a7c8ad6.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 4060

[depth 15] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4840

[depth 16] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3db136-1657-4ca0-8b00-ae6796820123.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 3716

[depth 17] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4460

[depth 18] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec08751-b681-4bac-b1a8-e4999c98d8a1.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 4280

[depth 19] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 752

[depth 20] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ec852f-af23-4b1c-ac53-2bdedec689fc.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1244

[depth 21] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 4404

[depth 22] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb0f8bc6-5270-4044-9174-c7fe08174d44.vbs"
  PID: 4756

[depth 23] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 2860

[depth 24] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd89738d-0af5-4f1d-a4a5-792869bf4983.vbs"
  PID: 2724

[depth 25] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 1048

[depth 26] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8188d727-d87d-46f7-977a-3e813f00fb3b.vbs"
  PID: 224

[depth 27] C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
  command: "C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 4948

[depth 26] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\119fbecb-e36d-415d-af22-f4a47140160a.vbs"
  PID: 4908

[depth 24] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fed986-2aac-4175-ae87-4e2519289131.vbs"
  PID: 4624

[depth 22] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3513ed5e-cc76-41ce-a2f3-c6f08a8c2a80.vbs"
  PID: 3968

[depth 20] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7844476-8e4e-4b7e-bc3f-79454c661585.vbs"
  PID: 4428

[depth 18] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38beff78-6db4-4ad3-ae73-da695f383ddd.vbs"
  PID: 4052

[depth 16] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764ef9f6-e6cf-4189-b8ee-7d7c7994f828.vbs"
  PID: 808

[depth 14] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cce3b71-ce66-4372-94be-b5aebb138519.vbs"
  PID: 484

[depth 12] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e34886-9c93-4c6e-b82f-34be045332b1.vbs"
  PID: 2980

[depth 10] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090a44c2-b0f8-4bf4-9980-3d2ed75a7616.vbs"
  PID: 2056

[depth 8] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05b7c832-2497-4d0e-8a5c-20f59396a5f1.vbs"
  PID: 840

[depth 6] C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac64032d-c22d-4c37-9054-5ed1672efd3c.vbs"
  PID: 2112

[depth 4] C:\Windows\SysWOW64\reg.exe
  command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - Modifies registry key
  PID: 4516

[depth 2] C:\Windows\SysWOW64\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
  PID: 2068

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2068

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3936

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 560

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4716

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4212

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1960

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3348

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1292

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3964

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1564

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2944

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2432

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1608

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1616

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 708

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1892

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2544

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1676

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2288

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1820

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1744

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 396

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2528

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2892

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3316

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3640

[depth 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1316
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
515B
MD518286ed6e5cde0d765057ca3a580182a
SHA19a837e37d932ea7158cacbffe68c91161b73938f
SHA2569c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b
SHA5124fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7
-
Filesize
515B
MD518286ed6e5cde0d765057ca3a580182a
SHA19a837e37d932ea7158cacbffe68c91161b73938f
SHA2569c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b
SHA5124fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7
-
Filesize
739B
MD59deb15d3a1262b993c5d772b4bce8af8
SHA101a0698501643eec4e21e1e8eef49e482b07f463
SHA256614eeb4b1e7ec3e81c7059fbb063f82014272f0a5fa6450395c0c4eaf6205486
SHA512be7523016dd183615a7c5090bc5d8e7fdd3a98d1cfee2cc482e40c5dc42389f1981ea15c1701e2b0a812749d81741f62e4f0fe69fbe511c57122c7934482028c
-
Filesize
738B
MD5b88d4a3a4b740de33743386189d5158f
SHA18052965de2ac17880fea574168469991027fb252
SHA2568cbefb3f2ec86e130b27011934fdb8d9133f54f5fb97f6c4c0ecf412980440af
SHA51298200cd454719e905d9bc89472e5eac7c6a49d2446ccd4476ee8359df28e6385929784a8b7bbadb36e63a3e7957ef152eee4a211ad18808744c3a5c9141403a0
-
Filesize
739B
MD53331e33efbba06546fe247e8ca8a9fd4
SHA15a1a168c8341965ff0f135af8f0e7ccf15b875a9
SHA256ca1866b0ca3e88ac1a094e8c50385c3e3bf98089b6e274eca848728bdd0a0fe2
SHA512da73510a632e6000b209cf6e3bde7a891009c19db0465003afc287a4c94a1f9ca5ab6f57d49f695188a7ab13ccc0f76f6afa6df18f856eb32da7aa72e7e0807d
-
Filesize
739B
MD5bddb590cb06ef3328367070b291c5371
SHA17111891a457e0c78c45000e78f97355dc1bf380c
SHA256a4eb43a315adc89e7fc602551590acebcddbc4e21cb8ec462dbc2e6b2661d04d
SHA5120db89f0642e14dd2b7df5f82602164bc4ce019e19eec3797364b74c5cdf223bf0f5446b96d399964fd90326ec53e4ce1992608f6c8dbf8205aa399b6b71dc59d
-
Filesize
739B
MD5c1299601ab47b8eebf141377a418aafa
SHA1b21e99c9650380f5d0f8fea0a0bbc70e73a52a70
SHA25654c0d8f804324b316adf4bf166e142367097729b91abdb60bae8e5a1303c953f
SHA51275c0860a972205294a53f04dcae72db38e294efe76e17a2932fa817e0dedb47cd02ec346f999887451ee9e158d2993efc56f81fe965219897ee8d3b7b224fc9f
-
Filesize
151B
MD540a5023d150998b4ba256dd94ea31230
SHA136702bfd3e71b3495e61ea589003bb856b959aca
SHA256e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA5126deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
223B
MD5d7664d494b1b6e05334ada9accc57d06
SHA12cc50d284a600e30287fdef5efe56a586199eb28
SHA256531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA5127e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44