Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-05-2024 20:58
Behavioral task: behavioral1
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win10v2004-20240226-en
General
Target: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Size: 3.7MB
MD5: 3aff466445051bd93a7ea3ae519587ef
SHA1: 516c1e9da912f6d988146fb812d88bdc7b30588a
SHA256: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA512: 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
SSDEEP: 49152:UbA30nPNSHQAjwNVYyHycT6JYRAwWPScqhWtkOTwol8FxMQFQnSMvTklif/:UbhwTNJytcqgtkzoEOSMvTwif/
Malware Config
Signatures
DcRat 53 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 17 IoCs
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: intobroker.exe, services.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (intobroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (intobroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (intobroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (services.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (services.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (services.exe)
Processes:
- resource \Bridgeserverintocommon\intobroker.exe: yara_rule dcrat
- resource behavioral1/memory/2672-18-0x00000000009F0000-0x0000000000D58000-memory.dmp: yara_rule dcrat
- resource behavioral1/memory/2708-92-0x0000000000D80000-0x00000000010E8000-memory.dmp: yara_rule dcrat
Detects executables packed with SmartAssembly 8 IoCs
Processes:
- resource behavioral1/memory/2672-24-0x0000000002380000-0x0000000002390000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-31-0x000000001AB70000-0x000000001AB7A000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-38-0x000000001B190000-0x000000001B19C000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-41-0x000000001B1C0000-0x000000001B1CC000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-43-0x000000001B1D0000-0x000000001B1DC000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-44-0x000000001B2F0000-0x000000001B2FA000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-49-0x000000001B340000-0x000000001B34C000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
- resource behavioral1/memory/2672-51-0x000000001B560000-0x000000001B56A000-memory.dmp: yara_rule INDICATOR_EXE_Packed_SmartAssembly
Executes dropped EXE 2 IoCs
Processes: intobroker.exe, services.exe
- pid 2672: intobroker.exe
- pid 2708: services.exe
Loads dropped DLL 2 IoCs
Processes: cmd.exe
- pid 2688: cmd.exe
- pid 2688: cmd.exe
Adds Run key to start application 2 TTPs 34 IoCs
Processes: intobroker.exe, services.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (intobroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (intobroker.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (services.exe)
Drops file in Program Files directory 15 IoCs
Processes: intobroker.exe
- File created C:\Program Files\Windows Journal\Templates\886983d96e3d3e (intobroker.exe)
- File created C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe (intobroker.exe)
- File created C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc (intobroker.exe)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe (intobroker.exe)
- File created C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe (intobroker.exe)
- File created C:\Program Files\Windows Journal\Templates\csrss.exe (intobroker.exe)
- File created C:\Program Files\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0 (intobroker.exe)
- File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72 (intobroker.exe)
- File created C:\Program Files\Microsoft Games\Chess\intobroker.exe (intobroker.exe)
- File created C:\Program Files (x86)\Adobe\Reader 9.0\56085415360792 (intobroker.exe)
- File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe (intobroker.exe)
- File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe (intobroker.exe)
- File created C:\Program Files\Microsoft Games\Chess\dcdb6905e4a371 (intobroker.exe)
- File created C:\Program Files (x86)\Windows Portable Devices\services.exe (intobroker.exe)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d (intobroker.exe)
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Media\Afternoon\817c8c8ec737a7 | intobroker.exe
File created | C:\Windows\Fonts\wininit.exe | intobroker.exe
File created | C:\Windows\Fonts\56085415360792 | intobroker.exe
File created | C:\Windows\PLA\Templates\services.exe | intobroker.exe
File created | C:\Windows\PLA\Templates\c5b4cb5e9653cc | intobroker.exe
File created | C:\Windows\Media\Afternoon\wscript.exe | intobroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
51 instances of schtasks.exe, pids: 2132, 2004, 584, 2204, 900, 1088, 1312, 2164, 2908, 2524, 692, 908, 832, 2556, 1592, 2420, 2160, 1988, 2320, 2348, 1848, 1724, 892, 2560, 860, 2396, 752, 2836, 2144, 1672, 2440, 2544, 2552, 2972, 984, 2288, 2020, 1772, 744, 2296, 904, 1556, 2364, 1876, 1576, 1940, 2712, 2904, 2256, 2864, 2776
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (the 64 entries repeat these two pid/process pairs)
2672 | intobroker.exe
2708 | services.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2708 | services.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2672 | intobroker.exe
Token: SeDebugPrivilege | 2708 | services.exe
Token: SeBackupPrivilege | 1604 | vssvc.exe
Token: SeRestorePrivilege | 1604 | vssvc.exe
Token: SeAuditPrivilege | 1604 | vssvc.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process
PID 2172 wrote to memory of 1060 | 2172 | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe | WScript.exe (4 entries)
PID 2172 wrote to memory of 2760 | 2172 | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe | WScript.exe (4 entries)
PID 1060 wrote to memory of 2688 | 1060 | WScript.exe | cmd.exe (4 entries)
PID 2688 wrote to memory of 2672 | 2688 | cmd.exe | intobroker.exe (4 entries)
PID 2672 wrote to memory of 2708 | 2672 | intobroker.exe | services.exe (3 entries)
PID 2708 wrote to memory of 2888 | 2708 | services.exe | WScript.exe (3 entries)
PID 2708 wrote to memory of 1824 | 2708 | services.exe | WScript.exe (3 entries)
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows parent/child depth; each entry gives image path, PID, command line and the signatures it triggered):

- C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe (PID 2172)
  command line: "C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 1060)
    command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2688)
      command line: cmd /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Bridgeserverintocommon\intobroker.exe (PID 2672)
        command line: "C:\Bridgeserverintocommon\intobroker.exe"
        signatures: DcRat; Modifies WinLogon for persistence; UAC bypass; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Windows\PLA\Templates\services.exe (PID 2708)
          command line: "C:\Windows\PLA\Templates\services.exe"
          signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
          - C:\Windows\System32\WScript.exe (PID 2888)
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed83a9bb-53f3-4788-944a-770ff34ac20c.vbs"
          - C:\Windows\System32\WScript.exe (PID 1824)
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8e1f47-810e-42c7-8afb-87a7af23927e.vbs"
  - C:\Windows\SysWOW64\WScript.exe (PID 2760)
    command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"

The following 51 top-level C:\Windows\system32\schtasks.exe processes each triggered the same signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s).

- schtasks.exe (PID 2864)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
- schtasks.exe (PID 2904)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2908)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2712)
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f
- schtasks.exe (PID 744)
  command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1876)
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1672)
  command line: schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /f
- schtasks.exe (PID 1988)
  command line: schtasks.exe /create /tn "intobroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2524)
  command line: schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2776)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
- schtasks.exe (PID 2836)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 692)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 908)
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
- schtasks.exe (PID 1592)
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
- schtasks.exe (PID 752)
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1772)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /f
- schtasks.exe (PID 2560)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2004)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2420)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /f
- schtasks.exe (PID 2020)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 584)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2972)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\services.exe'" /f
- schtasks.exe (PID 2552)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2204)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 900)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
- schtasks.exe (PID 1576)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2296)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2320)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
- schtasks.exe (PID 2348)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 984)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1848)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
- schtasks.exe (PID 1088)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1940)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1724)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- schtasks.exe (PID 904)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1312)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 832)
  command line: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /f
- schtasks.exe (PID 2144)
  command line: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f
- schtasks.exe (PID 860)
  command line: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2396)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\wininit.exe'" /f
- schtasks.exe (PID 2256)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 892)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2440)
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /f
- schtasks.exe (PID 2164)
  command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f
- schtasks.exe (PID 1556)
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2364)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
- schtasks.exe (PID 2132)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2556)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2288)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /f
- schtasks.exe (PID 2160)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
- schtasks.exe (PID 2544)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f

Other top-level processes:

- C:\Windows\system32\vssvc.exe (PID 1604)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 1504)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)