Analysis
max time kernel: 26s
max time network: 26s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 13:04
Behavioral task behavioral1: sample c830d62f6f45993891816dee47dee340N.exe, resource win7-20240708-en
Behavioral task behavioral2: sample c830d62f6f45993891816dee47dee340N.exe, resource win10v2004-20240709-en
General
Target: c830d62f6f45993891816dee47dee340N.exe
Size: 1.7MB
MD5: c830d62f6f45993891816dee47dee340
SHA1: 4284963ed30b687ccd47a2d69e6809e4290f0c78
SHA256: 2338d4f0154b4295202b61eafb9c5e457112de784325f6fc38a587be668024e3
SHA512: d7870eca65c6b6b25b3f7dd788414afd64c075db9bdd1d8b099e932ab571449fe20126d5bde0bd3aaebd2c10ac4160c6ffee1899d8b2b37874f0a996af886fdc
SSDEEP: 24576:mwtlgjpoyMl1W9Rl/3XF9R95g9f53Lv+6gJUHGHhuf9QkGuW+4HcWb1JB4nS:BtyotW9RN+f53i1JUHG4xGuDkcY1JB
Malware Config
Signatures
DcRat 43 IoCs
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes:
- schtasks.exe (42 instances), PIDs: 1040, 2752, 1660, 1936, 1508, 2972, 2192, 988, 608, 1856, 2708, 1336, 1044, 2944, 396, 1960, 952, 2764, 264, 468, 2984, 1432, 1056, 1536, 796, 1968, 2864, 2620, 2232, 2012, 956, 2796, 2644, 1480, 2348, 2148, 3008, 2884, 2096, 2640, 672, 2908
- c830d62f6f45993891816dee47dee340N.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
Modifies WinLogon for persistence 2 TTPs 14 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written 14 times. Every write re-sets the value to explorer.exe followed by the quoted paths below, one more path per write, so the 14 observed values are the first 1, 2, ... 14 entries of this list (the report lists the writes out of chronological order; the values are shown here unescaped, as stored in the registry):
  1. "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe"
  2. "C:\Program Files\Reference Assemblies\winlogon.exe"
  3. "C:\Program Files\Microsoft Games\wininit.exe"
  4. "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe"
  5. "C:\Users\Public\Desktop\csrss.exe"
  6. "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe"
  7. "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"
  8. "C:\Users\Default User\csrss.exe"
  9. "C:\Users\Default User\Idle.exe"
  10. "C:\Windows\PLA\dllhost.exe"
  11. "C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe"
  12. "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
  13. "C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe"
  14. "C:\Windows\Registration\CRMLog\sppsvc.exe"
  Final value: explorer.exe followed by all 14 quoted paths, comma-separated.
Why it matters: Winlogon treats Shell as a comma-separated list and starts every entry as a shell at each interactive logon, so all 14 copies launch alongside explorer.exe. The file names imitate Windows system binaries (csrss, winlogon, wininit, services, dllhost, sppsvc, WmiPrvSE) but the paths are application, recovery and user-profile directories, none of which is where those binaries live. On a clean system this value is exactly "explorer.exe"; anything else is a finding.
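The check a responder would run against the Shell value above, written as an added example (this is not code from the sandbox or from the sample): split the value the way Winlogon does, then flag every entry that is not the stock explorer.exe, calling out entries whose file name is a Windows system binary but whose directory is not a system directory. The sample value is constructed from a shortened form of the final value in the report; the list of system binary names is an assumption for the example.

```python
from __future__ import annotations

import csv
import ntpath

# Stock content of HKLM\...\Winlogon\Shell; anything appended to it is a persistence entry.
DEFAULT_SHELL = "explorer.exe"

# Windows binaries that legitimately live only in the system directories (assumed list).
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "winlogon.exe", "wininit.exe", "services.exe", "dllhost.exe",
    "sppsvc.exe", "osppsvc.exe", "wmiprvse.exe", "explorer.exe", "idle.exe",
}
# Directories compared by exact match (a prefix match would whitelist C:\Windows\PLA).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample: the value as stored in the registry (the report shows it JSON-escaped),
# shortened to four of the fourteen paths the sample appends.
SAMPLE_SHELL_VALUE = (
    'explorer.exe, '
    '"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe", '
    '"C:\\Program Files\\Reference Assemblies\\winlogon.exe", '
    '"C:\\Users\\Public\\Desktop\\csrss.exe", '
    '"C:\\Windows\\Registration\\CRMLog\\sppsvc.exe"'
)


def parse_shell_value(value: str) -> list[str]:
    """Split the comma-separated Shell list, honouring double-quoted paths."""
    if not value.strip():
        return []
    # csv splits on commas outside quotes; backslashes stay literal (no escapechar).
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in one of the Windows system directories."""
    return ntpath.normcase(ntpath.dirname(path)) in SYSTEM_DIRS


def audit_shell_value(value: str) -> list[tuple[str, str]]:
    """Return (entry, reason) for every entry that is not the stock shell."""
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() == DEFAULT_SHELL:
            continue  # the stock value; Winlogon resolves it from the Windows directory
        name = ntpath.basename(entry).lower()
        if name in SYSTEM_BINARY_NAMES and not in_system_dir(entry):
            findings.append((entry, f"{name} masquerading as a system binary outside the system directories"))
        else:
            findings.append((entry, "non-default Winlogon shell entry"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_shell_value(SAMPLE_SHELL_VALUE):
        print(f"{reason}: {entry}")
```

The same split works for the Userinit value next to Shell, which is the other comma-separated Winlogon list attackers append to; feed it the same function and treat anything other than the stock userinit.exe path as a finding.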
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host: a process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, so this pattern is equally consistent with the sample registering its scheduled tasks via WMI, which hides the real originator behind PID 2444. Correlate by time and by the schtasks command lines rather than by parent alone.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2444) is not expected to spawn this process: schtasks.exe, 42 times. Child PIDs: 2796, 2864, 2752, 3008, 1968, 2884, 2620, 2764, 2708, 2644, 1660, 2640, 2232, 672, 1936, 1336, 1480, 264, 1044, 2096, 2012, 468, 2348, 1056, 1508, 2908, 2944, 2984, 1432, 2192, 2148, 2972, 1536, 956, 796, 1960, 396, 952, 1040, 988, 608, 1856
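The parent/child rule behind this signature, plus a burst rule for the 42 schtasks launches, as an added example run over constructed process-creation events (not the sandbox's own detection code). PIDs 2104 and 2444 and the schtasks and powershell PIDs are taken from the report; the parent PIDs, the svchost and taskhost rows and the sample's on-disk path are assumptions. Parents are resolved in creation order so that a PID Windows reuses later in the run (the report lists 2796 as both a powershell.exe and a schtasks.exe) maps to the right image for each child.

```python
from __future__ import annotations

import ntpath
from collections import Counter

# Parent/child image pairs with no routine reason to occur. A process created through WMI
# (Win32_Process.Create) is parented by WmiPrvSE.exe, which hides the originator; that is
# exactly why these pairs deserve an alert. The set is an assumption for the example.
UNEXPECTED_PAIRS = {
    ("wmiprvse.exe", "schtasks.exe"),
    ("wmiprvse.exe", "cmd.exe"),
    ("wmiprvse.exe", "powershell.exe"),
}

# Constructed process-creation events in creation order (pid, ppid, image path).
SAMPLE_EVENTS = [
    {"pid": 620, "ppid": 500, "image": r"C:\Windows\system32\svchost.exe"},            # assumed
    {"pid": 2444, "ppid": 620, "image": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 2104, "ppid": 1340,                                                       # path assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"},
    {"pid": 2608, "ppid": 2104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 2628, "ppid": 2104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    *({"pid": p, "ppid": 2444, "image": r"C:\Windows\system32\schtasks.exe"}
      for p in (2864, 2752, 3008, 1968, 2884, 2764)),
    {"pid": 1500, "ppid": 620, "image": r"C:\Windows\system32\taskhost.exe"},          # benign, assumed
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, for case-insensitive comparisons."""
    return ntpath.basename(path).lower()


def resolve_parents(events):
    """Yield (event, parent_image) with the parent resolved as it was at creation time.

    The pid->image table is updated as processes appear, so a reused PID resolves to the
    process that actually held it when the child was created.
    """
    live: dict[int, str] = {}
    for ev in events:
        parent = live.get(ev["ppid"])
        live[ev["pid"]] = ev["image"]
        yield ev, parent


def find_unexpected_children(events) -> list[dict]:
    """Every creation whose (parent image, child image) pair is in UNEXPECTED_PAIRS."""
    hits = []
    for ev, parent in resolve_parents(events):
        if parent is None:
            continue  # parent started before our telemetry; nothing to compare against
        if (image_name(parent), image_name(ev["image"])) in UNEXPECTED_PAIRS:
            hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "parent": parent, "image": ev["image"]})
    return hits


def find_schtasks_bursts(events, threshold: int = 5) -> dict[int, int]:
    """Parents that launched schtasks.exe at least `threshold` times (the sample does it 42 times)."""
    counts = Counter(ev["ppid"] for ev in events if image_name(ev["image"]) == "schtasks.exe")
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_unexpected_children(SAMPLE_EVENTS):
        print(f"unexpected child: {hit['parent']} ({hit['ppid']}) -> {hit['image']} ({hit['pid']})")
    print("schtasks bursts:", find_schtasks_bursts(SAMPLE_EVENTS))
```

The powershell.exe children of the sample itself are not flagged by the pair rule because the sample is an unknown binary, not a known host process; they are caught by the Defender-exclusion signature further down, which keys on the command line rather than on the parent.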
YARA matches (rule dcrat):
- behavioral1/memory/2104-1-0x00000000012D0000-0x0000000001482000-memory.dmp
- C:\Users\Public\Desktop\csrss.exe
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCXC3B3.tmp
- C:\Windows\Registration\CRMLog\sppsvc.exe
- C:\Users\Public\Desktop\csrss.exe (matched a second time)
- behavioral1/memory/2904-153-0x00000000012F0000-0x00000000014A2000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- powershell.exe (15 instances), PIDs: 484, 2796, 2608, 2236, 1880, 2620, 2628, 2752, 2632, 2720, 2808, 540, 1596, 1172, 2204
Drops file in Drivers directory 1 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
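The report records only that the hosts file was opened for writing, not what was written, so the follow-up on an infected host is to diff the file against the stock one. The added example below (not from the report or the sample) parses a hosts file the way the resolver does, comments and multi-name lines included, and flags every mapping that is not a stock loopback entry: watchlisted update and AV domains first, then any other name sent to loopback or 0.0.0.0, then static overrides to routable addresses. The hosts content and the watchlist are constructed for the example.

```python
from __future__ import annotations

import ipaddress

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Domains whose override almost always means update or AV blocking. The list is an
# assumption for this example; fill it with the endpoints your fleet depends on.
WATCHLIST_SUFFIXES = ("microsoft.com", "windowsupdate.com", "virustotal.com", "avast.com", "kaspersky.com")

# Constructed hosts file: the stock Windows header, one stock entry, three tampered lines
# and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#     127.0.0.1       localhost
#     ::1             localhost
127.0.0.1 localhost
0.0.0.0 www.virustotal.com      # blackholed
127.0.0.1 update.microsoft.com download.windowsupdate.com
198.51.100.7 login.example-bank.test
not-an-ip some.host
"""


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping; comments and blanks are skipped.

    One line may carry several names; an inline '# ...' comment is stripped first. Lines
    whose first token is not an IP address are ignored, as the resolver ignores them.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        mappings.extend((lineno, ip, name.lower()) for name in names)
    return mappings


def is_watchlisted(host: str) -> bool:
    """Exact or subdomain match against WATCHLIST_SUFFIXES (evilmicrosoft.com does not match)."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def audit_hosts(text: str) -> list[dict]:
    """Flag every mapping that is not a stock loopback entry, with a reason."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if is_watchlisted(host):
            reason = "watchlisted domain overridden"
        elif addr.is_loopback or addr.is_unspecified:
            reason = "non-local name blackholed to loopback/0.0.0.0"
        else:
            reason = "static override to a routable address"
        findings.append({"line": lineno, "ip": ip, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} {f['host']}: {f['reason']}")
```

Run it against the file read from C:\Windows\System32\drivers\etc\hosts on the affected machine; an empty result means the file still matches the stock content apart from loopback entries.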
Executes dropped EXE 1 IoCs
Processes:
- csrss.exe, PID 2904
Adds Run key to start application 2 TTPs 28 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe: Set value (str) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (14 writes):
  winlogon = "C:\Program Files\Reference Assemblies\winlogon.exe"
  dllhost = "C:\Windows\PLA\dllhost.exe"
  WmiPrvSE = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe"
  csrss = "C:\Users\Default User\csrss.exe"
  OSPPSVC = "C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe"
  csrss = "C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe"
  csrss = "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"
  wininit = "C:\Program Files\Microsoft Games\wininit.exe"
  csrss = "C:\Users\Public\Desktop\csrss.exe"
  services = "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
  Idle = "C:\Users\Default User\Idle.exe"
  c830d62f6f45993891816dee47dee340N = "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe"
  sppsvc = "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe"
  sppsvc = "C:\Windows\Registration\CRMLog\sppsvc.exe"
- c830d62f6f45993891816dee47dee340N.exe: Set value (str) under \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run (14 writes, the same value names and paths):
  sppsvc = "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe"
  csrss = "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"
  Idle = "C:\Users\Default User\Idle.exe"
  services = "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
  WmiPrvSE = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe"
  dllhost = "C:\Windows\PLA\dllhost.exe"
  OSPPSVC = "C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe"
  winlogon = "C:\Program Files\Reference Assemblies\winlogon.exe"
  c830d62f6f45993891816dee47dee340N = "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe"
  csrss = "C:\Users\Public\Desktop\csrss.exe"
  csrss = "C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe"
  sppsvc = "C:\Windows\Registration\CRMLog\sppsvc.exe"
  csrss = "C:\Users\Default User\csrss.exe"
  wininit = "C:\Program Files\Microsoft Games\wininit.exe"
Note that a Run value name holds a single command, so the four csrss writes and the two sppsvc writes in each hive overwrite one another and only the last-written path for each name survives on disk; the report does not give the write order, so confirm the surviving values on the host rather than assuming all 14 paths autostart from Run. The Winlogon Shell list and the scheduled tasks cover the rest.
Drops file in Program Files directory 20 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe:
  File opened for modification C:\Program Files\Microsoft Games\wininit.exe
  File created C:\Program Files\Microsoft Games\wininit.exe
  File created C:\Program Files (x86)\Common Files\System\ja-JP\886983d96e3d3e
  File opened for modification C:\Program Files\Reference Assemblies\winlogon.exe
  File opened for modification C:\Program Files\Java\jre7\bin\plugin2\csrss.exe
  File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
  File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc
  File created C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe
  File opened for modification C:\Program Files\Reference Assemblies\RCXBA5C.tmp
  File opened for modification C:\Program Files\Microsoft Games\RCXBC60.tmp
  File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD111.tmp
  File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
  File created C:\Program Files\Microsoft Games\56085415360792
  File created C:\Program Files\Reference Assemblies\cc11b995f2a76d
  File created C:\Program Files\Java\jre7\bin\plugin2\csrss.exe
  File created C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e
  File opened for modification C:\Program Files\Java\jre7\bin\plugin2\RCXC5B6.tmp
  File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\RCXD315.tmp
  File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe
  File created C:\Program Files\Reference Assemblies\winlogon.exe
Drops file in Windows directory 8 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe:
  File created C:\Windows\PLA\dllhost.exe
  File created C:\Windows\PLA\5940a34987c991
  File created C:\Windows\Registration\CRMLog\sppsvc.exe
  File created C:\Windows\Registration\CRMLog\0a1fd5f707cd16
  File opened for modification C:\Windows\PLA\RCXCC9C.tmp
  File opened for modification C:\Windows\PLA\dllhost.exe
  File opened for modification C:\Windows\Registration\CRMLog\RCXD519.tmp
  File opened for modification C:\Windows\Registration\CRMLog\sppsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe (42 instances), PIDs: 2944, 1660, 1480, 2012, 2348, 264, 1044, 1432, 2796, 2864, 2708, 2644, 1856, 1508, 2192, 2972, 988, 1968, 2764, 2640, 2752, 2884, 672, 608, 1040, 1936, 1056, 2984, 396, 796, 1960, 2620, 2232, 2096, 956, 2148, 1536, 952, 3008, 1336, 468, 2908
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- c830d62f6f45993891816dee47dee340N.exe, PID 2104 (47 events)
- powershell.exe, PIDs: 2628, 1880, 2620, 2796, 2752, 540, 2204, 1172, 2720, 2808, 2608, 2236, 2632, 484 (one event each)
- csrss.exe, PID 2904 (3 events)
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2104, c830d62f6f45993891816dee47dee340N.exe
- Token: SeDebugPrivilege, PID 2628, powershell.exe
- Token: SeDebugPrivilege, PID 1880, powershell.exe
- Token: SeDebugPrivilege, PID 2620, powershell.exe
- Token: SeDebugPrivilege, PID 2796, powershell.exe
- Token: SeDebugPrivilege, PID 2752, powershell.exe
- Token: SeDebugPrivilege, PID 540, powershell.exe
- Token: SeDebugPrivilege, PID 2204, powershell.exe
- Token: SeDebugPrivilege, PID 1172, powershell.exe
- Token: SeDebugPrivilege, PID 2720, powershell.exe
- Token: SeDebugPrivilege, PID 2808, powershell.exe
- Token: SeDebugPrivilege, PID 2904, csrss.exe
- Token: SeDebugPrivilege, PID 2608, powershell.exe
- Token: SeDebugPrivilege, PID 2236, powershell.exe
- Token: SeDebugPrivilege, PID 2632, powershell.exe
- Token: SeDebugPrivilege, PID 484, powershell.exe
- Token: SeDebugPrivilege, PID 1596, powershell.exe
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2796 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2796 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2796 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2608 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2608 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2608 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2628 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2628 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2628 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2720 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2720 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2720 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2752 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2752 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2752 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2236 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2236 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2236 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2204 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2204 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2204 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2632 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2632 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2632 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1880 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1880 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1880 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2808 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2808 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2808 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2620 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2620 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2620 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 484 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 484 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 484 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 540 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 540 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 540 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1596 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1596 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1596 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1172 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1172 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 1172 (powershell.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2904 (csrss.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2904 (csrss.exe)
- PID 2104 (c830d62f6f45993891816dee47dee340N.exe) wrote to memory of PID 2904 (csrss.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Image: C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"
Depth: 1
- DcRat
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\winlogon.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\wininit.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\dllhost.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1596
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\sppsvc.exe'
Depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
Image: C:\Users\Public\Desktop\csrss.exe
Command line: "C:\Users\Public\Desktop\csrss.exe"
Depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\dllhost.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads