Analysis
- max time kernel: 145s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 22-07-2024 16:22
Behavioral task: behavioral1
- Sample: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- Resource: win10v2004-20240709-en
General
- Target: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- Size: 1.3MB
- MD5: f946ceb3dfbc4802323f045e77b9fc63
- SHA1: 04beac37360d30c5ad933f82f80bfd41ae294cc4
- SHA256: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
- SHA512: 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3
- SSDEEP: 24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1
Malware Config
Signatures
-
DcRat 38 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
- schtasks.exe, 36 PIDs: 3056, 2624, 1008, 2708, 1132, 2980, 2412, 2764, 2152, 2916, 1312, 2608, 2028, 2192, 1616, 1492, 2132, 2804, 2312, 1948, 1032, 408, 2644, 2716, 2852, 2868, 772, 1720, 2268, 1556, 2740, 1636, 2932, 768, 2696, 2604
- File created: C:\Windows\it-IT\System.exe (process: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe)
- File created: C:\Windows\it-IT\27d1bcfc3c54e0 (process: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe)
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes:
All 12 entries are "Set value (str)" writes by 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe to the same key, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. The recorded values are successive prefixes of one string: "explorer.exe" followed by one to twelve quoted paths, one more path per write, in this order:
1. C:\Windows\it-IT\System.exe
2. C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
3. C:\Program Files\Windows Journal\ja-JP\spoolsv.exe
4. C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
5. C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe
6. C:\Users\Default User\System.exe
7. C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe
8. C:\Users\Default User\OSPPSVC.exe
9. C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
10. C:\Windows\PLA\dllhost.exe
11. C:\Program Files\DVD Maker\WmiPrvSE.exe
12. C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe
The value after the twelfth write is: explorer.exe, "C:\Windows\it-IT\System.exe", "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe", "C:\Program Files\Windows Journal\ja-JP\spoolsv.exe", "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe", "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe", "C:\Users\Default User\System.exe", "C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe", "C:\Users\Default User\OSPPSVC.exe", "C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe", "C:\Windows\PLA\dllhost.exe", "C:\Program Files\DVD Maker\WmiPrvSE.exe", "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe"
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
All 36 entries carry the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 2564 and process schtasks.exe. The pid column values are: 2152, 2708, 2804, 2740, 2608, 2716, 2852, 2624, 2764, 2604, 2644, 2028, 2192, 2312, 1636, 2932, 1616, 768, 1492, 2868, 2916, 772, 1948, 1032, 1720, 1132, 1008, 3056, 2980, 2132, 2696, 2412, 2268, 1312, 1556, 408
Processes:
YARA rule dcrat matched the following resources:
- behavioral1/memory/1316-1-0x00000000002A0000-0x00000000003FA000-memory.dmp
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe
- C:\Windows\it-IT\System.exe
- C:\Program Files\Windows Journal\ja-JP\spoolsv.exe
- C:\Users\Default\System.exe
- C:\Program Files\DVD Maker\WmiPrvSE.exe
- behavioral1/memory/2240-185-0x0000000000C30000-0x0000000000D8A000-memory.dmp
- behavioral1/memory/2964-196-0x00000000001A0000-0x00000000002FA000-memory.dmp
- behavioral1/memory/3056-208-0x0000000001250000-0x00000000013AA000-memory.dmp
- behavioral1/memory/2200-220-0x0000000000230000-0x000000000038A000-memory.dmp
- behavioral1/memory/2992-232-0x0000000000FF0000-0x000000000114A000-memory.dmp
- behavioral1/memory/1556-266-0x0000000001290000-0x00000000013EA000-memory.dmp
Executes dropped EXE 13 IoCs
Processes:
- 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, 13 PIDs: 2240, 2964, 3056, 2200, 2992, 1832, 1856, 1556, 2324, 2176, 2068, 1940, 2948
Adds Run key to start application 2 TTPs 24 IoCs
Processes:
All 24 entries are "Set value (str)" writes by 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe. Below, USER_RUN stands for \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run and MACHINE_RUN for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; each value is the quoted path shown.
- USER_RUN\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
- USER_RUN\spoolsv = "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- MACHINE_RUN\taskhost = "C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe"
- MACHINE_RUN\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
- MACHINE_RUN\WmiPrvSE = "C:\Program Files\DVD Maker\WmiPrvSE.exe"
- USER_RUN\OSPPSVC = "C:\Users\Default User\OSPPSVC.exe"
- MACHINE_RUN\OSPPSVC = "C:\Users\Default User\OSPPSVC.exe"
- USER_RUN\System = "C:\Windows\it-IT\System.exe"
- USER_RUN\csrss = "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
- MACHINE_RUN\csrss = "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
- USER_RUN\spoolsv = "C:\Program Files\Windows Journal\ja-JP\spoolsv.exe"
- MACHINE_RUN\spoolsv = "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- USER_RUN\taskhost = "C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe"
- USER_RUN\dllhost = "C:\Windows\PLA\dllhost.exe"
- USER_RUN\dllhost = "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe"
- MACHINE_RUN\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
- MACHINE_RUN\System = "C:\Users\Default User\System.exe"
- USER_RUN\WmiPrvSE = "C:\Program Files\DVD Maker\WmiPrvSE.exe"
- MACHINE_RUN\System = "C:\Windows\it-IT\System.exe"
- MACHINE_RUN\spoolsv = "C:\Program Files\Windows Journal\ja-JP\spoolsv.exe"
- USER_RUN\System = "C:\Users\Default User\System.exe"
- USER_RUN\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
- MACHINE_RUN\dllhost = "C:\Windows\PLA\dllhost.exe"
- MACHINE_RUN\dllhost = "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe"
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
Processes:
- ioc: pastebin.com, seen in 13 flows: 18, 21, 9, 12, 27, 33, 30, 36, 39, 4, 5, 15, 24
Drops file in Program Files directory 30 IoCs
Processes:
All 30 entries are by 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe.
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\ba72c994d5d333
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXC99E.tmp
- File created: C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\5940a34987c991
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB2DF.tmp
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
- File opened for modification: C:\Program Files\DVD Maker\RCXC72C.tmp
- File opened for modification: C:\Program Files\DVD Maker\RCXC79A.tmp
- File created: C:\Program Files\Windows Journal\ja-JP\spoolsv.exe
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
- File opened for modification: C:\Program Files\Windows Journal\ja-JP\RCXB552.tmp
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
- File created: C:\Program Files (x86)\Windows Portable Devices\ba72c994d5d333
- File created: C:\Program Files\DVD Maker\24dbde2999530e
- File opened for modification: C:\Program Files\Windows Journal\ja-JP\spoolsv.exe
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\RCXB756.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC2B5.tmp
- File opened for modification: C:\Program Files\DVD Maker\WmiPrvSE.exe
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB2E0.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC2B6.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXC99F.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e
- File created: C:\Program Files\DVD Maker\WmiPrvSE.exe
- File opened for modification: C:\Program Files\Windows Journal\ja-JP\RCXB4E4.tmp
- File created: C:\Program Files\Windows Journal\ja-JP\f3b6ecef712a24
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe
- File opened for modification: C:\Program Files (x86)\Windows Portable Devices\RCXB757.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Drops file in Windows directory 10 IoCs
Processes:
All 10 entries are by 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe.
- File opened for modification: C:\Windows\PLA\RCXC4BB.tmp
- File created: C:\Windows\it-IT\System.exe
- File opened for modification: C:\Windows\it-IT\System.exe
- File opened for modification: C:\Windows\it-IT\RCXB0CC.tmp
- File opened for modification: C:\Windows\it-IT\RCXB05D.tmp
- File opened for modification: C:\Windows\PLA\RCXC4BA.tmp
- File opened for modification: C:\Windows\PLA\dllhost.exe
- File created: C:\Windows\it-IT\27d1bcfc3c54e0
- File created: C:\Windows\PLA\dllhost.exe
- File created: C:\Windows\PLA\5940a34987c991
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, 36 PIDs: 2696, 2604, 2132, 2980, 1132, 3056, 2868, 2916, 2852, 2192, 2312, 1556, 2152, 2740, 1008, 2624, 1616, 2764, 1948, 1032, 408, 2708, 2608, 2028, 1636, 1492, 772, 2412, 2804, 2716, 768, 1720, 2268, 1312, 2644, 2932
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe (14 instances)
pid | process
1316 (3 events), 2240, 2964, 3056, 2200, 2992, 1832, 1856, 1556, 2324, 2176, 2068, 1940, 2948 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe (14 instances)
description | pid | process
Token: SeDebugPrivilege | 1316, 2240, 2964, 3056, 2200, 2992, 1832, 1856, 1556, 2324, 2176, 2068, 1940, 2948 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
Every relaunched copy enables SeDebugPrivilege. A process can only enable a privilege its token already holds, so this confirms the whole chain ran under an elevated administrator token; an executable under Program Files or a locale directory enabling SeDebugPrivilege is a strong hunting signal on its own.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe, cmd.exe, WScript.exe
Each parent/child pair below was recorded three times; the list is capped at 64 entries, which is why it stops at PID 1856.
description | pid | process | target pid | target process
wrote to memory of | 1316 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2112 | cmd.exe
wrote to memory of | 2112 | cmd.exe | 2772 | w32tm.exe
wrote to memory of | 2112 | cmd.exe | 2240 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 2240 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 1760 | WScript.exe
wrote to memory of | 2240 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2348 | WScript.exe
wrote to memory of | 1760 | WScript.exe | 2964 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 2964 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2060 | WScript.exe
wrote to memory of | 2964 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 1652 | WScript.exe
wrote to memory of | 2060 | WScript.exe | 3056 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 3056 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2212 | WScript.exe
wrote to memory of | 3056 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2540 | WScript.exe
wrote to memory of | 2212 | WScript.exe | 2200 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 2200 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2524 | WScript.exe
wrote to memory of | 2200 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2384 | WScript.exe
wrote to memory of | 2524 | WScript.exe | 2992 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 2992 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2956 | WScript.exe
wrote to memory of | 2992 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 1012 | WScript.exe
wrote to memory of | 2956 | WScript.exe | 1832 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 1832 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2628 | WScript.exe
wrote to memory of | 1832 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2144 | WScript.exe
wrote to memory of | 2628 | WScript.exe | 1856 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
wrote to memory of | 1856 | 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe | 2584 | WScript.exe (1 event before the cap)
-
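The parent/child pairs above describe a loop: every dropped copy starts two WScript.exe instances on GUID-named .vbs files in %TEMP%, and one of the two starts the copy again. As an added example that is not part of the sandbox report, the Python below replays that structure over process-creation events transcribed from this report's tree (pid, parent pid, image, command line; the first few levels are enough) and flags the three traits a detection engineer would key on: a GUID-named .vbs executed from %TEMP%, a process whose parent is WScript.exe and whose image equals its grandparent's (the relaunch), and the w32tm /stripchart call the dropped .bat uses as a delay. The trait names, the Event record and the generation() helper are my own.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE_EXE = "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
ORIG = TEMP + "\\" + SAMPLE_EXE
WPD_COPY = r"C:\Program Files (x86)\Windows Portable Devices" + "\\" + SAMPLE_EXE

# A .vbs whose file name is a bare GUID, living directly in the user's Temp directory.
GUID_VBS = re.compile(
    r"\\Temp\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.vbs\b",
    re.IGNORECASE,
)


def vbs_cmd(guid):
    """Command line of one WScript.exe launch as seen in the report."""
    return f'"{WSCRIPT}" "{TEMP}\\{guid}.vbs"'


# Process-creation events transcribed from the tree in this report (depth 1 to 7).
EVENTS = [
    Event(1316, 0, ORIG, f'"{ORIG}"'),
    Event(2112, 1316, r"C:\Windows\System32\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /C "{TEMP}\\vfELjyVScz.bat"'),
    Event(2772, 2112, r"C:\Windows\system32\w32tm.exe",
          "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    Event(2240, 2112, WPD_COPY, f'"{WPD_COPY}"'),
    Event(1760, 2240, WSCRIPT, vbs_cmd("6ca00480-b941-467e-814a-54e522f61011")),
    Event(2348, 2240, WSCRIPT, vbs_cmd("bf9158c1-ec3f-472f-ad32-5d22e44c125c")),
    Event(2964, 1760, WPD_COPY, f'"{WPD_COPY}"'),
    Event(2060, 2964, WSCRIPT, vbs_cmd("c2aeeca3-8f8c-4e6a-aeb7-915932e6733c")),
    Event(1652, 2964, WSCRIPT, vbs_cmd("7c332152-d620-47f3-8682-65dd035cb045")),
    Event(3056, 2060, WPD_COPY, f'"{WPD_COPY}"'),
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Return (pid, trait) pairs in event order for the three traits described above."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        if name == "wscript.exe" and GUID_VBS.search(e.cmdline):
            alerts.append((e.pid, "wscript-guid-vbs-from-temp"))
        if name == "w32tm.exe" and "/stripchart" in e.cmdline.lower():
            alerts.append((e.pid, "w32tm-stripchart-delay"))
        # Relaunch: parent is WScript.exe and the grandparent runs the same image as this process.
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if (parent and grand
                and image_name(parent.image) == "wscript.exe"
                and grand.image.lower() == e.image.lower()):
            alerts.append((e.pid, "vbs-relaunch-of-grandparent"))
    return alerts


def generation(events, pid):
    """How many ancestors of pid (pid included) run the same image: the loop count."""
    by_pid = {e.pid: e for e in events}
    image = by_pid[pid].image.lower()
    count, cur = 0, by_pid.get(pid)
    while cur is not None:
        if cur.image.lower() == image:
            count += 1
        cur = by_pid.get(cur.ppid)
    return count


if __name__ == "__main__":
    for pid, trait in analyze(EVENTS):
        print(f"{pid:>5}  {trait}")
    print("generation of PID 3056:", generation(EVENTS, 3056))
```

Fed with Sysmon Event ID 1 or Security 4688 records (ProcessId, ParentProcessId, Image, CommandLine) instead of the transcribed list, the same two functions surface the loop on a live host; the generation count is what distinguishes this self-relaunch pattern from a single legitimate script launching one program.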
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 1316)
  command line: "C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\cmd.exe  (PID 2112)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfELjyVScz.bat"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\w32tm.exe  (PID 2772)
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      (w32tm /stripchart with /period:5 /samples:2 takes several seconds to return; the .bat uses it as a delay before starting the dropped copy)
    [depth 3] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2240)
      command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\System32\WScript.exe  (PID 1760)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca00480-b941-467e-814a-54e522f61011.vbs"
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2964)
          command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\System32\WScript.exe  (PID 2060)
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2aeeca3-8f8c-4e6a-aeb7-915932e6733c.vbs"
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 3056)
              command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\System32\WScript.exe  (PID 2212)
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a84003e-e153-42eb-917a-b1698cdd279e.vbs"
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2200)
                  command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\System32\WScript.exe  (PID 2524)
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8087c-804b-42c6-822c-032b2c045633.vbs"
                    - Suspicious use of WriteProcessMemory
                    [depth 11] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2992)
                      command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      [depth 12] C:\Windows\System32\WScript.exe  (PID 2956)
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8612983c-c1d0-4543-a0f8-9ee2ffdb0cf3.vbs"
                        - Suspicious use of WriteProcessMemory
                        [depth 13] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 1832)
                          command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                          - Executes dropped EXE
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                          [depth 14] C:\Windows\System32\WScript.exe  (PID 2628)
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73c027d4-95f0-4263-bd90-d9667b145154.vbs"
                            - Suspicious use of WriteProcessMemory
                            [depth 15] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 1856)
                              command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                              - Executes dropped EXE
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of WriteProcessMemory
                              [depth 16] C:\Windows\System32\WScript.exe  (PID 2584)
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060c69e3-8922-45be-87e9-5f60534bf0fc.vbs"
                                [depth 17] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 1556)
                                  command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                  - Executes dropped EXE
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken
                                  [depth 18] C:\Windows\System32\WScript.exe  (PID 1752)
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41176c31-eceb-404f-9920-3ce32e70f66c.vbs"
                                    [depth 19] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2324)
                                      command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                      - Executes dropped EXE
                                      - Suspicious behavior: EnumeratesProcesses
                                      - Suspicious use of AdjustPrivilegeToken
                                      [depth 20] C:\Windows\System32\WScript.exe  (PID 2304)
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010c95fe-4b29-480e-b68a-70f9e1cd6505.vbs"
                                        [depth 21] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2176)
                                          command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                          - Executes dropped EXE
                                          - Suspicious behavior: EnumeratesProcesses
                                          - Suspicious use of AdjustPrivilegeToken
                                          [depth 22] C:\Windows\System32\WScript.exe  (PID 2072)
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd8512e7-288f-4163-9b4c-17cfb37453ea.vbs"
                                            [depth 23] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2068)
                                              command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                              - Executes dropped EXE
                                              - Suspicious behavior: EnumeratesProcesses
                                              - Suspicious use of AdjustPrivilegeToken
                                              [depth 24] C:\Windows\System32\WScript.exe  (PID 2204)
                                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57db4fc-1272-4c1d-acff-efc70e4c0865.vbs"
                                                [depth 25] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 1940)
                                                  command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                  - Executes dropped EXE
                                                  - Suspicious behavior: EnumeratesProcesses
                                                  - Suspicious use of AdjustPrivilegeToken
                                                  [depth 26] C:\Windows\System32\WScript.exe  (PID 2652)
                                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46d2ee3-0901-4a6a-bfe1-857dec79b0ce.vbs"
                                                    [depth 27] C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe  (PID 2948)
                                                      command line: "C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
                                                      - Executes dropped EXE
                                                      - Suspicious behavior: EnumeratesProcesses
                                                      - Suspicious use of AdjustPrivilegeToken
                                                      [depth 28] C:\Windows\System32\WScript.exe  (PID 2244)
                                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f377bc9c-4af4-4484-8c91-0c3bb510600d.vbs"
                                                      [depth 28] C:\Windows\System32\WScript.exe  (PID 876)
                                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca71227-1d98-42f2-9124-b99e23a89185.vbs"
                                                  [depth 26] C:\Windows\System32\WScript.exe  (PID 1848)
                                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f53e243-be3c-44fa-967b-a3fa1860f2e9.vbs"
                                              [depth 24] C:\Windows\System32\WScript.exe  (PID 1336)
                                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55270971-521a-406d-bcbb-5adae37b2bc8.vbs"
                                          [depth 22] C:\Windows\System32\WScript.exe  (PID 3028)
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868ba458-c979-44de-8de7-e263d8d060bc.vbs"
                                      [depth 20] C:\Windows\System32\WScript.exe  (PID 1544)
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93a4c2c-d8bf-4594-a934-a8ab63102ec8.vbs"
                                  [depth 18] C:\Windows\System32\WScript.exe  (PID 1632)
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebe0fd3-b5fd-4c01-9e26-14bb44701e32.vbs"
                              [depth 16] C:\Windows\System32\WScript.exe  (PID 2044)
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ceb8a9-9199-4256-8ff7-6afbe07971b6.vbs"
                          [depth 14] C:\Windows\System32\WScript.exe  (PID 2144)
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7791cc-2ebf-4afc-944d-31c3a9fd7c21.vbs"
                      [depth 12] C:\Windows\System32\WScript.exe  (PID 1012)
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944f4eeb-8be4-4ad3-a5f7-7043880dc520.vbs"
                  [depth 10] C:\Windows\System32\WScript.exe  (PID 2384)
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71150a3b-acf1-4c52-a97f-411fc764092e.vbs"
              [depth 8] C:\Windows\System32\WScript.exe  (PID 2540)
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d93118-9910-4ce8-95f5-9e15357e4c33.vbs"
          [depth 6] C:\Windows\System32\WScript.exe  (PID 1652)
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c332152-d620-47f3-8682-65dd035cb045.vbs"
      [depth 4] C:\Windows\System32\WScript.exe  (PID 2348)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9158c1-ec3f-472f-ad32-5d22e44c125c.vbs"
Each copy of the dropped executable launches two WScript.exe instances on GUID-named .vbs files from %TEMP%; the first relaunches the copy, the second has no observable child, and the cycle repeats 14 times within the analysis window (depth 27 is reached after about 145 seconds).
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
1.3MB
MD5 f946ceb3dfbc4802323f045e77b9fc63
SHA1 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3
-
Filesize
1.3MB
MD5 59be1a3db10fdffe0258170ab44303e4
SHA1 1ff68ff01323f611eb96037d1709c7deaf1f1e15
SHA256 4bd3e24484aa90e5e54b83edce70c96e88c7c93522a799e41548b48d144bf27a
SHA512 8cf4d868b186b271b6b5f6f4a0d5b8c19a545feb5b8de9b1974647f736bb7c12e9cbec4188529f8cf35a5d8c0cecc9a56d5fb55e876dbc46ca00ccaea896d8ab
-
Filesize
1.3MB
MD5 079019233687f775602f6083854c0a3c
SHA1 8d96468e21fae8501972041545be493fb7bf520d
SHA256 a38dd6a3968bdbd7a9b811bd950a131434f16aedc405c1f7eef46f3a86274bab
SHA512 5fa31ef176ba33eb823dc326c53168e91d4bd63bbd2e55c770dac0cf1234c49425d6bbb424d5f9945c2dabddcaa5b052aff1e4a26b4043b1ba42ae5be8794527
-
Filesize
792B
MD5 0c863e163c5b6f33820d84e82202414e
SHA1 402c06891c7b75707caff2c5a989fe72dc4c8365
SHA256 4aa7d3af491d23944c42479f7db5656a5d1527d7cbf6cf1a4bd41966c9990a6b
SHA512 dfa6cbc3b0692d41e437565641685642fad20263834356f8c675b30aaa9d571e9509794c1998ead3d24b0f4cc2b1cebf50b5b8f46dae26e2df42c0ecab4f9466
-
Filesize
792B
MD5 e851b27efc0aa5e611a0f8f21b44d7af
SHA1 0208d843f2dcefd95358a21b3b22b0fc54ac5026
SHA256 c0f63a2ddc318d800f7ce08af1647d80a109779736954d0a1acd6671a2e1b2b4
SHA512 d8f34e181bbb7236d46a6eab8f0deee35f9bbbd125f8911ad85c0f103a6e0e5ff4ea446cf5ec2ab7b86fb8a881b6cb256a70b6317868652ba63cde9354f12f98
-
Filesize
792B
MD5 c0a872d40a6c233bb222b18852f51708
SHA1 23b5f64a5c3602b898ec4b542f5be263c27bb65e
SHA256 180771a30dc34f455e8b8b08f1f20fda684fbe9ddd2325ceea80c0d76b7df847
SHA512 b851ef7f084c0b84bcf0e86fc3a56b9093a7b57ee7c44041dc7e5a6528365ebe261157a4ea1a726ab36e52f00e885d5fabc5de33015afc152f8c85ad243b388a
-
Filesize
792B
MD5 c0546b1ea78ce440544d2bf3c3fc8aa0
SHA1 bf24480341eb91a5d7abb043671de0e5cb8960da
SHA256 c78cd485de51f8addf174c6fc2a10ee283d30fcceab57c90afd91fe4715d2516
SHA512 d27445b23f28ab6b805522c398c10901fe03e0e98c0c74dbc0d6330f4baaa7c4480d1c509fffb5969503e2ee0407d501b843dab7473b03773b316e6dfb0922e8
-
Filesize
792B
MD5 51ec3b379d0bb64983be5137d8ac5a56
SHA1 93d41cf25849471cd1db686305dc6c7f9d69755b
SHA256 b05f8af7f24ed683d192af012a0b4a258ca2aadde5ad43fd79947ba9184d5753
SHA512 bfdd95b9522ef4d58be7afdaf08ec5a673e34a069196c813a784676cf266efc33a0061160beb3ff057c5f220e09082312969eadd527dc89fa31c9385f68a0435
-
Filesize
792B
MD5 f031e96e54d404fea0da0c8d745e4aa6
SHA1 057034288bed1c37d0f23b7b2b52ec292fa1c103
SHA256 8e895faa91fb0d020348e30869e275542299d580e995ae66b921be02cd1d2807
SHA512 49bf5be3f6ceabb0c47327c036e24bc49b3ccab63cc14a6d819740ec52c3ad8430de87bd0e2f44e5445608659a504c0010cc5d4556a1dd38dcf2dcb4b5dd3396
-
Filesize
792B
MD5 bcfd3d7836fa644f3db03f0a60f0fbc8
SHA1 98d3f8a1f3e0d4ef6204db98e972b3f404985912
SHA256 fa2fdd7a7222bf408763e6718eb51003dbe1f544bc32dd9f5b0021c8e05eff3f
SHA512 a22f695171fbc86f65bf89260ec55d7d10a4bde5ffc973e0221afe5549bce7a319e7853625e130575e9f2944e43da66eabb175bf6b31c953dfea4fd92befa5bb
-
Filesize
792B
MD5 567b148c7c10cbe152f0e02fb09a9325
SHA1 c40a7ec75d0575ff748ae83d569202ba7d24224e
SHA256 2ce04bb1f02b2e6840ba5112c31bc2a94ed5538e127648d7a22a604ff1b5c248
SHA512 0b2a2a630637e47b2b1c25f54e967e5cb31118740738e8e182f596e4955f1cbade060533674e94e2cf391d491748e2695fba87ce76ef439f319ef8cf51fe95a1
-
Filesize
792B
MD5 a1aa39cf641f9af58d2b3a7395ae56f2
SHA1 90bb662327d55b635692430a41bd72a8ba267b78
SHA256 3e3ba720fb9c9f626065bf5fd5e4b36ded3b8ba25251f0c7cf8150b9405a2bf6
SHA512 889685ea04711b0ce471b5b7d2c6003fa9f1c6dcdc448e86c3e0976cd1b96275a76a791bce77b064586b622e283032b350579926ff4752a00762cfcecc28515f
-
Filesize
568B
MD5 0a7ce9f2aa9aa4e47176d1a70f727f11
SHA1 ce326caeaaccf558e80c81a70faab1de1ebfdafd
SHA256 15a93dc4aa5eea51bc49f6b080ef18ff07471b89f1500dddee86e63cf6b6d8a6
SHA512 25c61aec86021203c9af860b6cc370959b8c43e39a015810631e4c18bf096761d09f9ac69235ca6b0752fc5c3d3422952031877884af742b80bd3a2126062244
-
Filesize
792B
MD5 a3d0a5648a7d7af69913c3aa633ce605
SHA1 1d0f474d8d48687f4aa4a16f5e56885ed2f3c7e1
SHA256 8533d5ed50b731db7aec4b4c94e4833a3077ab8fc5d57f2569827c517672e462
SHA512 0041c9a4550cd0135c0468d84861d843a5118343872a041e5386f90b4a6634151d931d505a462b960ea54301a5895369aa1c5b49cd1761fa2d1c57a5c29b22f2
-
Filesize
792B
MD5 2c708257b5bfa3fbaffffef9e0955ab0
SHA1 8ec65281aefc2ca06eda99ee3049258c3807f3d3
SHA256 b18422ccd6364dfefa6733ee495e85386efb178f316ef9bc9c4b3badf9d26a9d
SHA512 4e5cda32c1cf8c5ccc7400f7de8a88af739933311df90a3a5803a85066ca620cdf9a4df8512d198edc0d1e5f9d8b5a49cd7bfa6f7d440f68863964233d0baae8
-
Filesize
792B
MD5 0cc061bc9860e95157ada05d084ee66c
SHA1 37560e556e64255edcd19f473afba97b5101c5e4
SHA256 0d64a16ccb2f1793f6e55bfd126bf7535e4d36b5ff7571c914f088fc276146ee
SHA512 95ae51447a0a4a7b4954e829ee877d7f15a3fedad64231a12dad7bccebd87620b386ddc5357b9aa9470138da046374b6e9383cb55db0e0a98b682ef5d8831a1a
-
Filesize
792B
MD5 ec4d47b82903fa1394e5b55c4733c720
SHA1 9f2b9dbe86e965bf2974dbbf6e0c62e3c37a6e4f
SHA256 b15fe37e112264143b3d5b51f07f1ddcfddb829f3e8ad3762ef50d0546db36ea
SHA512 e121aee8fc2a2f937a364887c1de3b57efaee3c0ef878d0f52e3251b8e2e6f6bff088d4425a92bcdf341f8c8d9e759d263252f9a6fb49b12039346085762370f
-
Filesize
281B
MD5 6f2973cfb0fd159ba1e4a88e2662a4d5
SHA1 0e8ecd120b68034b513a8c635b829712d420e521
SHA256 b4a2217467884635f0b705d177f421db3b1dd0f3987d31244bd85487317fa513
SHA512 e3992dcae1a99c1c842dc6803eb9775e3219fa3522d5700f868871291048bf9e00cce56d7fa8491d55995a6f8117352d37c50a0d549a4ff251409bf6163ed3f1
-
Filesize
1.3MB
MD5 6903e9a4b5e2768a6846ef8f45e1041f
SHA1 742b54fae1ffb097b6b0929a6b81de922720d6a6
SHA256 0def9b3c985e30721af2c5f44f047623d60511c4019cf3b7864862fa04151e1b
SHA512 b99b1a7e90edbad4531fc960244c174e6add38e542911ca29e6f226fc7a896f5c71653221fff66e92211e147b05344490f12bf34a154f9bfb677b139eb3b27c8
-
Filesize
1.3MB
MD5 25e3aae206a932b279a0cfab02592866
SHA1 42eb90e607c83d3e5f5e706ce446206cce2bc5e2
SHA256 d3c8e24d8fe6447c55175a8b2fa3534b00423ca3c9480f992c0b21741ed3c9db
SHA512 2344a8fe6afb1859b8f036d0eda973be2b1e5ad575449c5f4818e894c2922e4f2fbaf970b223267e6976baff6b38cd17f928351662db3d144a238adc4ca86c7b