Analysis
max time kernel: 119s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 04-09-2024 11:56
Static task: static1
Behavioral task: behavioral1
Sample: 2e427fad65a1acee051224babed62e00N.exe
Resource: win7-20240903-en
General
Target: 2e427fad65a1acee051224babed62e00N.exe
Size: 4.9MB
MD5: 2e427fad65a1acee051224babed62e00
SHA1: 9f01f207c5213f3adf2d0ddd0806135c96e03d84
SHA256: 6e5aad0db5a6d82f3aadef1cd9856462367d2abc7da9e23adb90e6c738b830f0
SHA512: 6c26bd4fa1a96c9a5d78bdd71b707d3f553d04f462a35fc5ad34c229fd9cb7dfac2d3e409a7b2562541a785c32c881b27b2ff94eccc8a5e9a555945be9f7cc3b
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 312 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 996 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4448 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4704 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1864 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4156 | 4724 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 4724 | schtasks.exe | 86

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe

resource | yara_rule
behavioral2/memory/4376-3-0x000000001B760000-0x000000001B88E000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1896 | powershell.exe
8 | powershell.exe
4604 | powershell.exe
2456 | powershell.exe
4768 | powershell.exe
1768 | powershell.exe
1900 | powershell.exe
4432 | powershell.exe
776 | powershell.exe
4080 | powershell.exe
3912 | powershell.exe

Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 2e427fad65a1acee051224babed62e00N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | taskhostw.exe

Executes dropped EXE 38 IoCs
pid | Process
2560 | tmpC577.tmp.exe
4588 | tmpC577.tmp.exe
964 | tmpC577.tmp.exe
2392 | taskhostw.exe
4252 | tmpEAEC.tmp.exe
5008 | tmpEAEC.tmp.exe
1784 | taskhostw.exe
4828 | tmp6C1.tmp.exe
3712 | tmp6C1.tmp.exe
3524 | taskhostw.exe
2596 | tmp22B6.tmp.exe
3408 | tmp22B6.tmp.exe
1772 | taskhostw.exe
748 | taskhostw.exe
2556 | tmp71EF.tmp.exe
2616 | tmp71EF.tmp.exe
1692 | taskhostw.exe
5036 | tmpA275.tmp.exe
2288 | tmpA275.tmp.exe
1204 | taskhostw.exe
5008 | tmpC119.tmp.exe
1364 | tmpC119.tmp.exe
4092 | taskhostw.exe
3240 | tmpDD99.tmp.exe
1596 | tmpDD99.tmp.exe
4600 | taskhostw.exe
4240 | tmpF98E.tmp.exe
4300 | tmpF98E.tmp.exe
4920 | taskhostw.exe
2636 | tmp2A71.tmp.exe
3872 | tmp2A71.tmp.exe
4588 | taskhostw.exe
3596 | tmp5A1C.tmp.exe
4704 | tmp5A1C.tmp.exe
748 | taskhostw.exe
3656 | tmp8B6D.tmp.exe
4600 | tmp8B6D.tmp.exe
4076 | tmp8B6D.tmp.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2e427fad65a1acee051224babed62e00N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe

Suspicious use of SetThreadContext 12 IoCs
description | pid | Process | procid_target
PID 4588 set thread context of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4252 set thread context of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4828 set thread context of 3712 | 4828 | tmp6C1.tmp.exe | 142
PID 2596 set thread context of 3408 | 2596 | tmp22B6.tmp.exe | 148
PID 2556 set thread context of 2616 | 2556 | tmp71EF.tmp.exe | 159
PID 5036 set thread context of 2288 | 5036 | tmpA275.tmp.exe | 165
PID 5008 set thread context of 1364 | 5008 | tmpC119.tmp.exe | 171
PID 3240 set thread context of 1596 | 3240 | tmpDD99.tmp.exe | 177
PID 4240 set thread context of 4300 | 4240 | tmpF98E.tmp.exe | 183
PID 2636 set thread context of 3872 | 2636 | tmp2A71.tmp.exe | 189
PID 3596 set thread context of 4704 | 3596 | tmp5A1C.tmp.exe | 195
PID 4600 set thread context of 4076 | 4600 | tmp8B6D.tmp.exe | 202

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\DiagTrack\sppsvc.exe | 2e427fad65a1acee051224babed62e00N.exe
File opened for modification | C:\Windows\DiagTrack\sppsvc.exe | 2e427fad65a1acee051224babed62e00N.exe
File created | C:\Windows\DiagTrack\0a1fd5f707cd16 | 2e427fad65a1acee051224babed62e00N.exe
File opened for modification | C:\Windows\DiagTrack\RCXBF59.tmp | 2e427fad65a1acee051224babed62e00N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpEAEC.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp71EF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5A1C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC119.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF98E.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8B6D.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp6C1.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC577.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC577.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp22B6.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA275.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpDD99.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2A71.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8B6D.tmp.exe

Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | 2e427fad65a1acee051224babed62e00N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4704 | schtasks.exe
1864 | schtasks.exe
312 | schtasks.exe
4448 | schtasks.exe
1624 | schtasks.exe
4156 | schtasks.exe
2796 | schtasks.exe
996 | schtasks.exe
2168 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs
pid | Process
4376 | 2e427fad65a1acee051224babed62e00N.exe
4604 | powershell.exe
4604 | powershell.exe
3912 | powershell.exe
3912 | powershell.exe
1768 | powershell.exe
1768 | powershell.exe
1900 | powershell.exe
1900 | powershell.exe
4768 | powershell.exe
4768 | powershell.exe
2456 | powershell.exe
2456 | powershell.exe
8 | powershell.exe
8 | powershell.exe
4080 | powershell.exe
4080 | powershell.exe
4432 | powershell.exe
4432 | powershell.exe
3912 | powershell.exe
1896 | powershell.exe
1896 | powershell.exe
776 | powershell.exe
776 | powershell.exe
4604 | powershell.exe
1768 | powershell.exe
2456 | powershell.exe
1900 | powershell.exe
4768 | powershell.exe
4432 | powershell.exe
1896 | powershell.exe
8 | powershell.exe
4080 | powershell.exe
776 | powershell.exe
2392 | taskhostw.exe
1784 | taskhostw.exe
3524 | taskhostw.exe
1772 | taskhostw.exe
748 | taskhostw.exe
1692 | taskhostw.exe
1204 | taskhostw.exe
4092 | taskhostw.exe
4600 | taskhostw.exe
4920 | taskhostw.exe
4588 | taskhostw.exe
748 | taskhostw.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4376 | 2e427fad65a1acee051224babed62e00N.exe
Token: SeDebugPrivilege | 4604 | powershell.exe
Token: SeDebugPrivilege | 3912 | powershell.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 1900 | powershell.exe
Token: SeDebugPrivilege | 4432 | powershell.exe
Token: SeDebugPrivilege | 4768 | powershell.exe
Token: SeDebugPrivilege | 2456 | powershell.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 1896 | powershell.exe
Token: SeDebugPrivilege | 4080 | powershell.exe
Token: SeDebugPrivilege | 776 | powershell.exe
Token: SeDebugPrivilege | 2392 | taskhostw.exe
Token: SeDebugPrivilege | 1784 | taskhostw.exe
Token: SeDebugPrivilege | 3524 | taskhostw.exe
Token: SeDebugPrivilege | 1772 | taskhostw.exe
Token: SeDebugPrivilege | 748 | taskhostw.exe
Token: SeDebugPrivilege | 1692 | taskhostw.exe
Token: SeDebugPrivilege | 1204 | taskhostw.exe
Token: SeDebugPrivilege | 4092 | taskhostw.exe
Token: SeDebugPrivilege | 4600 | taskhostw.exe
Token: SeDebugPrivilege | 4920 | taskhostw.exe
Token: SeDebugPrivilege | 4588 | taskhostw.exe
Token: SeDebugPrivilege | 748 | taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4376 wrote to memory of 2560 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 98
PID 4376 wrote to memory of 2560 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 98
PID 4376 wrote to memory of 2560 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 98
PID 4376 wrote to memory of 776 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 99
PID 4376 wrote to memory of 776 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 99
PID 4376 wrote to memory of 4604 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 100
PID 4376 wrote to memory of 4604 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 100
PID 4376 wrote to memory of 4080 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 101
PID 4376 wrote to memory of 4080 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 101
PID 4376 wrote to memory of 1896 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 103
PID 4376 wrote to memory of 1896 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 103
PID 4376 wrote to memory of 2456 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 104
PID 4376 wrote to memory of 2456 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 104
PID 4376 wrote to memory of 1768 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 105
PID 4376 wrote to memory of 1768 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 105
PID 4376 wrote to memory of 3912 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 106
PID 4376 wrote to memory of 3912 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 106
PID 4376 wrote to memory of 4768 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 107
PID 4376 wrote to memory of 4768 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 107
PID 4376 wrote to memory of 4432 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 111
PID 4376 wrote to memory of 4432 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 111
PID 4376 wrote to memory of 8 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 112
PID 4376 wrote to memory of 8 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 112
PID 4376 wrote to memory of 1900 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 113
PID 4376 wrote to memory of 1900 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 113
PID 4376 wrote to memory of 2784 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 121
PID 4376 wrote to memory of 2784 | 4376 | 2e427fad65a1acee051224babed62e00N.exe | 121
PID 2560 wrote to memory of 4588 | 2560 | tmpC577.tmp.exe | 124
PID 2560 wrote to memory of 4588 | 2560 | tmpC577.tmp.exe | 124
PID 2560 wrote to memory of 4588 | 2560 | tmpC577.tmp.exe | 124
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 4588 wrote to memory of 964 | 4588 | tmpC577.tmp.exe | 125
PID 2784 wrote to memory of 4508 | 2784 | cmd.exe | 126
PID 2784 wrote to memory of 4508 | 2784 | cmd.exe | 126
PID 2784 wrote to memory of 2392 | 2784 | cmd.exe | 129
PID 2784 wrote to memory of 2392 | 2784 | cmd.exe | 129
PID 2392 wrote to memory of 4380 | 2392 | taskhostw.exe | 131
PID 2392 wrote to memory of 4380 | 2392 | taskhostw.exe | 131
PID 2392 wrote to memory of 1948 | 2392 | taskhostw.exe | 132
PID 2392 wrote to memory of 1948 | 2392 | taskhostw.exe | 132
PID 2392 wrote to memory of 4252 | 2392 | taskhostw.exe | 134
PID 2392 wrote to memory of 4252 | 2392 | taskhostw.exe | 134
PID 2392 wrote to memory of 4252 | 2392 | taskhostw.exe | 134
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4252 wrote to memory of 5008 | 4252 | tmpEAEC.tmp.exe | 136
PID 4380 wrote to memory of 1784 | 4380 | WScript.exe | 137
PID 4380 wrote to memory of 1784 | 4380 | WScript.exe | 137
PID 1784 wrote to memory of 804 | 1784 | taskhostw.exe | 138
PID 1784 wrote to memory of 804 | 1784 | taskhostw.exe | 138
PID 1784 wrote to memory of 4084 | 1784 | taskhostw.exe | 139
PID 1784 wrote to memory of 4084 | 1784 | taskhostw.exe | 139
PID 1784 wrote to memory of 4828 | 1784 | taskhostw.exe | 140
PID 1784 wrote to memory of 4828 | 1784 | taskhostw.exe | 140
PID 1784 wrote to memory of 4828 | 1784 | taskhostw.exe | 140

System policy modification 1 TTPs 39 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2e427fad65a1acee051224babed62e00N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhostw.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe"C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.exe"4⤵
- Executes dropped EXE
PID:964
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZnppPT7KU.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4508
-
C:\Recovery\WindowsRE\taskhostw.exe"C:\Recovery\WindowsRE\taskhostw.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2392 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b9e322-e108-4dd6-976c-5dc3e34740a6.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1784 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc7569b5-c71a-4d04-ad0d-181b5d473f3f.vbs"6⤵PID:804
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d91a415c-11ae-42d8-9b68-fdeb8dc1b86b.vbs"8⤵PID:2268
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1772 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20e84794-3d45-4da9-b749-e07b506700ee.vbs"10⤵PID:4800
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:748 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4937b777-d3d9-4d04-9c44-7f322ad96971.vbs"12⤵PID:2060
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1692 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ea77e0a-1a55-431a-971a-fcd80c4942e6.vbs"14⤵PID:372
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1204 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e109e011-18e4-41be-8179-cf44a13437ee.vbs"16⤵PID:4480
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4092 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1143586-df1e-49fa-9a73-93afdd28e7a2.vbs"18⤵PID:4596
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4600 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a80a1860-dfe0-423e-b8d3-53c9907ca47c.vbs"20⤵PID:2900
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4920 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\632b36ee-2dea-418d-9679-04e3c8dd27aa.vbs"22⤵PID:3616
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4588 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f25a7ec-da30-47da-b9cf-c83f6c65a68d.vbs"24⤵PID:1548
-
C:\Recovery\WindowsRE\taskhostw.exeC:\Recovery\WindowsRE\taskhostw.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:748 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb739cd-e473-4103-b88d-de402c43f604.vbs"26⤵PID:3860
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c6eb04e-eab1-48bb-a943-171f90c8b718.vbs"26⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.exe"28⤵
- Executes dropped EXE
PID:4076
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0acbaaf0-1411-4860-aa5a-aa1a090e56fc.vbs"24⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\tmp5A1C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5A1C.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\tmp5A1C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5A1C.tmp.exe"25⤵
- Executes dropped EXE
PID:4704
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee841ddf-8352-4896-be43-3c86dc5d023b.vbs"22⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp.exe"23⤵
- Executes dropped EXE
PID:3872
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f52e056-4dad-4978-b106-7aa475d47371.vbs"20⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp.exe"21⤵
- Executes dropped EXE
PID:4300
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7daca7c9-7470-4c0a-b45e-21418b89218c.vbs"18⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\tmpDD99.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDD99.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\tmpDD99.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDD99.tmp.exe"19⤵
- Executes dropped EXE
PID:1596
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad05999a-5980-4d1a-9ccd-caaea20fa8d7.vbs"16⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\tmpC119.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC119.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\tmpC119.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC119.tmp.exe"17⤵
- Executes dropped EXE
PID:1364
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2848cca5-e6ff-40f4-b80d-6367331070b9.vbs"14⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\tmpA275.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA275.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\tmpA275.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA275.tmp.exe"15⤵
- Executes dropped EXE
PID:2288
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8419c9a1-9b6e-4613-9698-c1e7982af73f.vbs"12⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\tmp71EF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp71EF.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\tmp71EF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp71EF.tmp.exe"13⤵
- Executes dropped EXE
PID:2616
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\232ce704-b3d4-410d-a5ca-d06306173a18.vbs"10⤵PID:4912
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c666b21-be0c-4eb8-b6db-1662fda4454b.vbs"8⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\tmp22B6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp22B6.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\tmp22B6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp22B6.tmp.exe"9⤵
- Executes dropped EXE
PID:3408
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e87660a0-3319-4669-8567-eb55a4b41638.vbs"6⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\tmp6C1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6C1.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\tmp6C1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6C1.tmp.exe"7⤵
- Executes dropped EXE
PID:3712
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546c2075-5aac-47fb-879d-1c8536e02f57.vbs"4⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.exe"5⤵
- Executes dropped EXE
PID:5008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\MF\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MF\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\MF\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
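Three things in the process tree above deserve a rule rather than a glance. First, the nine schtasks.exe /create calls are children of wmiprvse.exe rather than of the sample (the report flags the unexpected parent), several run with /rl HIGHEST and minute-level triggers, and their /tr targets borrow the names of genuine Windows binaries (sppsvc.exe, taskhostw.exe, dwm.exe) in directories where those binaries never live: C:\Windows\DiagTrack, C:\Recovery\WindowsRE and C:\Users\All Users\Microsoft\MF (All Users is the junction to C:\ProgramData). Second, the eleven Add-MpPreference -ExclusionPath calls exclude the drive root and every top-level folder, which blinds Defender to whatever the later tmp*.tmp.exe stages drop (each of those relaunches a copy of itself with SetThreadContext, consistent with process hollowing). Third, w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 inside the batch file (the trailing 3 on that line is the tree-depth marker, not part of /samples) is a stock way to sleep for a few seconds before the dropped taskhostw.exe starts. The Python below is an added example and is not part of the report: it applies those three rules to a subset of the command lines copied from the tree. The list of system image names and the notion of a "top-level" exclusion are this example's assumptions.

```python
"""Flag the persistence, defence-evasion and delay commands in the report's
process tree.

Added example, not part of the sandbox report. COMMAND_LINES is a subset
copied from the tree above; the rules, SYSTEM_IMAGE_NAMES and the idea of a
"top-level" Defender exclusion are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

COMMAND_LINES = [
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\MF\dwm.exe'" /rl HIGHEST /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

# Genuine Windows image names the dropped copies imitate (assumed list; in
# production derive it from the files actually present under System32).
SYSTEM_IMAGE_NAMES = {"sppsvc.exe", "taskhostw.exe", "dwm.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

SCHTASKS_ARG = re.compile(r'/(tn|tr|sc|mo|rl)\s+("[^"]*"|\S+)', re.I)
EXCLUSION_ARG = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
# <drive>:\ or <drive>:\<one folder>\ : an exclusion that blinds Defender
# to everything under a top-level directory.
TOP_LEVEL = re.compile(r"^[a-z]:[\\/](?:[^\\/]+[\\/]?)?$", re.I)


def _unquote(s):
    # schtasks targets in the tree are wrapped twice: "'C:\...\x.exe'"
    return s.strip().strip('"').strip("'")


def check_schtasks(cmd):
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmd, re.I):
        return []
    args = {k.lower(): _unquote(v) for k, v in SCHTASKS_ARG.findall(cmd)}
    target = PureWindowsPath(args.get("tr", ""))
    name, parent, tn = target.name.lower(), str(target.parent).lower(), args.get("tn", "?")
    outside_system = not parent.startswith(SYSTEM_DIRS)
    findings = []
    if name in SYSTEM_IMAGE_NAMES and outside_system:
        findings.append(("masqueraded-task-target", f"{tn}: {target}"))
    if args.get("rl", "").upper() == "HIGHEST" and outside_system:
        findings.append(("highest-runlevel-user-path", f"{tn}: {target}"))
    if args.get("sc", "").upper() == "MINUTE":
        findings.append(("high-frequency-trigger", f"{tn}: every {args.get('mo', '1')} min"))
    return findings


def check_defender_exclusion(cmd):
    m = EXCLUSION_ARG.search(cmd)
    if not m:
        return []
    path = m.group(1)
    scope = "top-level" if TOP_LEVEL.match(path) else "path"
    return [(f"defender-exclusion-{scope}", path)]


def check_delay(cmd):
    # w32tm sampling the local clock does nothing useful; it is a sleep.
    if re.search(r"\bw32tm\b.*?/stripchart.*?/computer:localhost", cmd, re.I):
        return [("w32tm-as-sleep", cmd)]
    return []


def triage(command_lines):
    """Run every rule over every command line; returns (rule, detail) tuples."""
    findings = []
    for cmd in command_lines:
        findings += check_schtasks(cmd) + check_defender_exclusion(cmd) + check_delay(cmd)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(COMMAND_LINES):
        print(f"{rule:36} {detail}")
```

A task whose /tr points at the real C:\Windows\System32\taskhostw.exe produces no finding, and an exclusion deeper than one folder is reported as a plain path rather than top-level, so the rules stay quiet on ordinary administration. On a live host the equivalent checks are Get-ScheduledTask for the task actions and (Get-MpPreference).ExclusionPath for the exclusions.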
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Impair Defenses (1): Disable or Modify Tools (1)
Modify Registry (2)
Downloads
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize 944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize 944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize 711B
MD5 18f2681d7ead4ff010e9038233ef3de5
SHA1 355e4c8ac4492310503889b31eead7f66893230a
SHA256 49d2d4206630ff7d9130fd37e0b9852ea42c98eb18b845b540ed2da15bdd4173
SHA512 f9c82a43ea41077ccf48251b5ea17e584af6ca580330e29c2fd035763310f8c64e748b999b89eae58d3ba5110f2c12fc6689b2636dfc9d71d70e6efd6199eb66
-
Filesize 711B
MD5 89b4747146ade6c35bebadbbe05ff86f
SHA1 a2157cf60030222108fc8c0af529b0826ab27735
SHA256 dc40f60e899303f62d955b0ae049c2dc27817ab70821f730524042075aa98bb9
SHA512 a2197060febcc31441a7ee05053ba27330b3a108f47f88909cdcab536b7ed2b7d79c01c6fcb31f2f6ca6d16ca39a936ee8fdec1c6924ac90ebb9fa3b3ed914a6
-
Filesize 711B
MD5 250d99618db908ef4bfad702bb5a6957
SHA1 89220c03184357e4963fe0eceeedcc94fb544907
SHA256 78a99aaf638e73a2ed53c1478610e1cd585010f7c8806e39bdc1ace853dfdbd8
SHA512 3cd82c3d14d7a9daf4d3c08fcc3bfa5f0d4ed737b0715b43441c48f2398ce2e15d2bd7f9880116bc1d2f04ec10fb22c616f7fbee2427b22c0d0ceab68ddb9314
-
Filesize 710B
MD5 f32a5ca566c5f1aad9c8c9a7dc4395e6
SHA1 bbb6489d4b8dced5672e82fcdf64575de7c05fd1
SHA256 bb15212810a92d6836d65251bfb6390997b24e2e581bfe5e65a51b855d021ac6
SHA512 5a7c143713b407ffbd58bc9ab7516e10ef5759877ba38a3801eae87a8633571f5cbca3960202f71c6252d2484f4a481e1b78a1482949ce99fbbd828a540aaba1
-
Filesize 487B
MD5 42054d4224f7d8db5a3c36f0f1698af2
SHA1 2fb8698cdf64f533fe4871377ad6f6abb44a7a4a
SHA256 e180a98ccb342bd63306287d0bdcb9042c44260ada0da3df9e208ac3ba0324f7
SHA512 dfd8562e5cc074d107f81115f340fe1e7444b9842c1cc2a97e26c58c6a48ed9e0073a3a47fa1fb0255c48fdf524ed0a59a306a0597dddf3a7d07799507f25a77
-
Filesize 200B
MD5 8119755ae4102c6248efad9eed17e564
SHA1 f492d936c24276a56e287cbd622b2319d1d1834c
SHA256 ba7879b0f402503076330e6cc863dcf9881e4b0eb20a08f4736f41192e51e6e9
SHA512 39f884e9e0a1ae5ec964283f88c1f7c65cad9a1211fbcc44e9578ca05bf7febaefcaadee617c18144b03d2370777fb7958d1d63886a7879396d032825f111049
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 711B
MD5 d0b1354a91ed316c4f4cd224cada84b4
SHA1 bff4e4b4e86e142101124d60477e00ec33d318a7
SHA256 50191115505cb1c0b19d74d1902cf12a653f6e438f134c53be4ce4592b3fe4cc
SHA512 c2fadbf14aa22b203a8c586eab25cb91491797d860b3116be53667ec4cfef24cd416f130ff5dd65f507dedad3a473afcfc5d1fa63452601bd6aca2c337d21adc
-
Filesize 711B
MD5 0b12697af8882fcef963894232b9d15b
SHA1 33ced13a699bb90473ff5bbc2b03d4ffd45d5b47
SHA256 cab1c63e5b53d8466a211b4d7283f02e69c4479c646e0f1533f10feb3a396cb6
SHA512 d8fcc4c049573997316a5128e9769c02a50dbf4baab68f07582ae5b48dadfd5a82354dc93ba3eccb4e8c0f5796c63cd780a3640398c1792a91f3f302b9fa74b3
-
Filesize 711B
MD5 ac622de64a4c7c2e4d292b4baf3654ac
SHA1 e246f4a412937e372a3887113d695a2283da051f
SHA256 aa05a40c73fa230baa4fed2c5e446a2189b69fbac799968d813e899b1e5f9593
SHA512 4589277d56f7e4f4f6f0b661d2234586125cb8daa59d3cd1b8a3f4e5be5b1ac18f8e4adffe17398e485706753a5b158d7a1678e2548625a0bb9fea988db5124d
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize 4.9MB
MD5 2e427fad65a1acee051224babed62e00
SHA1 9f01f207c5213f3adf2d0ddd0806135c96e03d84
SHA256 6e5aad0db5a6d82f3aadef1cd9856462367d2abc7da9e23adb90e6c738b830f0
SHA512 6c26bd4fa1a96c9a5d78bdd71b707d3f553d04f462a35fc5ad34c229fd9cb7dfac2d3e409a7b2562541a785c32c881b27b2ff94eccc8a5e9a555945be9f7cc3b