Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 14-10-2024 05:22
Static task: static1
Behavioral task: behavioral1
Sample: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Resource: win7-20240903-en
General
- Target: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
- Size: 4.9MB
- MD5: 028bdc90907407e6347ed647ec3a4520
- SHA1: a4666b332fa2086a2367fca57e8f8516f661703f
- SHA256: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
- SHA512: a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e
- SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3604 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 828 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1080 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3820 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3312 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 832 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5016 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4352 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 452 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4652 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4492 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3476 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4628 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3480 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3000 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 912 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 624 | 2112 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2112 | schtasks.exe | 86
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
resource | yara_rule
behavioral2/memory/2412-2-0x000000001BA50000-0x000000001BB7E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3448 | powershell.exe
4560 | powershell.exe
4476 | powershell.exe
1104 | powershell.exe
1036 | powershell.exe
3124 | powershell.exe
1432 | powershell.exe
4140 | powershell.exe
544 | powershell.exe
1404 | powershell.exe
432 | powershell.exe
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Executes dropped EXE 47 IoCs
pid | Process
3732 | tmpBF4C.tmp.exe
3908 | tmpBF4C.tmp.exe
4716 | winlogon.exe
892 | tmpFD2C.tmp.exe
956 | tmpFD2C.tmp.exe
3944 | winlogon.exe
5088 | tmp2C7A.tmp.exe
4472 | tmp2C7A.tmp.exe
2216 | winlogon.exe
2348 | tmp5B89.tmp.exe
1280 | tmp5B89.tmp.exe
1060 | winlogon.exe
3448 | tmp8B72.tmp.exe
3056 | tmp8B72.tmp.exe
2888 | winlogon.exe
1772 | tmpB9C6.tmp.exe
4624 | tmpB9C6.tmp.exe
2716 | winlogon.exe
2436 | tmpD5F8.tmp.exe
2216 | tmpD5F8.tmp.exe
3636 | tmpD5F8.tmp.exe
2792 | tmpD5F8.tmp.exe
1920 | winlogon.exe
4112 | tmpF0C4.tmp.exe
3180 | tmpF0C4.tmp.exe
5044 | winlogon.exe
832 | tmp20BD.tmp.exe
1556 | tmp20BD.tmp.exe
4084 | tmp20BD.tmp.exe
3820 | tmp20BD.tmp.exe
2340 | winlogon.exe
2792 | tmp5172.tmp.exe
2052 | tmp5172.tmp.exe
1616 | winlogon.exe
1252 | tmp8207.tmp.exe
4804 | tmp8207.tmp.exe
2688 | winlogon.exe
3848 | tmp9D5F.tmp.exe
4720 | tmp9D5F.tmp.exe
1120 | winlogon.exe
2016 | tmpB9E0.tmp.exe
1780 | tmpB9E0.tmp.exe
1896 | tmpB9E0.tmp.exe
940 | winlogon.exe
4912 | tmpEAF3.tmp.exe
3532 | tmpEAF3.tmp.exe
3028 | winlogon.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Suspicious use of SetThreadContext 14 IoCs
description | pid | Process | procid_target
PID 3732 set thread context of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 892 set thread context of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 5088 set thread context of 4472 | 5088 | tmp2C7A.tmp.exe | 176
PID 2348 set thread context of 1280 | 2348 | tmp5B89.tmp.exe | 186
PID 3448 set thread context of 3056 | 3448 | tmp8B72.tmp.exe | 196
PID 1772 set thread context of 4624 | 1772 | tmpB9C6.tmp.exe | 205
PID 3636 set thread context of 2792 | 3636 | tmpD5F8.tmp.exe | 215
PID 4112 set thread context of 3180 | 4112 | tmpF0C4.tmp.exe | 224
PID 4084 set thread context of 3820 | 4084 | tmp20BD.tmp.exe | 235
PID 2792 set thread context of 2052 | 2792 | tmp5172.tmp.exe | 244
PID 1252 set thread context of 4804 | 1252 | tmp8207.tmp.exe | 254
PID 3848 set thread context of 4720 | 3848 | tmp9D5F.tmp.exe | 264
PID 1780 set thread context of 1896 | 1780 | tmpB9E0.tmp.exe | 274
PID 4912 set thread context of 3532 | 4912 | tmpEAF3.tmp.exe | 283
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Mail\9e8d7a4ca61bd9 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCXC19F.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\Windows Security\RuntimeBroker.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\Windows Mail\RuntimeBroker.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\cc11b995f2a76d | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Windows Security\RCXBAB6.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Windows Mail\RuntimeBroker.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCXCF03.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Windows Security\RuntimeBroker.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\7-Zip\Lang\ee2ad38f3d4382 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\7-Zip\Lang\Registry.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RCXC635.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\Windows Security\9e8d7a4ca61bd9 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files\7-Zip\Lang\Registry.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Program Files\Windows Mail\RCXCCEF.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Media\Sonata\csrss.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Windows\L2Schemas\Idle.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Windows\Media\Sonata\RCXD81F.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Windows\Media\Sonata\csrss.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Windows\ServiceState\SEMgrSvc\Data\sysmon.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Windows\L2Schemas\Idle.exe | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Windows\L2Schemas\6ccacd8608530f | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created | C:\Windows\Media\Sonata\886983d96e3d3e | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification | C:\Windows\L2Schemas\RCXD185.tmp | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9D5F.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB9E0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpEAF3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBF4C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB9C6.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8207.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2C7A.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF0C4.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp20BD.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpD5F8.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpD5F8.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB9E0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5B89.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8B72.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpD5F8.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5172.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpFD2C.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp20BD.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp20BD.tmp.exe
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | winlogon.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3604 | schtasks.exe
2360 | schtasks.exe
4536 | schtasks.exe
4652 | schtasks.exe
1960 | schtasks.exe
3476 | schtasks.exe
828 | schtasks.exe
5048 | schtasks.exe
2956 | schtasks.exe
2608 | schtasks.exe
2964 | schtasks.exe
748 | schtasks.exe
2364 | schtasks.exe
3820 | schtasks.exe
2952 | schtasks.exe
4352 | schtasks.exe
1200 | schtasks.exe
3164 | schtasks.exe
4628 | schtasks.exe
2868 | schtasks.exe
2044 | schtasks.exe
1772 | schtasks.exe
1080 | schtasks.exe
4796 | schtasks.exe
2056 | schtasks.exe
3008 | schtasks.exe
2552 | schtasks.exe
912 | schtasks.exe
5036 | schtasks.exe
4492 | schtasks.exe
3480 | schtasks.exe
3000 | schtasks.exe
624 | schtasks.exe
4184 | schtasks.exe
3024 | schtasks.exe
3312 | schtasks.exe
2844 | schtasks.exe
832 | schtasks.exe
5016 | schtasks.exe
452 | schtasks.exe
2624 | schtasks.exe
1764 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
1036 | powershell.exe
1036 | powershell.exe
4140 | powershell.exe
4140 | powershell.exe
4560 | powershell.exe
4560 | powershell.exe
1432 | powershell.exe
1432 | powershell.exe
3124 | powershell.exe
3124 | powershell.exe
3448 | powershell.exe
3448 | powershell.exe
544 | powershell.exe
544 | powershell.exe
4476 | powershell.exe
4476 | powershell.exe
1404 | powershell.exe
1404 | powershell.exe
432 | powershell.exe
432 | powershell.exe
1104 | powershell.exe
1104 | powershell.exe
1432 | powershell.exe
1104 | powershell.exe
4560 | powershell.exe
4140 | powershell.exe
3124 | powershell.exe
1036 | powershell.exe
4476 | powershell.exe
432 | powershell.exe
3448 | powershell.exe
544 | powershell.exe
1404 | powershell.exe
4716 | winlogon.exe
3944 | winlogon.exe
2216 | winlogon.exe
1060 | winlogon.exe
2888 | winlogon.exe
2716 | winlogon.exe
1920 | winlogon.exe
5044 | winlogon.exe
2340 | winlogon.exe
1616 | winlogon.exe
2688 | winlogon.exe
1120 | winlogon.exe
940 | winlogon.exe
3028 | winlogon.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Token: SeDebugPrivilege | 1036 | powershell.exe
Token: SeDebugPrivilege | 4140 | powershell.exe
Token: SeDebugPrivilege | 4560 | powershell.exe
Token: SeDebugPrivilege | 4476 | powershell.exe
Token: SeDebugPrivilege | 1432 | powershell.exe
Token: SeDebugPrivilege | 3124 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 3448 | powershell.exe
Token: SeDebugPrivilege | 544 | powershell.exe
Token: SeDebugPrivilege | 1404 | powershell.exe
Token: SeDebugPrivilege | 1104 | powershell.exe
Token: SeDebugPrivilege | 4716 | winlogon.exe
Token: SeDebugPrivilege | 3944 | winlogon.exe
Token: SeDebugPrivilege | 2216 | winlogon.exe
Token: SeDebugPrivilege | 1060 | winlogon.exe
Token: SeDebugPrivilege | 2888 | winlogon.exe
Token: SeDebugPrivilege | 2716 | winlogon.exe
Token: SeDebugPrivilege | 1920 | winlogon.exe
Token: SeDebugPrivilege | 5044 | winlogon.exe
Token: SeDebugPrivilege | 2340 | winlogon.exe
Token: SeDebugPrivilege | 1616 | winlogon.exe
Token: SeDebugPrivilege | 2688 | winlogon.exe
Token: SeDebugPrivilege | 1120 | winlogon.exe
Token: SeDebugPrivilege | 940 | winlogon.exe
Token: SeDebugPrivilege | 3028 | winlogon.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 3732 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 129
PID 2412 wrote to memory of 3732 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 129
PID 2412 wrote to memory of 3732 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 129
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 3732 wrote to memory of 3908 | 3732 | tmpBF4C.tmp.exe | 131
PID 2412 wrote to memory of 1104 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 133
PID 2412 wrote to memory of 1104 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 133
PID 2412 wrote to memory of 1036 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 134
PID 2412 wrote to memory of 1036 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 134
PID 2412 wrote to memory of 3448 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 135
PID 2412 wrote to memory of 3448 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 135
PID 2412 wrote to memory of 4560 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 136
PID 2412 wrote to memory of 4560 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 136
PID 2412 wrote to memory of 3124 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 137
PID 2412 wrote to memory of 3124 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 137
PID 2412 wrote to memory of 1432 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 138
PID 2412 wrote to memory of 1432 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 138
PID 2412 wrote to memory of 4140 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 139
PID 2412 wrote to memory of 4140 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 139
PID 2412 wrote to memory of 4476 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 140
PID 2412 wrote to memory of 4476 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 140
PID 2412 wrote to memory of 544 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 141
PID 2412 wrote to memory of 544 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 141
PID 2412 wrote to memory of 1404 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 142
PID 2412 wrote to memory of 1404 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 142
PID 2412 wrote to memory of 432 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 143
PID 2412 wrote to memory of 432 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 143
PID 2412 wrote to memory of 3172 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 154
PID 2412 wrote to memory of 3172 | 2412 | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | 154
PID 3172 wrote to memory of 568 | 3172 | cmd.exe | 157
PID 3172 wrote to memory of 568 | 3172 | cmd.exe | 157
PID 3172 wrote to memory of 4716 | 3172 | cmd.exe | 159
PID 3172 wrote to memory of 4716 | 3172 | cmd.exe | 159
PID 4716 wrote to memory of 1556 | 4716 | winlogon.exe | 161
PID 4716 wrote to memory of 1556 | 4716 | winlogon.exe | 161
PID 4716 wrote to memory of 3936 | 4716 | winlogon.exe | 162
PID 4716 wrote to memory of 3936 | 4716 | winlogon.exe | 162
PID 4716 wrote to memory of 892 | 4716 | winlogon.exe | 163
PID 4716 wrote to memory of 892 | 4716 | winlogon.exe | 163
PID 4716 wrote to memory of 892 | 4716 | winlogon.exe | 163
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 892 wrote to memory of 956 | 892 | tmpFD2C.tmp.exe | 165
PID 1556 wrote to memory of 3944 | 1556 | WScript.exe | 168
PID 1556 wrote to memory of 3944 | 1556 | WScript.exe | 168
PID 3944 wrote to memory of 1612 | 3944 | winlogon.exe | 171
PID 3944 wrote to memory of 1612 | 3944 | winlogon.exe | 171
PID 3944 wrote to memory of 1956 | 3944 | winlogon.exe | 172
PID 3944 wrote to memory of 1956 | 3944 | winlogon.exe | 172
PID 3944 wrote to memory of 5088 | 3944 | winlogon.exe | 174
PID 3944 wrote to memory of 5088 | 3944 | winlogon.exe | 174
PID 3944 wrote to memory of 5088 | 3944 | winlogon.exe | 174
PID 5088 wrote to memory of 4472 | 5088 | tmp2C7A.tmp.exe | 176
PID 5088 wrote to memory of 4472 | 5088 | tmp2C7A.tmp.exe | 176
PID 5088 wrote to memory of 4472 | 5088 | tmp2C7A.tmp.exe | 176

System policy modification 1 TTPs 45 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe

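The 45 registry writes above all land on the same three values under Policies\System, and all set them to 0. That combination switches UAC off at the next boot (EnableLUA), lets administrator tokens elevate with no prompt in the meantime (ConsentPromptBehaviorAdmin), and moves any prompt that does appear off the secure desktop (PromptOnSecureDesktop). The following PowerShell is an added triage check, not part of the sandbox output: it compares the live values with Windows 10 defaults, labels each zero with what it does, and, where Sysmon is installed, recovers which image wrote them from Sysmon event 13 (RegistryEvent: Value Set). The hashtable of zeros is constructed from this report so the evaluation can be exercised offline; Sysmon's presence and default channel name are assumptions.

```powershell
# Added example (not part of the sandbox report): audit the three UAC policy
# values this sample and its winlogon.exe copies set to 0, and, where Sysmon is
# present, recover which image wrote them.
# Assumptions: run elevated on the host under triage; Sysmon, if installed,
# logs RegistryEvent (Value Set) as event ID 13 to its default channel. The
# $ReportValues hashtable is constructed from this report for offline use.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows 10 defaults and what a value of 0 means for each setting.
$Expected = @{
    EnableLUA                  = @{ Default = 1; Zero = 'UAC switched off; every admin-token process runs fully elevated after the next boot' }
    ConsentPromptBehaviorAdmin = @{ Default = 5; Zero = 'administrators elevate without any prompt' }
    PromptOnSecureDesktop      = @{ Default = 1; Zero = 'elevation prompts drawn on the interactive desktop, where other processes can spoof them' }
}

# Values exactly as this report shows them being written.
$ReportValues = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }

function Get-UacPolicyFindings {
    param([hashtable]$Values)
    if (-not $Values) {
        # No input given: read the live machine.
        $Values = @{}
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        foreach ($name in $Expected.Keys) { $Values[$name] = $props.$name }
    }
    foreach ($name in $Expected.Keys) {
        $current = $Values[$name]
        $status  = 'ok'
        $meaning = ''
        if ($null -eq $current) {
            $shown = '<absent: built-in default applies>'
        } else {
            $shown = $current
            if ($current -eq 0) {
                $status  = 'WEAKENED'
                $meaning = $Expected[$name].Zero
            } elseif ($current -ne $Expected[$name].Default) {
                $status = 'non-default'
            }
        }
        [pscustomobject]@{
            Value   = $name
            Current = $shown
            Default = $Expected[$name].Default
            Status  = $status
            Meaning = $meaning
        }
    }
}

function Get-UacPolicyWrites {
    # Sysmon event 13 records Image, ProcessId, TargetObject and Details for
    # each registry value set. Returns nothing if the Sysmon channel is absent.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetObject -match 'Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Image   = $d.Image
                Pid     = $d.ProcessId
                Target  = $d.TargetObject
                Details = $d.Details
            }
        }
    }
}

# Offline evaluation of the report's values, then the live host.
Get-UacPolicyFindings -Values $ReportValues | Format-Table -AutoSize
Get-UacPolicyFindings                        | Format-Table -AutoSize
Get-UacPolicyWrites                          | Format-Table -AutoSize
```

Restoring the defaults is a `Set-ItemProperty` on the same key, but EnableLUA only takes effect after a reboot, so a host that shows EnableLUA = 0 should be treated as fully un-UAC'd until it has been restarted with the value back at 1.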
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
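Before persisting, PID 2412 spawns eleven powershell.exe children (listed under the process tree below), each running Add-MpPreference -ExclusionPath against one top-level directory, from 'C:/' down to 'C:/Windows/'. The 'C:/' entry alone already excludes the whole volume from Defender scanning; the other ten are redundant with it. The PowerShell below is an added triage check and not part of the report: it rates each exclusion by path depth, recovers when exclusions changed from Defender's own event 5007 ("configuration changed"), and offers a guarded removal. It assumes the Defender cmdlets are available, that event 5007 in Microsoft-Windows-Windows Defender/Operational carries the changed registry value in its message text, and it reuses the report's eleven paths as constructed input so the depth test runs offline.

```powershell
# Added example (not part of the sandbox report): audit Microsoft Defender path
# exclusions for the kind this sample adds, and pull Defender's own record of
# when exclusions changed.
# Assumptions: run elevated on the host under triage; the Defender module
# (Get-MpPreference / Remove-MpPreference) is available; event ID 5007 in the
# Microsoft-Windows-Windows Defender/Operational log carries the changed
# registry value in its message text. $ReportPaths is constructed from this
# report so the depth test can be exercised offline.

$ReportPaths = @(
    'C:/', 'C:/$Recycle.Bin/', 'C:/Documents and Settings/', 'C:/PerfLogs/',
    'C:/Program Files/', 'C:/Program Files (x86)/', 'C:/ProgramData/',
    'C:/Recovery/', 'C:/System Volume Information/', 'C:/Users/', 'C:/Windows/'
)

function Get-BroadExclusions {
    # Depth 0 = a drive root, depth 1 = a first-level directory. Either one
    # switches scanning off for everything beneath it.
    param([string[]]$Paths = (Get-MpPreference).ExclusionPath)
    foreach ($p in $Paths) {
        # The sample used forward slashes; normalize before measuring depth so
        # the verdict does not depend on separator style.
        $norm  = ($p -replace '/', '\').TrimEnd('\')
        $depth = ($norm -split '\\').Count - 1
        $verdict = 'review'
        if ($depth -le 1) { $verdict = 'BROAD: whole tree unscanned' }
        [pscustomobject]@{ Exclusion = $p; Normalized = $norm; Depth = $depth; Verdict = $verdict }
    }
}

function Get-ExclusionChangeEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        ForEach-Object {
            # 5007 messages end with "New value: HKLM\...\Exclusions\Paths\<path> = 0x0"
            $newValue = $_.Message
            if ($_.Message -match 'New value:\s*(.+?)\s*$') { $newValue = $Matches[1] }
            [pscustomobject]@{ Time = $_.TimeCreated; NewValue = $newValue }
        }
}

function Remove-BroadExclusions {
    # Removes the broad entries found on the live configuration. Nothing is
    # changed unless -Apply is given.
    param([switch]$Apply)
    $broad = Get-BroadExclusions | Where-Object Verdict -like 'BROAD*'
    foreach ($b in $broad) {
        if ($Apply) { Remove-MpPreference -ExclusionPath $b.Exclusion }
        else        { Write-Host "would remove exclusion: $($b.Exclusion)" }
    }
}

# Offline demonstration on the constructed list, then the live checks.
Get-BroadExclusions -Paths $ReportPaths | Format-Table -AutoSize
Get-BroadExclusions                      | Format-Table -AutoSize
Get-ExclusionChangeEvents                | Format-Table -AutoSize
Remove-BroadExclusions
```

Event 5007 does not name the process that made the change; correlating its timestamp with process-creation telemetry (the powershell.exe children of PID 2412 in this tree) is what ties the exclusions back to the dropper.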
Processes (tree depth in brackets; each process is listed beneath its parent)

[1] C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2412

[2] C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3732

[3] C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe"
    - Executes dropped EXE
    PID: 3908

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1104

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1036

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3448

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4560

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3124

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1432

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4140

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4476

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 544

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1404

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 432

[2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gIs0BZ0kRQ.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3172

[3] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 568

[3] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 4716

[4] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a8787b8-388e-4af3-8338-915e70aabe0a.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 1556

[5] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 3944

[6] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3abf6c4-8980-46b0-b33e-105781fc263d.vbs"
    PID: 1612

[7] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 2216

[8] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c447d91-e929-424b-bdca-65bb693e57a6.vbs"
    PID: 2428

[9] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 1060

[10] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648d6337-d433-427f-9994-e63c897d4118.vbs"
    PID: 832

[11] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 2888

[12] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088aa34f-6c9d-4f57-bb04-7eaab1df9bce.vbs"
    PID: 4012

[13] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 2716

[14] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f66b5e8-99f3-465d-9b50-3fed43676c36.vbs"
    PID: 3008

[15] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 1920

[16] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9a3f0b-0689-4243-8f6f-0088f209b745.vbs"
    PID: 4380

[17] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 5044

[18] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b65ef64-7149-4fd3-ad7d-f19441c06d84.vbs"
    PID: 2696

[19] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 2340

[20] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a236869-731b-4930-ab15-683f9a64069b.vbs"
    PID: 4304

[21] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 1616

[22] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\383a00f2-bc0c-49de-a8ba-2a0eb5fb550e.vbs"
    PID: 816

[23] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 2688

[24] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0532af16-57b7-4f31-a747-8605c7c7df68.vbs"
    PID: 3088

[25] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 1120

[26] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1262d666-1894-4af5-8307-b2bb2cee90fc.vbs"
    PID: 3312

[27] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 940

[28] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1ee020-e308-4c1f-b3d1-10f6acf54922.vbs"
    PID: 3112

[29] C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
    command line: "C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 3028

[28] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390414c6-e573-4e87-8c71-5b13c5f395d0.vbs"
    PID: 376

[28] C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 4912

[29] C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe"
    - Executes dropped EXE
    PID: 3532

[26] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22584939-b13f-4e58-b0ea-7fa62d68bc34.vbs"
    PID: 912

[26] C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2016

[27] C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1780

[28] C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"
    - Executes dropped EXE
    PID: 1896

[24] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d8d9df-a2f4-43c9-84bc-daefa5784ba1.vbs"
    PID: 4436

[24] C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 3848

[25] C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe"
    - Executes dropped EXE
    PID: 4720

[22] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0934eac-1c6c-4e2e-b9f9-d400a8b1a547.vbs"
    PID: 4260

[22] C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1252

[23] C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe"
    - Executes dropped EXE
    PID: 4804

[20] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db403960-4c76-449c-8d19-0eb1a4976926.vbs"
    PID: 1792

[20] C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2792

[21] C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe"
    - Executes dropped EXE
    PID: 2052

[18] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b1bd83f-0fab-4e53-9b7c-4091ba59d7f2.vbs"
    PID: 2184

[18] C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 832

[19] C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1556

[20] C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 4084

[21] C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"
    - Executes dropped EXE
    PID: 3820

[16] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a8ac9e-7323-41a6-8774-bd75bbc72f84.vbs"
    PID: 3284

[16] C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 4112

[17] C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe"
    - Executes dropped EXE
    PID: 3180

[14] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f3d6b0d-64fb-467a-af5b-40bd4adee15b.vbs"
    PID: 5068

[14] C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2436

[15] C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2216

[16] C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 3636

[17] C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"
    - Executes dropped EXE
    PID: 2792

[12] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2f8794e-a669-47d2-935f-ab35264b613f.vbs"
    PID: 2220

[12] C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1772

[13] C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe"
    - Executes dropped EXE
    PID: 4624

[10] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53de6aae-eb70-4b66-9e1c-cc2191c63b0e.vbs"
    PID: 2684

[10] C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 3448

[11] C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe"
    - Executes dropped EXE
    PID: 3056

[8] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daf2fed0-d545-4d5f-be6e-332d387dca02.vbs"
    PID: 3132

[8] C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2348

[9] C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe"
    - Executes dropped EXE
    PID: 1280

[6] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02600fd-e831-4e6a-be81-5399ebae31da.vbs"
    PID: 1956

[6] C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5088

[7] C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe"
    - Executes dropped EXE
    PID: 4472

[4] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e013e806-1484-4989-a52e-151653aa297f.vbs"
    PID: 3936

[4] C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 892

[5] C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe"
    - Executes dropped EXE
    PID: 956

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 828

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3604

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3008

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1080

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2364

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2360

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4536

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4184

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3820

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3312

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3024

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2952

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2552

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2844

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 832

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4796

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5036

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5016

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4352

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 452

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5048

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2956

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1200

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4652

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1960

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4492

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3164

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3476

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4628

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3480

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2964

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2868

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 748

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3000

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2044

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 912

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2624

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1772

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1764

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 624

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2056
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads