Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 06:19
Static task
static1
Behavioral task
behavioral1
Sample
e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Resource
win7-20240903-en
General
-
Target
e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
-
Size
4.9MB
-
MD5
7f124e1fb3980bc3871284f7baed824c
-
SHA1
7f0ab3d0a1ae21c5dd3a737055ddd5c67093d252
-
SHA256
e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2
-
SHA512
2d7f6197e317e91b5a7c07c5cbe0ae1964a955f88a0d4d5cec76111474c9aaaddd692b4555d1beec9061c00d1c13ccf92e1f4d3db26a06672997028e155c8f49
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4632 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5004 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3400 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 868 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 788 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3420 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 928 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4780 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3188 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3788 2040 schtasks.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 2040 schtasks.exe 85 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe -
resource yara_rule behavioral2/memory/184-2-0x000000001BB70000-0x000000001BC9E000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1792 powershell.exe 5004 powershell.exe 1232 powershell.exe 4448 powershell.exe 3400 powershell.exe 3052 powershell.exe 2000 powershell.exe 2540 powershell.exe 1744 powershell.exe 868 powershell.exe 560 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation csrss.exe -
Executes dropped EXE 50 IoCs
pid Process 2584 tmp8486.tmp.exe 640 tmp8486.tmp.exe 1632 csrss.exe 2056 tmpB6AD.tmp.exe 3400 tmpB6AD.tmp.exe 2156 tmpB6AD.tmp.exe 860 tmpB6AD.tmp.exe 4448 csrss.exe 1924 tmpD30F.tmp.exe 3620 tmpD30F.tmp.exe 2144 csrss.exe 1932 tmp20E.tmp.exe 2100 tmp20E.tmp.exe 2908 tmp20E.tmp.exe 1424 csrss.exe 3544 tmp1E70.tmp.exe 2320 tmp1E70.tmp.exe 4236 tmp1E70.tmp.exe 2596 csrss.exe 4116 tmp6165.tmp.exe 2908 tmp6165.tmp.exe 1300 csrss.exe 1240 tmp7DE5.tmp.exe 3668 tmp7DE5.tmp.exe 2504 csrss.exe 2304 tmp99DA.tmp.exe 2100 tmp99DA.tmp.exe 60 csrss.exe 4348 tmpB532.tmp.exe 4068 tmpB532.tmp.exe 2616 csrss.exe 2324 tmpCFCE.tmp.exe 776 tmpCFCE.tmp.exe 2660 csrss.exe 5060 csrss.exe 3528 tmp1999.tmp.exe 2616 tmp1999.tmp.exe 2732 csrss.exe 4032 tmp356E.tmp.exe 4380 tmp356E.tmp.exe 2404 csrss.exe 3332 tmp64EA.tmp.exe 4256 tmp64EA.tmp.exe 3400 csrss.exe 3316 tmp7FF4.tmp.exe 1068 tmp7FF4.tmp.exe 4128 csrss.exe 4828 tmpAFED.tmp.exe 3124 tmpAFED.tmp.exe 4728 csrss.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe -
Suspicious use of SetThreadContext 15 IoCs
description pid Process procid_target PID 2584 set thread context of 640 2584 tmp8486.tmp.exe 116 PID 2156 set thread context of 860 2156 tmpB6AD.tmp.exe 159 PID 1924 set thread context of 3620 1924 tmpD30F.tmp.exe 169 PID 2100 set thread context of 2908 2100 tmp20E.tmp.exe 185 PID 2320 set thread context of 4236 2320 tmp1E70.tmp.exe 196 PID 4116 set thread context of 2908 4116 tmp6165.tmp.exe 205 PID 1240 set thread context of 3668 1240 tmp7DE5.tmp.exe 214 PID 2304 set thread context of 2100 2304 tmp99DA.tmp.exe 223 PID 4348 set thread context of 4068 4348 tmpB532.tmp.exe 233 PID 2324 set thread context of 776 2324 tmpCFCE.tmp.exe 242 PID 3528 set thread context of 2616 3528 tmp1999.tmp.exe 261 PID 4032 set thread context of 4380 4032 tmp356E.tmp.exe 271 PID 3332 set thread context of 4256 3332 tmp64EA.tmp.exe 282 PID 3316 set thread context of 1068 3316 tmp7FF4.tmp.exe 292 PID 4828 set thread context of 3124 4828 tmpAFED.tmp.exe 301 -
Drops file in Program Files directory 20 IoCs
description ioc Process File created C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files\7-Zip\Lang\lsass.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files (x86)\Windows Mail\upfc.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files (x86)\Windows Mail\ea1d8f6d871115 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files\Crashpad\csrss.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files (x86)\Windows Mail\RCX894A.tmp e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files (x86)\Windows Mail\upfc.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files\7-Zip\Lang\6203df4a6bafc7 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files (x86)\Windows Media Player\Network Sharing\38384e6a620884 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files\Crashpad\886983d96e3d3e e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\7-Zip\Lang\lsass.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\Crashpad\RCX8B5F.tmp e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\Crashpad\csrss.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File created C:\Program Files (x86)\Windows Media Player\Network Sharing\SearchApp.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX7FFE.tmp e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files\7-Zip\Lang\RCX8222.tmp e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX8437.tmp e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\SearchApp.exe e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp64EA.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp6165.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp7DE5.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp99DA.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpCFCE.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp356E.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp7FF4.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB6AD.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp20E.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1E70.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1E70.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1999.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp8486.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB6AD.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpD30F.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB532.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB6AD.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp20E.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpAFED.tmp.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings csrss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1412 schtasks.exe 4328 schtasks.exe 1996 schtasks.exe 3188 schtasks.exe 3788 schtasks.exe 1232 schtasks.exe 560 schtasks.exe 3420 schtasks.exe 2304 schtasks.exe 4976 schtasks.exe 4632 schtasks.exe 5004 schtasks.exe 3400 schtasks.exe 860 schtasks.exe 4780 schtasks.exe 3036 schtasks.exe 4640 schtasks.exe 868 schtasks.exe 788 schtasks.exe 2868 schtasks.exe 2688 schtasks.exe 3496 schtasks.exe 928 schtasks.exe 2208 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 1232 powershell.exe 1232 powershell.exe 2540 powershell.exe 2540 powershell.exe 868 powershell.exe 868 powershell.exe 1792 powershell.exe 1792 powershell.exe 2000 powershell.exe 2000 powershell.exe 560 powershell.exe 560 powershell.exe 3400 powershell.exe 3400 powershell.exe 3052 powershell.exe 3052 powershell.exe 4448 powershell.exe 4448 powershell.exe 1744 powershell.exe 1744 powershell.exe 5004 powershell.exe 5004 powershell.exe 3052 powershell.exe 3400 powershell.exe 1792 powershell.exe 868 powershell.exe 1232 powershell.exe 1232 powershell.exe 2000 powershell.exe 2540 powershell.exe 2540 powershell.exe 560 powershell.exe 4448 powershell.exe 1744 powershell.exe 5004 powershell.exe 1632 csrss.exe 4448 csrss.exe 2144 csrss.exe 1424 csrss.exe 2596 csrss.exe 1300 csrss.exe 2504 csrss.exe 60 csrss.exe 2616 csrss.exe 2660 csrss.exe 2660 csrss.exe 5060 csrss.exe 5060 csrss.exe 2732 csrss.exe 2732 csrss.exe 2404 csrss.exe 2404 csrss.exe 3400 csrss.exe 3400 csrss.exe 4128 csrss.exe 4128 csrss.exe 4728 csrss.exe 4728 csrss.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Token: SeDebugPrivilege 1232 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeDebugPrivilege 3400 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 560 powershell.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 4448 powershell.exe Token: SeDebugPrivilege 1744 powershell.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 1632 csrss.exe Token: SeDebugPrivilege 4448 csrss.exe Token: SeDebugPrivilege 2144 csrss.exe Token: SeDebugPrivilege 1424 csrss.exe Token: SeDebugPrivilege 2596 csrss.exe Token: SeDebugPrivilege 1300 csrss.exe Token: SeDebugPrivilege 2504 csrss.exe Token: SeDebugPrivilege 60 csrss.exe Token: SeDebugPrivilege 2616 csrss.exe Token: SeDebugPrivilege 2660 csrss.exe Token: SeDebugPrivilege 5060 csrss.exe Token: SeDebugPrivilege 2732 csrss.exe Token: SeDebugPrivilege 2404 csrss.exe Token: SeDebugPrivilege 3400 csrss.exe Token: SeDebugPrivilege 4128 csrss.exe Token: SeDebugPrivilege 4728 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 184 wrote to memory of 2584 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 114 PID 184 wrote to memory of 2584 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 114 PID 184 wrote to memory of 2584 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 114 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 2584 wrote to memory of 640 2584 tmp8486.tmp.exe 116 PID 184 wrote to memory of 1792 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 119 PID 184 wrote to memory of 1792 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 119 PID 184 wrote to memory of 5004 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 120 PID 184 wrote to memory of 5004 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 120 PID 184 wrote to memory of 2000 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 121 PID 184 wrote to memory of 2000 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 121 PID 184 wrote to memory of 1232 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 122 PID 184 wrote to memory of 1232 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 122 PID 184 wrote to memory of 4448 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 123 PID 184 wrote to memory of 4448 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 123 PID 184 wrote to memory of 2540 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 124 PID 184 wrote to memory of 2540 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 124 PID 184 wrote to memory of 3400 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 125 PID 184 wrote to memory of 3400 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 125 PID 184 wrote to memory of 3052 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 126 PID 184 wrote to memory of 3052 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 126 PID 184 wrote to memory of 560 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 127 PID 184 wrote to memory of 560 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 127 PID 184 wrote to memory of 1744 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 128 PID 184 wrote to memory of 1744 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 128 PID 184 wrote to memory of 868 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 129 PID 184 wrote to memory of 868 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 129 PID 184 wrote to memory of 4328 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 140 PID 184 wrote to memory of 4328 184 e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe 140 PID 4328 wrote to memory of 3736 4328 cmd.exe 145 PID 4328 wrote to memory of 3736 4328 cmd.exe 145 PID 4328 wrote to memory of 1632 4328 cmd.exe 151 PID 4328 wrote to memory of 1632 4328 cmd.exe 151 PID 1632 wrote to memory of 4388 1632 csrss.exe 153 PID 1632 wrote to memory of 4388 1632 csrss.exe 153 PID 1632 wrote to memory of 4364 1632 csrss.exe 154 PID 1632 wrote to memory of 4364 1632 csrss.exe 154 PID 1632 wrote to memory of 2056 1632 csrss.exe 155 PID 1632 wrote to memory of 2056 1632 csrss.exe 155 PID 1632 wrote to memory of 2056 1632 csrss.exe 155 PID 2056 wrote to memory of 3400 2056 tmpB6AD.tmp.exe 157 PID 2056 wrote to memory of 3400 2056 tmpB6AD.tmp.exe 157 PID 2056 wrote to memory of 3400 2056 tmpB6AD.tmp.exe 157 PID 3400 wrote to memory of 2156 3400 tmpB6AD.tmp.exe 158 PID 3400 wrote to memory of 2156 3400 tmpB6AD.tmp.exe 158 PID 3400 wrote to memory of 2156 3400 tmpB6AD.tmp.exe 158 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 2156 wrote to memory of 860 2156 tmpB6AD.tmp.exe 159 PID 4388 wrote to memory of 4448 4388 WScript.exe 162 PID 4388 wrote to memory of 4448 4388 WScript.exe 162 PID 4448 wrote to memory of 3696 4448 csrss.exe 164 PID 4448 wrote to memory of 3696 4448 csrss.exe 164 PID 4448 wrote to memory of 1744 4448 csrss.exe 166 PID 4448 wrote to memory of 1744 4448 csrss.exe 166 -
System policy modification 1 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe"C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:184 -
C:\Users\Admin\AppData\Local\Temp\tmp8486.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8486.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\tmp8486.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8486.tmp.exe"3⤵
- Executes dropped EXE
PID:640
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rbbMpVigC1.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3736
-
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1632 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9f0b2f-019c-42bf-82bc-793fe1cf2f4c.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4448 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\395a2a96-b628-4018-a686-697c83f53eac.vbs"6⤵PID:3696
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2144 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11f97a3-45ef-4029-b0b9-5bf9f1a41294.vbs"8⤵PID:3856
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d727286e-1a21-41e5-a406-c2cd55c6e709.vbs"10⤵PID:3196
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2596 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df0d9ec5-26f9-4079-adcd-2a0ee72a47d6.vbs"12⤵PID:1840
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1300 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88a04dbe-3b2d-46ee-921f-c15188c46d3b.vbs"14⤵PID:2028
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2504 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066e2057-3c6a-4af6-ab71-00c953e05c62.vbs"16⤵PID:1852
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:60 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2071b6a5-def8-464c-9cd0-9c482fe98d2e.vbs"18⤵PID:3528
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2616 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4930349b-c840-4429-b4c5-426108758775.vbs"20⤵PID:4932
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2660 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7720edf0-000e-4463-9755-fe2c9051ae5a.vbs"22⤵PID:4348
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5060 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7417afda-7807-4278-abbf-affe93530f8e.vbs"24⤵PID:1788
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2732 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfefe12f-2580-4933-9850-7978ed143f6f.vbs"26⤵PID:3516
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2404 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9887cd92-24be-4165-9847-bb3a66771256.vbs"28⤵PID:2024
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3400 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6b127b-5172-414e-a8e5-a0036a9833fb.vbs"30⤵PID:2284
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4128 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1ec391-9e9b-4433-8a36-f43e2f171729.vbs"32⤵PID:2616
-
C:\Program Files\Crashpad\csrss.exe"C:\Program Files\Crashpad\csrss.exe"33⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4728
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a904cff-7a24-4c52-91c4-eeaebc6260f9.vbs"32⤵PID:4396
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp.exe"33⤵
- Executes dropped EXE
PID:3124
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccb44abc-5d61-4119-948a-55b5389487a0.vbs"30⤵PID:4276
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.exe"31⤵
- Executes dropped EXE
PID:1068
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71dec974-d555-4c94-a52d-46b359c0a217.vbs"28⤵PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\tmp64EA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp64EA.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\tmp64EA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp64EA.tmp.exe"29⤵
- Executes dropped EXE
PID:4256
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9feecbd0-9744-4a4f-b201-a97537aab7ea.vbs"26⤵PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\tmp356E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp356E.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\tmp356E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp356E.tmp.exe"27⤵
- Executes dropped EXE
PID:4380
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24394c92-0220-4a81-aa88-1786599cadd7.vbs"24⤵PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.exe"25⤵
- Executes dropped EXE
PID:2616
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4527fe88-0c6f-4ae3-8424-bcc244d6d5a0.vbs"22⤵PID:3180
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24d88536-a878-494b-a3c4-6d0b9a072cb7.vbs"20⤵PID:3820
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCFCE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCFCE.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\tmpCFCE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCFCE.tmp.exe"21⤵
- Executes dropped EXE
PID:776
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59876cf2-8db6-4c42-a020-d97d7570703c.vbs"18⤵PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB532.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB532.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\tmpB532.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB532.tmp.exe"19⤵
- Executes dropped EXE
PID:4068
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0766a6f4-82c1-411e-b207-3be959c24155.vbs"16⤵PID:3156
-
-
C:\Users\Admin\AppData\Local\Temp\tmp99DA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp99DA.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\tmp99DA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp99DA.tmp.exe"17⤵
- Executes dropped EXE
PID:2100
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87b426fc-2b13-4ffd-8b36-a8eddf0614e2.vbs"14⤵PID:3692
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7DE5.tmp.exe"15⤵
- Executes dropped EXE
PID:3668
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\075bdbfd-c9b3-48ea-9811-4d11509ce89d.vbs"12⤵PID:3136
-
-
C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"13⤵
- Executes dropped EXE
PID:2908
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16402b59-7a33-4998-99ea-6332c6e69bf3.vbs"10⤵PID:1404
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.exe"12⤵
- Executes dropped EXE
PID:4236
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c679ce24-5f3c-4160-b716-8f19d3ea01c8.vbs"8⤵PID:2568
-
-
C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.exe"10⤵
- Executes dropped EXE
PID:2908
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e80eae3-21f6-4153-b7a2-b5a9773858d3.vbs"6⤵PID:1744
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.exe"7⤵
- Executes dropped EXE
PID:3620
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c19277da-2909-425c-9c53-3711d369d848.vbs"4⤵PID:4364
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.exe"7⤵
- Executes dropped EXE
PID:860
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD57f124e1fb3980bc3871284f7baed824c
SHA17f0ab3d0a1ae21c5dd3a737055ddd5c67093d252
SHA256e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2
SHA5122d7f6197e317e91b5a7c07c5cbe0ae1964a955f88a0d4d5cec76111474c9aaaddd692b4555d1beec9061c00d1c13ccf92e1f4d3db26a06672997028e155c8f49
-
Filesize
4.9MB
MD50bb796becf06d6668e5807f66fd22d26
SHA1febf007de23315a1ed99d56119cbb016300bd621
SHA256edd69dfeabbad8e0ea0b8f2affd364969a260716539d89eeca37a29a71f05615
SHA51233e35f4262193ff4649ca90f4b2f2e763273280e08b843facbaa300e9d1ef4ca14eff419a0981eac645798ca8093ad7fed7e2c3d903f8b9d7366cb33e6fedf01
-
Filesize
4.9MB
MD584d218bf477c96985eccdb259ab5edcb
SHA14511bfbea6edcbb63ebc26b9505ee878bc7e7968
SHA256c9d685050ace50358c157fbd35131b9d6162d25c26ddac64a7e5293b87bbd270
SHA51265c3632344e3184b382d13cdd4f2936f48e0e46381defb9f2fe350de5b23ad97f6417f6f02ad33e84be355ee5d95ddb7c47093ba5e40dce08ce6c9f186182853
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD56c47b3f4e68eebd47e9332eebfd2dd4e
SHA167f0b143336d7db7b281ed3de5e877fa87261834
SHA2568c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA5120acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
711B
MD56511f439c5a9c4b8edfdb479c383dc46
SHA1b1e29b1e36ff45840d042e121a3e9113f1d5e1e3
SHA256361f16d307b570021bdf4327ceaa47468f556c0bdf475e524c0039defc0b21a5
SHA512b63162486eb27fb71d24255c7b6168ff4c3dad63f07eef7771cfc82b9287cf0ae28a3eef0a8c370ff2950b6b3232234c1aca7faf6a1760c9595477e5bc652dff
-
Filesize
711B
MD5cac5fd2a7e385f02fc2f123b93f92c40
SHA187bfef9847fdbb23eb4998ef75bc07893ed0cb1b
SHA2568783ffffeaeffe938ee1b4a7086527614a7652618d1ea074dc0cee2eba8c70b1
SHA512cb8039b497892df3ab777d8dbeb98c4ffd43569bec98e2d0aca7d6cc71847ed9db1ecb46f33ccef9d3cd3520d80fb40a35b1f22850e3a2a736f3b74434db489f
-
Filesize
711B
MD58bac855876df4066e1560c34ebf6faeb
SHA15be46f41e00339f9c6b71f17406626a814b4df18
SHA25611ec63eccf203d0abae3178b810b4e31cb9a64ee2250101876fa32b8abc01848
SHA5122252487e869a779aa79c5eb0c8ceb3acbee51ccb19121801b8e587e1d30e93e8b9c7ae5d79cd44b6fb3e3d678b83f0fecf1c8ab6bab8827f276981a4d8bbdc26
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
711B
MD59f16e96e75b4ec2369a40e143d3af59b
SHA1406a503975c7608624d0deb64b9fa27e4b7a16c7
SHA256dd85d7e4f006d9727539c92d3e56250c095dd052262f60cc4e8818673cc5ef03
SHA51293f548d3719d2006d8e43f07c12b945f05b9e5aadf85750e82b03fff294e6914caced93685ef1d90829136d9edacc527d172ad8116f3f8fb21776594d21f5fac
-
Filesize
487B
MD57faae039198bb3e84441784a3bc0f58e
SHA123968a4e56a433b405a1512bb5ae721a57698dff
SHA256e044fca7d22d42697a472a004a4a70918e35199e868cded7905703548c06788d
SHA512515ca824c790540d93bbf8d44e056f7d3c4b27a3b4547be5e23d0b39be050d0d56df846f420ad80a849e5765a44186e5c7b5915dc15d79679ed68f2917329324
-
Filesize
711B
MD5455b59bdb41869fabfcd5c4fe645029a
SHA10c2a6eeb1080ed1014b1175c743d5a63c9c16f2d
SHA256aa7826bcffd9b82fe33aa2b36dc3bf958f4c15240e956db3f5ba9f81487bd5a4
SHA51266c4b89096fe7ae5469077e9097d4e2146ec0f191af81047869aa5beee5be01854fa94e30e8ead5e7ca2d9f30892baaf87a9a420c9abe84678164fbf27789020
-
Filesize
711B
MD5f7bf645874bbeb48d16ff3cb1a903be8
SHA1c43a565fd996a21a07c1c0dac88391a0c77263e3
SHA256fb541e09d06cc92279bbc65ac4b724b87fde1baa8a31d65d062379916a5a9359
SHA5125624e5a5fda55c86a8ecf0f00ec6932209685f400a0d515f12a31f5369d2b5617584ad10ff5fe68741ecffc7ce1d8fb1c5950c7e856d92741b65e21c52db5b31
-
Filesize
711B
MD59c2d2d1b0284050a6736ea49b3cc340a
SHA18640b7eaa3dac18d67a9893443a4215441402fb0
SHA256d4c24fc9cd25f9cfd6ebdf99f86359814357380518dc9ae079654cd323ba2fbc
SHA512ea1ea16df3335eed108cfad4d8b9f80aaa399980db8e19729357d38738775d77a395d50b638d37615acf90f3d6dd417dc3b1a2175fefc98d0242d588958c5398
-
Filesize
200B
MD5ce0a76df61feff3c35b0a9c0e4102bc4
SHA117f50effe4317c11946174620628c576c4dbb30a
SHA25638fbef9ce238916952cafd603c9fcd37936089becf9c6e71efefaef749c4a6b1
SHA512486b607c8bf0d456f1efa99b3a37d21fe5035611854b0acdaadfce0fe59c39711dd1c675e8b7937d091e86af03492193f49f86c558c9f4b1eac55512c44a1776
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2