Analysis
max time kernel: 1786s
max time network: 1452s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2024 16:36
Static task static1
Behavioral task behavioral1: Sample XBinderOutput(1).exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample XBinderOutput(1).exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample XBinderOutput(1).exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral4: Sample XBinderOutput(1).exe, Resource win11-20241007-en
General
Target: XBinderOutput(1).exe
Size: 607KB
MD5: 19d31479381cfda2c9878b427f51a0c2
SHA1: 5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256: e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512: 14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP: 12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | conhost.exe
Process spawned unexpected child process 46 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral2/files/0x0005000000022aa6-5.dat | dcrat
behavioral2/files/0x001d000000023ab9-23.dat | dcrat
behavioral2/memory/1904-25-0x0000000000480000-0x0000000000556000-memory.dmp | dcrat
Drops file in Drivers directory 64 IoCs
Manipulates Digital Signatures 4 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | conhost.exe
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | conhost.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | conhost.exe
File opened for modification | C:\Windows\System32\wintrust.dll | conhost.exe
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description | ioc | Process
File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | conhost.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | XBinderOutput(1).exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | kendalcp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | reviewDll.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | conhost.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
Deletes itself 1 IoCs
pid | Process
4260 | conhost.exe
Executes dropped EXE 5 IoCs
pid | Process
1636 | kendalcp.exe
1904 | reviewDll.exe
4260 | conhost.exe
4768 | conhost.exe
4396 | conhost.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 31 IoCs
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | conhost.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | conhost.exe
Drops file in System32 directory 64 IoCs
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
description | ioc | Process
File opened for modification | C:\Windows\System32\termsrv.dll | conhost.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jscripts\winrthost.js | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\MedTile.scale-100.png | conhost.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileVisio32x32.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleUtilRT.winmd | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-150.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-200.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-100.png | conhost.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\resources.pri | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-200_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-36.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-300.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxManifest.xml | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-100.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80.png | conhost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui | conhost.exe
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-100.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\Native3d.TextureRendererPixelShader.cso | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ChakraBridge.winmd | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png | conhost.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-B.Tests.ps1 | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-black.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-100.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-64_altform-unplated.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Get_Started_icon.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-125.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-80.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100_contrast-black.png | conhost.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.Tests.ps1 | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-100.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-200.png | conhost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-200.png | conhost.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\msdaps.dll | conhost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll | conhost.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-Containers-Guest-Shared-Package~31bf3856ad364e35~amd64~~10.0.19041.928.cat | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_es-es_65b02ea2b3f8eb14\winhttp.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_system32_boot_de-de_bd6b30942a28275d.cdf-ms | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_8221a9204f808b72.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c68aa74741937c24\dsregtask.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_4bf902d1685e1d06\NetEventPacketCapture.psd1 | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..mgmttools.resources_31bf3856ad364e35_10.0.19041.1_es-es_435cbda8df282435\TSPSEngine.resources.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_digitalmediadevice.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fc57290856e10ff7.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_2f63b728e887d212.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-speech-windows_31bf3856ad364e35_10.0.19041.1_none_84892d5a292daba2.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_sl-si_a3ea73e4c39c1b1f.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-w..ment-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_844e1ddfd123de41\WsmRes.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\CExecSvc.exe.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..ntmanifests-onecore_31bf3856ad364e35_10.0.19041.546_none_49063acdd1f64c20\tpmvsc-repl.man | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wsp-spaces.resources_31bf3856ad364e35_10.0.19041.1_de-de_a7cd2f07cddcc60d\smphost.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_system.web.dynamicdata.design.resources_31bf3856ad364e35_10.0.19041.1_es-es_9388a569f1163ff3.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-csvlk-pack-license_31bf3856ad364e35_10.0.19041.1266_none_ddea75e4d9c5687b\csvlk-pack-Volume-CSVLK-9-ul-phn-rtm.xrm-ms | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_10.0.19041.1_es-es_467b6b1894b92c08.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\msil_microsoft.powershell.consolehost_31bf3856ad364e35_1.0.0.0_none_644eb55fd3a8b3d0\Microsoft.PowerShell.ConsoleHost.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft.windows.powershell.common_31bf3856ad364e35_10.0.19041.1_none_f125082deef76556\PSDiagnostics.psm1 | conhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Deployment.resources.dll | conhost.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\f\VmComputeAgent.exe | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-aadcloudapplugin_31bf3856ad364e35_10.0.19041.1266_none_97765959c002c029\r\aadcloudap.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscclassresources_windowspack_a46fa608faf67c41.cdf-ms | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft.powershell.ovf_31bf3856ad364e35_10.0.19041.1_none_9b15a85ee89056f8.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_876d2c71ceefefbb\iisRtl.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-grouppolicy_31bf3856ad364e35_10.0.19041.610_none_f3ce60a24f923bd1\f\CloudContent.admx | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-onecore-pnp-devicemanagement_31bf3856ad364e35_10.0.19041.1_none_03a6ad8d31b214f4\devrtl.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\f\AppxSignature.p7x | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..aleducation-license_31bf3856ad364e35_10.0.19041.1266_none_ac8d2c3ca59c96a7\ProfessionalEducation-Retail-1-ul-store-rtm.xrm-ms | conhost.exe
File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.TextToSpeech~el-gr~1.0.mum | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-devicediagnostic_31bf3856ad364e35_10.0.19041.1_none_9f161f16da1d1848\DB_DeviceErrorLibrary.ps1 | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500-18.htm | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6544a4ab6302c712\WalletService.dll.mui | conhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Messaging.dll | conhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.Build.Tasks.v3.5.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\Devices.png | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-powershell-sip_31bf3856ad364e35_10.0.19041.1_none_1e5fae61a2104eff\pwrshsip.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-f..-settings.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4d8d4f589ea8ff7f.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_netfx-csharp_compiler_cscomp_b03f5f7f11d50a3a_10.0.19041.1_none_a2a888f44e6679c2.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_taskschedulersettings.resources_31bf3856ad364e35_10.0.19041.1_es-es_a929756dcd3c3b31.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\x86_microsoft-windows-ie-imagesupport_31bf3856ad364e35_11.0.19041.746_none_03878c0fc2f4e725.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-store-licensemanager_31bf3856ad364e35_10.0.19041.906_none_142faef31fe5c6a3\r\LicenseManager.dll | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_8c80a9095963136e.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-s..e-runtime.resources_31bf3856ad364e35_10.0.19041.1_es-es_0ab3fc25950f613e\Windows.ApplicationModel.Store.TestingFramework.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_en-us_4211752681e50d90\PSDSCxMachine.strings.psd1 | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeprovisioningentry-vm.js | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mmsys.resources_31bf3856ad364e35_10.0.19041.1_es-es_bbfbaef0c1d2af6e\mmsys.cpl.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_wave.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e89f3a127f7f0e67\wave.inf_loc | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-filehistory-core-cpl_31bf3856ad364e35_10.0.19041.423_none_9134ae6b97cbbd15.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-wab-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_66491ce936e9c71a.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_wdmaudio.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e3af831cfe738719.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-frame-template.html | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wldp.resources_31bf3856ad364e35_10.0.19041.1_en-us_e1df6e92b40dd5f7\wldp.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_usbcciddriver.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_fe9031f03eff8d0e\UsbccidDriver.dll.mui | conhost.exe
File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_10.0.19041.546_none_db05a21561861236.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-l..alization.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_815e1d2df9d8e1a5.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_system.servicemodel.resources_b77a5c561934e089_10.0.19041.1_ja-jp_f5cc9a7b20ae6fc2.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\cssMode.js | conhost.exe
File opened for modification | C:\Windows\WinSxS\Catalogs\a838a203d3c5cc495a250e94b129db7814afd13fcdacbc1734a9541a4dd1e562.cat | conhost.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..atahelper.resources_31bf3856ad364e35_10.0.19041.1_es-es_eacc2538b555796b.manifest | conhost.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..erymanager.appxmain_31bf3856ad364e35_10.0.19041.1_none_61ab84439fac4697\resources.pri | conhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kendalcp.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | kendalcp.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2996 | schtasks.exe
4540 | schtasks.exe
4564 | schtasks.exe
3224 | schtasks.exe
1016 | schtasks.exe
1440 | schtasks.exe
4944 | schtasks.exe
3208 | schtasks.exe
4384 | schtasks.exe
4588 | schtasks.exe
2584 | schtasks.exe
2180 | schtasks.exe
1688 | schtasks.exe
2832 | schtasks.exe
888 | schtasks.exe
2968 | schtasks.exe
2380 | schtasks.exe
720 | schtasks.exe
1812 | schtasks.exe
4692 | schtasks.exe
1652 | schtasks.exe
1104 | schtasks.exe
812 | schtasks.exe
1748 | schtasks.exe
3412 | schtasks.exe
3480 | schtasks.exe
5020 | schtasks.exe
2944 | schtasks.exe
3236 | schtasks.exe
4100 | schtasks.exe
2792 | schtasks.exe
696 | schtasks.exe
2204 | schtasks.exe
2452 | schtasks.exe
4404 | schtasks.exe
2268 | schtasks.exe
2656 | schtasks.exe
628 | schtasks.exe
3156 | schtasks.exe
2884 | schtasks.exe
2424 | schtasks.exe
5084 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
1904 | reviewDll.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
4260 | conhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4260 | conhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1904 | reviewDll.exe
Token: SeDebugPrivilege | 4260 | conhost.exe
Token: SeManageVolumePrivilege | 3864 | svchost.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3732 wrote to memory of 1636 | 3732 | XBinderOutput(1).exe | 88
PID 3732 wrote to memory of 1636 | 3732 | XBinderOutput(1).exe | 88
PID 3732 wrote to memory of 1636 | 3732 | XBinderOutput(1).exe | 88
PID 1636 wrote to memory of 3968 | 1636 | kendalcp.exe | 89
PID 1636 wrote to memory of 3968 | 1636 | kendalcp.exe | 89
PID 1636 wrote to memory of 3968 | 1636 | kendalcp.exe | 89
PID 3968 wrote to memory of 3516 | 3968 | WScript.exe | 95
PID 3968 wrote to memory of 3516 | 3968 | WScript.exe | 95
PID 3968 wrote to memory of 3516 | 3968 | WScript.exe | 95
PID 3516 wrote to memory of 1904 | 3516 | cmd.exe | 97
PID 3516 wrote to memory of 1904 | 3516 | cmd.exe | 97
PID 1904 wrote to memory of 4260 | 1904 | reviewDll.exe | 142
PID 1904 wrote to memory of 4260 | 1904 | reviewDll.exe | 142
PID 4260 wrote to memory of 3820 | 4260 | conhost.exe | 198
PID 4260 wrote to memory of 3820 | 4260 | conhost.exe | 198
PID 3820 wrote to memory of 748 | 3820 | cmd.exe | 200
PID 3820 wrote to memory of 748 | 3820 | cmd.exe | 200
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image (depth 1): C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3732
Image (depth 2): C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
Image (depth 3): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968
Image (depth 4): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
Image (depth 5): C:\blocksavesperfMonitorDll\reviewDll.exe
Command line: "C:\blocksavesperfMonitorDll\reviewDll.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
Image (depth 6): C:\Windows\LiveKernelReports\conhost.exe
Command line: "C:\Windows\LiveKernelReports\conhost.exe"
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
Image (depth 7): C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat" "
- Suspicious use of WriteProcessMemory
PID:3820
Image (depth 8): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:748
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\0410\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
Image (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\aero\uk-UA\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 3632
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID: 3864
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 3068
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 4644
-
C:\Windows\LiveKernelReports\conhost.exe
C:\Windows\LiveKernelReports\conhost.exe
- Executes dropped EXE
PID: 4768
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 4216
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 1900
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 1356
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
PID: 388
-
C:\Windows\LiveKernelReports\conhost.exe
C:\Windows\LiveKernelReports\conhost.exe
- Executes dropped EXE
PID: 4396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhost" /f
- Process spawned unexpected child process
PID: 4808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhostc" /f
- Process spawned unexpected child process
PID: 1912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhost" /f
- Process spawned unexpected child process
PID: 3420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "conhostc" /f
- Process spawned unexpected child process
PID: 1728
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
PID: 2012
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
PID: 1136
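The schtasks /create lines in the process tree above follow one pattern per dropped file: the binary is named after a Windows system executable (conhost.exe, services.exe, sihost.exe, ...) but placed in a directory where that executable never lives, and it is registered under several task names, one of them elevated (/rl HIGHEST) and re-launched every few minutes so the implant survives being killed. The triage script below is an added example for this report, not part of the sandbox output or of the malware. It parses schtasks command lines of the kind shown above, groups them by target binary, and flags that pattern. The table of where the genuine binaries live is an assumption for a default Windows 10 install, and the sample command lines are constructed for the example (most copied from the entries above, plus one benign task so the negative case is visible).

```python
"""Triage 'schtasks /create' command lines recorded in a sandbox process tree.

Added example for this report, not the sandbox's own or the malware's code.
Parses each command line, groups the tasks by target executable, and flags
the persistence pattern the report shows: a system-binary name outside its
home directory, several tasks for one binary, and an elevated task that is
re-launched on a minute schedule.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: where the genuine copies live on a default Windows 10 install.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARY_HOMES = {
    "conhost.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "sihost.exe": {SYSTEM32},
    "spoolsv.exe": {SYSTEM32},
    "sppsvc.exe": {SYSTEM32},
    "taskhostw.exe": {SYSTEM32},
    "wininit.exe": {SYSTEM32},
    "upfc.exe": {SYSTEM32},
    "runtimebroker.exe": {SYSTEM32},
    "cmd.exe": {SYSTEM32, r"c:\windows\syswow64"},
}


@dataclass
class TaskCreate:
    name: str                # /tn
    schedule: str            # /sc, e.g. ONLOGON or MINUTE
    modifier: Optional[int]  # /mo, e.g. minutes between runs
    target: str              # /tr with the wrapping quotes removed
    run_level: str           # HIGHEST if /rl HIGHEST was given, else LIMITED


def _option(cmdline: str, flag: str) -> Optional[str]:
    """Return the value following /flag, quoted or bare, or None if absent."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Parse a 'schtasks /create' line; other verbs (/delete, /run) give None."""
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    name, schedule, target = (_option(cmdline, f) for f in ("tn", "sc", "tr"))
    if not (name and schedule and target):
        return None
    modifier = _option(cmdline, "mo")
    return TaskCreate(
        name=name,
        schedule=schedule.upper(),
        modifier=int(modifier) if modifier and modifier.isdigit() else None,
        # /tr values on this page are double-quoted around a single-quoted path.
        target=target.strip().strip("'\""),
        run_level=(_option(cmdline, "rl") or "LIMITED").upper(),
    )


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious target path to the reasons it was flagged."""
    tasks = [t for t in map(parse_schtasks_create, cmdlines) if t is not None]
    by_target: dict[str, list[TaskCreate]] = {}
    for t in tasks:
        by_target.setdefault(t.target, []).append(t)
    report: dict[str, list[str]] = {}
    for target, group in by_target.items():
        reasons = []
        directory, _, filename = target.lower().rpartition("\\")
        homes = SYSTEM_BINARY_HOMES.get(filename)
        if homes is not None and directory not in homes:
            reasons.append(f"{filename} impersonated: runs from {directory}")
        if len(group) > 1:
            names = ", ".join(sorted(t.name for t in group))
            reasons.append(f"{len(group)} tasks ({names}) point at one binary")
        if any(t.run_level == "HIGHEST" and t.schedule == "MINUTE" for t in group):
            reasons.append("elevated task re-launched on a minute schedule (watchdog)")
        if reasons:
            report[target] = reasons
    return report


# Constructed sample: the conhost and Idle entries from the process tree, one
# /delete line the parser must skip, and a benign task that must not be flagged.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /delete /tn "conhost" /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\Backup\backup.exe"''',
]

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_CMDLINES).items():
        print(target)
        for reason in reasons:
            print("  -", reason)
```

The same parser works on Sysmon Event ID 1 or Security 4688 command lines, and the directory check is the part worth tuning: a name like cmd.exe or conhost.exe launched from C:\Recovery, C:\Windows\LiveKernelReports or a user profile has no legitimate explanation, whereas a unique dropper name such as Idle.exe is only caught by the redundant-task and watchdog rules.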
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Print Processors (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Print Processors (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Query Registry (2)
- System Information Discovery (2)
- System Location Discovery (1)
  - System Language Discovery (1)
Downloads
-
Filesize: 216B
MD5: 1a9fc1f643a1de0ab2bed1f7bdeda62e
SHA1: 81cff6c0d0ad1b89729df8e0839c7fd328f6c9dd
SHA256: b5230afc88d8b30c3421d36cfdf5ec442873e77ebe5763f1add43c364b78cb80
SHA512: bbc0e8656e081bc1df82fbbb390595800a258d7e1d2e01a32056f4e9d30cad7091c336b494e06f1d07685fda13560a1369e311bc414825a85924ad3ddf6df10e
-
Filesize: 244B
MD5: 02dd8ad56d16201a69e5fcf73345429b
SHA1: 8faf51cd1c1be7c9c83255b8155010899025515e
SHA256: 11c44c1611e26a4e87169b59452ebcee5ad8eb4bb62f7ca5337f220c78f028c9
SHA512: 49a3b4baa2e9201176ce683c692e519d6a3afca987b5f2338d8bced701516bfdd156e29bfee32804c471838ab44a58a899d18e1343e0f28c7a1d2297b8df9de5
-
Filesize: 254B
MD5: 0089e8158db503a0cf3d78e4aa6c7e07
SHA1: bf6497a4e8e7bee66b3f6d959300533996cadf5f
SHA256: c195508d0ea54f354e8df91151ee7f67031cb8c9aa676163e453b9c97250401f
SHA512: 0496f59867ba93fc6cd64ca2e5eb3a5ac5005b0d0cd16668a89b033057dfc05e629d8e3f678791174d8f8a360159d5398b4ab57143d9031575f948b5eec33a47
-
Filesize: 362B
MD5: 560cc3c0b1fd3ffbb030e4ea4a9390a2
SHA1: 2689aa37347d61e4c870ffb986ebd37efbc18e2c
SHA256: eebd6afa3a952c60d368d98431420ac7cad0aec90784a0e21731e5cf5201c807
SHA512: 6c600644a527250ec2735d8c1950742a07074e7b7ffbaebe84fb2a8b1ea02b4e9719e2dc9f0ed0962224d07ce45830c3621491d98838ea64061ff861ece66da7
-
Filesize: 467B
MD5: a0ad7316f4d0e0af5e4dd2a8a82ee65c
SHA1: 98bbeecccb7766d215284f5d5664456bbd5e4736
SHA256: c791eef6ad1b83577158100cb9566d3020fb9b127c2257b21d4b6cfa8b1d5402
SHA512: da6a6f1b4686d235e1822f3e88c72a5f68550367a64b6c324aaa05c1b47e0cfabf0f77ba996d205f66539898e15fd52b8a7631f9533dec60cdde78de432fa4ea
-
Filesize: 709B
MD5: 89d43c823ca3f166e41faba19c2ddd97
SHA1: c28a7c443ae001ce5c366860596e3b19d5565c56
SHA256: e5d7c2e768accc11dbe91233a8250ca157c43296f1b8a4496f694f5708bf793f
SHA512: 429c7a5303e31e928313873e27907ee837f07275f0cbb2d8340919d60bc5934b7decf1790fa0837b6bc7db5fbb83ff7becd3f6805dbdb17803f222a39ee8f279
-
Filesize: 8KB
MD5: f3c546572680c1bc8a995889173473c7
SHA1: 85da8072c452bbbeb85baefdcff96fd9de9349c0
SHA256: 92f5626a35bd1b1f57e2584cadba0f73057642369ff0aea9d2a8535e19d4a2fd
SHA512: d23c368f09d7929b376e97f084913eb92d8162a93bdd2032c42fd43eaa16c1598bcc7531cb935c314dd69ee5bf9e6665bac89dea77d3acf181e251232d032dad
-
Filesize: 3.0MB
MD5: cba98d12dd6b630b3254223f2451e07d
SHA1: cf47fbce1297c6847a70bad5be29fa9576565c32
SHA256: e81bee299e5199bfc4e7d33f7ba8b2ac2397f4dea3e10b4cd94d739a989493fa
SHA512: 23c2def7bd3ecb927be1317f5cb08bddb0474113437349acbe81f304ed531e34efc96341f7796152007fc1a9433c0ee854717c3c72c3fe23975236f05b4d55d7
-
Filesize: 3.0MB
MD5: d1dd210d6b1312cb342b56d02bd5e651
SHA1: 1e5f8def40bb0cb0f7156b9c2bab9efb49cfb699
SHA256: bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5
SHA512: 37a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8
-
Filesize: 16KB
MD5: 94d5c6f4fcf80291320c32032a29346e
SHA1: c223910577dee2c14dc86f37c6defae5f9cf9f85
SHA256: 498106b26404b8d16ff84bc1c93a2d59c6dcee952384207a6753b33f535cfe33
SHA512: f3afefa9f0f250374b0f4df3ca71b6e12c815e0548ab418847c9fbe803ba344d1714a1c52c5dfe9ed7b5d4cadfcec794a5ffd0d6770f80195c7b15865b2fdc1c
-
Filesize: 6.0MB
MD5: 60382910f9dadc6f0d43a8012ad8e781
SHA1: 39f2682ce383f1e803c04587d3565028a17f6dd2
SHA256: f1756998832e5bbc6abc8c30be266d2a751a0093e40cf4c628b174976b14aa39
SHA512: a4f7fd7f76676f0d148ccd62908baf7a0e4d9f039595ffa712f209370c9550196b11b989dce2223839351a77ffef02e9b3994845d7724c3b71386988b32a2c16
-
Filesize: 192KB
MD5: cb880f47205b1f321001906ceec4cc00
SHA1: 367724f2e99687c2d2b090788cb690b74157efaa
SHA256: 2ff0a31099478d08e4ac8b444fa602950b89a2a0af1e0bf7971c56e663bc5b03
SHA512: bcd6c21004640426b3e53079d44ae7a5636a104a1b146b22dabbf3912923d1a1fbee7480070abe97e3bd4f8b8a2bc5262b4f435b11e235737ac0efea7002f013
-
Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize: 1KB
MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize: 269B
MD5: 138612dafc7f69ff5345a52d3df8980a
SHA1: dd0c001ef448a19d67919da7e6b487d9f14bf5ae
SHA256: 2d0c06c7a35de81225987c7d69cec6ba1ee90a454a816b9cc629c10bf11a52a8
SHA512: cbac81ed737af85628529c15ffbc71b2e41b65d6db2c728904d07afb27d25dae6a5539a5fec257b48c34ec376f69ba463f075ebe5b8c86b41522e967244a7f11
-
Filesize: 1.1MB
MD5: 0d015cc111d53a019e680b0bed11fcad
SHA1: 3b3fb6eeba0c2ba286a4db5e850697399ccb5e36
SHA256: 2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150
SHA512: c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab
-
Filesize: 669B
MD5: 4dd3ed7933dc0e4d1169bdf5df52adc2
SHA1: e5e462d6e520e0b1da059a53da76573ab6ad8da3
SHA256: 21d4742caf6cde6696a8d05819d85e18ec9e0992752c829de22619dff3f8145f
SHA512: ca4a5988276fe866da8e6f89dc3dbcba0c68b6b6b2a9532b5e5a58b7e82082122ab85beddc6f9e197e81003b3ae94b70bbdb63f402b5137e8b6cb9dfecfaf72a
-
Filesize: 455B
MD5: b7b6604195989a6b902e2bcb46dbad8d
SHA1: 1d6cc9050489b23f3923a71abc861eb36e551f29
SHA256: efa2db891b7155d21a307ace9be3dedf6f3f7c8efa6acee66de5f92dd06f0c08
SHA512: 6b0c99d0f2eeacbc38111d1be37b11576ab99a8d6ef81dc3dfbc3c567463e3c7df107f5d992420cbf2ceefbbe4608a7b7a63a6f4cebc28fcc3d8daa051b05599
-
Filesize: 339B
MD5: 3236ad64ccdf47ab6d94377686c87ba8
SHA1: 7f2e0e3fc2bf8467163eaecbc4ca0b22d1736073
SHA256: e2c69a7c3750b8e04f925b5494294640cd4659dba8d33c1ebdafcecefebcb088
SHA512: 09a158711df8403992038f9f0f3e13aba91615cf0e9f7cba3312a6318aa3b55c37499c3f94a6ea6df6c72aa42da53c634b16230e91267f6de48562cb109fc40c
-
Filesize: 675B
MD5: e3736b66421a1728fc6c808345060382
SHA1: ddbde4c72bb2ac74f65f20e6694cb0c79f742c91
SHA256: 151554d200dec16eb05974d414c8cb182840e51a63b9a4e5e5d60d407b36c7f4
SHA512: 6f56164ba740eb73d6b550d87304d5b5a9ab907e0381c2cc9adbca1693a770df4a8a7b6c05250f4dd7be5b26708a1f9fc6db4a37035d4cebaea9af347adbdc2a
-
Filesize: 497B
MD5: 2718f64fad62f3accf9b0ebaafb1e820
SHA1: 86ede34106c909c00bd4c0cb69de8d5648771fda
SHA256: 8daba2f25b9ca4a1ccdd692045ac9f211f7be769b1b6cfc1132e116c58a5349f
SHA512: 5908d5d83e53c7842becd7ba0d281fcca8641599e7a272891f53659268d38f9b2e4f1e80f6479871a31af26aa521ed3d99a9b771eb58d8d4e1cdc82de030e1fb
-
Filesize: 723B
MD5: a399f7341ef1972689691d6dece8a92c
SHA1: 9337bfc2d800dd833708b891297e724709d9ffb2
SHA256: 7a50de93e1ccdb17e86cc3f3eddc360af70eb7ae4e4566bee44c0239b3d27d8d
SHA512: e3bcee703d95387143c1e1699a2a0fbcd33ee0f95821eff87011b2e4a1dd0714c0b60f19230f4a7862be6744402787e8ca93b09a208eefca61b6bf25019114de
-
Filesize: 222B
MD5: a6f295a2e58c722b5935cc905e81fd8b
SHA1: a2a30408197320a639e3e2f18a57fc8578c97b58
SHA256: 8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c
SHA512: 839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635
-
Filesize: 43B
MD5: 7c582abd8874b9cc60df72d62bd86440
SHA1: 564e7b01338d08f657f2c02fa8fc5b8dadb92331
SHA256: c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329
SHA512: 444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828
-
Filesize: 257B
MD5: 8b6e8195ce3abc5c28f44cfd9f541881
SHA1: b1e474cb0f6033635bb2a023ea77fc318cbe66ab
SHA256: 49802aa888ee285b5c738c5dfb187d7c0dd158426e7b47a490c23e26ede60c32
SHA512: 215434f3d2ee660a824632e6fd7e9d6128736351090e3bb4d8a840b3dd45a727438827dc5f940664ee0b2910b9dcf754a8747a1f86253a425715091a0f79ea18
-
Filesize: 818B
MD5: 7350f0fbd09b0ddfb9b6e6ee5c8eac00
SHA1: 5e015bee370966fe9d9b43019400e5f365e0258f
SHA256: 480925edd430e1d2f393bbba6f2b51a7c20b678756a3150157386c17c5e3a59e
SHA512: 51db1882e659b09eb2099446cf5a692b0e9218eda94d04a6d98ac918ae1f851e039cf87c0d24cb331ffee38973d7a81764cca7af184831665ba72a2119ed51fb
-
Filesize: 828KB
MD5: d9dac9e1d95e84e6aec084cf2ddb3f3a
SHA1: a231a41c7ad994879b15116dcea41fdc09bb5879
SHA256: 0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5
SHA512: c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a