Analysis
max time kernel: 119s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 18:41
Static task: static1
Behavioral task: behavioral1
Sample: e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
Resource: win7-20240903-en
General
Target: e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
Size: 4.9MB
MD5: af89c377c4187104880b9716a2291940
SHA1: 078bee54ed2d3935c55bf589d76eaba3af1ccb96
SHA256: e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2e
SHA512: 6bc81561adfa39cf3d0d4821799875b55ce5912009b6421113039a33100f9b2cf8d1770ac131a4a4cb0d811c2f2f8f790126a3a718a484096568728a52233762
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted: colibri, 1.2.0, Build1
- http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3084 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4992 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4772 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5004 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3496 | 3428 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 3428 | schtasks.exe | 86
resource | yara_rule
behavioral2/memory/1908-3-0x000000001B280000-0x000000001B3AE000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (34 IoCs)
Suspicious use of SetThreadContext (11 IoCs)
description | pid | Process | procid_target
PID 1228 set thread context of 724 | 1228 | tmpBC30.tmp.exe | 121
PID 3480 set thread context of 4440 | 3480 | tmpCE3D.tmp.exe | 129
PID 3304 set thread context of 1948 | 3304 | tmp1FF.tmp.exe | 138
PID 1228 set thread context of 4600 | 1228 | tmp1E22.tmp.exe | 144
PID 2052 set thread context of 2460 | 2052 | tmp4DAE.tmp.exe | 152
PID 1392 set thread context of 3848 | 1392 | tmp8066.tmp.exe | 158
PID 3128 set thread context of 4340 | 3128 | tmpB188.tmp.exe | 164
PID 2000 set thread context of 4048 | 2000 | tmpCEC5.tmp.exe | 170
PID 1484 set thread context of 2300 | 1484 | tmpECEB.tmp.exe | 176
PID 4732 set thread context of 1632 | 4732 | tmp2495.tmp.exe | 185
PID 5028 set thread context of 3112 | 5028 | tmp5598.tmp.exe | 191
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Mail\sihost.exe | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File created | C:\Program Files\Windows Mail\sihost.exe | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File created | C:\Program Files\Windows Mail\66fc9ff0ee96c2 | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File opened for modification | C:\Program Files\Windows Mail\RCXBA98.tmp | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\apppatch\fr-FR\lsass.exe | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File created | C:\Windows\apppatch\fr-FR\6203df4a6bafc7 | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File opened for modification | C:\Windows\apppatch\fr-FR\RCXB894.tmp | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
File opened for modification | C:\Windows\apppatch\fr-FR\lsass.exe | e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBC30.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp1FF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4DAE.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8066.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2495.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCE3D.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp1E22.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB188.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCEC5.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpECEB.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5598.tmp.exe
Modifies registry class (13 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 39 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe (PID 1908)
Command line: "C:\Users\Admin\AppData\Local\Temp\e47d5a381d3c9816f5886f278c8f3189457c55137c8042cc7131dea69572af2eN.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
C:\Users\Admin\AppData\Local\Temp\tmpBC30.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC30.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\tmpBC30.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC30.tmp.exe"3⤵
- Executes dropped EXE
PID:724
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Users\Default\Cookies\explorer.exe"C:\Users\Default\Cookies\explorer.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:232 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22905b1f-c4aa-4c41-8c78-120a416245f2.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4528 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46503d3-e441-466a-89e3-45d5e71644a3.vbs"5⤵PID:3276
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4168 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d00e703-c13b-4fd7-88ef-5abc6cf6bbc3.vbs"7⤵PID:2500
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5052 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f73393-3424-4430-a9a8-860f3dc23106.vbs"9⤵PID:4020
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3624 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6cc77cc-bdf3-473a-ba07-c6008b1a4c9d.vbs"11⤵PID:3820
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4624 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285cf6ab-572f-4243-b743-318356eb300a.vbs"13⤵PID:1384
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3708 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae558315-70c1-4610-ac7e-77017b9b2521.vbs"15⤵PID:1600
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4460 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a14cf95b-314d-4121-b1b7-4287f38db879.vbs"17⤵PID:1544
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3096 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30f928a8-4742-4d10-8546-a1272bdd5614.vbs"19⤵PID:4440
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3580 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cdeb912-6e6b-4d1e-8f1a-8e24cd2521d5.vbs"21⤵PID:4624
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2660 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa8170e3-c180-4acf-953e-95ad246712ed.vbs"23⤵PID:4756
-
C:\Users\Default\Cookies\explorer.exeC:\Users\Default\Cookies\explorer.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1388 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb0cf359-d0a6-4fac-8d00-f372c5397e10.vbs"25⤵PID:3304
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8dad19-3108-4d39-92da-ad76b13d8a85.vbs"25⤵PID:2004
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e16c40-9f69-4082-91c8-daf9b0fcd0e5.vbs"23⤵PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5598.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5598.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\tmp5598.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5598.tmp.exe"24⤵
- Executes dropped EXE
PID:3112
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71496c7e-a924-44a3-bf58-b83c7fd626d9.vbs"21⤵PID:3376
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2495.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2495.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\tmp2495.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2495.tmp.exe"22⤵
- Executes dropped EXE
PID:1632
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e8c65db-b5c6-4c5d-a5e0-4dc0d846ff32.vbs"19⤵PID:3584
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\651dde56-bce9-4ec6-91ce-f57648a9ef2a.vbs"17⤵PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\tmpECEB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpECEB.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\tmpECEB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpECEB.tmp.exe"18⤵
- Executes dropped EXE
PID:2300
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aca7d23-0e72-4593-a098-fefade13b90e.vbs"15⤵PID:1688
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCEC5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCEC5.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\tmpCEC5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCEC5.tmp.exe"16⤵
- Executes dropped EXE
PID:4048
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b0ed0a7-71c3-4e3e-bca1-073587c7feab.vbs"13⤵PID:1848
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB188.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB188.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\tmpB188.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB188.tmp.exe"14⤵
- Executes dropped EXE
PID:4340
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0931f80b-71da-4abf-9d57-04f8e021a650.vbs"11⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe"12⤵
- Executes dropped EXE
PID:3848
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e99c37c-1fcf-459d-8f29-b0cf321469ce.vbs"9⤵PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4DAE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4DAE.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\tmp4DAE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4DAE.tmp.exe"10⤵
- Executes dropped EXE
PID:2460
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eabccb06-0806-4986-bcad-d2594a7822f0.vbs"7⤵PID:4444
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1E22.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1E22.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\tmp1E22.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1E22.tmp.exe"8⤵
- Executes dropped EXE
PID:4600
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260a0b43-d306-4a27-b42f-dbcb64b17630.vbs"5⤵PID:3104
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.exe"6⤵
- Executes dropped EXE
PID:1948
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f98a6fb-a261-4f50-8e4b-6c1c226cd0f3.vbs"3⤵PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp.exe"4⤵
- Executes dropped EXE
PID:4440
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Cookies\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\apppatch\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\apppatch\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 2
Downloads