Analysis

max time kernel: 119s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 05:55

Static task: static1
Behavioral task: behavioral1
Sample: 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Resource: win7-20241010-en
General

Target: 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (referred to below as the sample)
Size: 4.9MB
MD5: fa51bf709923fc828149634c38cd60e0
SHA1: c6ff8deac79ee442ec3fd2bd034264f07f9964a1
SHA256: 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8
SHA512: e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E: (second block of the hash truncated in the source)
Malware Config

Extracted: colibri
1.2.0
Build1
C2 (gate.php endpoints):
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family
Two families are attributed to this sample: Colibri from the configuration extracted above, DcRat from runtime behaviour and from the in-memory YARA match below.

DcRat (63 IoCs)
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
schtasks.exe invocations (60), PIDs in the order listed: 4216, 4980, 1368, 4920, 3812, 1840, 848, 2236, 1916, 4892, 3588, 1456, 2732, 4544, 1652, 4304, 1628, 3720, 4836, 3220, 920, 4828, 1732, 4532, 2984, 4964, 512, 1924, 3260, 2520, 4676, 3680, 4584, 4416, 1172, 1660, 4740, 3724, 2480, 4152, 2696, 4436, 456, 2140, 3852, 3056, 3632, 216, 2440, 4388, 4924, 3516, 4396, 2736, 4100, 4584, 672, 1496, 2684, 2064 (4584 appears twice: PID reuse within the run)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3, by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File created: C:\Program Files (x86)\Windows NT\56085415360792, by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Dcrat family

Process spawned unexpected child process (60 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe, the WMI provider host. A process created through WMI (Win32_Process.Create) is recorded with WmiPrvSE.exe as its parent, so the more likely reading is that the sample issued its schtasks.exe commands through WMI, not that the provider host itself was exploited.
All 60 entries have the same shape: parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1164) is not expected to spawn schtasks.exe (procid_target 86). Child PIDs in the order listed: 216, 4100, 2736, 1496, 672, 4416, 3056, 3632, 4584, 1732, 1172, 2440, 3720, 4892, 512, 4436, 1924, 4924, 3260, 4836, 1840, 1660, 2684, 456, 3516, 4216, 3220, 1368, 2520, 2480, 2140, 4676, 3852, 4532, 848, 2236, 4828, 4980, 2064, 4544, 2984, 1652, 4964, 4388, 1916, 4304, 3588, 1456, 1628, 4920, 4396, 2732, 920, 4152, 4584, 3680, 4740, 2696, 3724, 3812
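The WmiPrvSE.exe to schtasks.exe pairs above are what a parent/child anomaly rule looks for. The following is an added example, not part of the report or of any vendor's rule set, that applies such a rule to process-creation events and then counts the burst per parent. The events are constructed to mirror the report's fields: the WmiPrvSE.exe PID (1164) and three schtasks.exe child PIDs (216, 4100, 2736) come from the report, the two benign explorer.exe and svchost.exe lines and their PIDs are made up. Field names follow Sysmon Event ID 1, which is an assumption about the reader's telemetry.

```python
"""Parent/child anomaly check in the spirit of the sandbox rule above.

Added example, not part of the report. Events are constructed: the WmiPrvSE.exe
PID (1164) and three schtasks.exe child PIDs come from the report, the benign
explorer.exe/svchost.exe lines and their PIDs are made up.
"""
from collections import Counter

# Parents that should almost never create processes, mapped to the child image
# names they are allowed to spawn. WMI's Win32_Process.Create makes WmiPrvSE.exe
# the recorded parent of whatever the caller asked for, which is exactly why
# malware likes it. Keep the allowlist empty unless your environment runs
# legitimate WMI-driven tooling, then add that tooling here.
WATCHED_PARENTS = {
    "wmiprvse.exe": set(),
}

# (ParentImage, ParentProcessId, Image, ProcessId) in Sysmon Event ID 1 terms.
EVENTS = [
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe", 1164, r"C:\Windows\System32\schtasks.exe", 216),
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe", 1164, r"C:\Windows\System32\schtasks.exe", 4100),
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe", 1164, r"C:\Windows\System32\schtasks.exe", 2736),
    (r"C:\Windows\explorer.exe", 3012, r"C:\Windows\System32\schtasks.exe", 5100),           # constructed: user-run schtasks
    (r"C:\Windows\System32\svchost.exe", 900, r"C:\Windows\System32\wbem\WmiPrvSE.exe", 1164),  # constructed: normal provider host start
]


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_children(events):
    """Return (parent_pid, child_pid, child_image) for each child whose parent
    is on the watch list and whose image is not allowed for that parent."""
    hits = []
    for parent_image, parent_pid, image, pid in events:
        allowed = WATCHED_PARENTS.get(image_name(parent_image))
        if allowed is None or image_name(image) in allowed:
            continue
        hits.append((parent_pid, pid, image_name(image)))
    return hits


def burst_by_parent(hits, threshold=3):
    """Parents whose flagged-child count reaches the threshold. One WmiPrvSE.exe
    instance emitting 60 schtasks.exe children, as in the report, is the
    persistence burst; the threshold is tuned per environment."""
    counts = Counter(parent_pid for parent_pid, _, _ in hits)
    return {parent_pid: n for parent_pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = unexpected_children(EVENTS)
    for parent_pid, pid, image in flagged:
        print(f"parent {parent_pid} -> {image} (pid {pid}): unexpected parent")
    print("bursts:", burst_by_parent(flagged))
```

The allowlist is keyed on the parent's image name rather than its full path so that the same rule covers both the 32-bit and 64-bit provider host; in production, pair it with the parent's command line, since WmiPrvSE.exe hosting a different provider behaves differently.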
UAC policy values set to 0 (signature title not preserved in the source)
36 entries. Each of the 12 process instances listed (2 × 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe, 10 × services.exe, the dropped copy from the Program Files section) performs Set value (int) on all three of:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
EnableLUA = 0 turns UAC off entirely at the next reboot; ConsentPromptBehaviorAdmin = 0 lets elevation requests through without a prompt; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, where other processes can draw over it.
YARA match (signature title not preserved in the source)
resource: behavioral2/memory/3504-3-0x000000001B510000-0x000000001B63E000-memory.dmp, rule: dcrat
The dcrat rule fires on a memory dump of PID 3504, so the RAT body was present unpacked in memory even though the static extraction identified Colibri.
Command and Scripting Interpreter: PowerShell (1 TTP, 22 IoCs)
Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths and processes.
powershell.exe PIDs in the order listed: 3792, 3128, 3940, 4052, 2800, 3728, 660, 1404, 2244, 1528, 1084, 4804, 4816, 4780, 3768, 3248, 660, 2684, 2840, 1084, 4828, 1168 (660 and 1084 each appear twice: PID reuse within the run). The command lines themselves are not shown in this report.
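The report records that Defender exclusions were added but not the command lines that did it. The following added example, not part of the report, extracts exclusion changes from PowerShell command lines of the kind a process-creation log (Sysmon Event ID 1, or 4688 with command-line auditing) would carry. All four command lines are constructed; the services.exe path in the first one reuses a drop location from the report. The example also handles two things a naive string match misses: PowerShell binds a parameter from any unambiguous prefix (so -ExclusionE is -ExclusionExtension), and a script passed via -EncodedCommand is base64 of UTF-16LE text.

```python
"""Pull Defender exclusion changes out of PowerShell command lines.

Added example, not part of the report. The command lines are constructed; the
services.exe path reuses a drop location from the report.
"""
import base64
import re

# Add-MpPreference / Set-MpPreference parameters that widen Defender's blind spot.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress")

CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Single-quoted, double-quoted or bare tokens.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# powershell.exe accepts -e, -ec, -en, -enc ... -EncodedCommand for a base64 UTF-16LE script.
ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script):
    """Encode a script the way -EncodedCommand expects (used here to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload so the scan sees both forms."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def resolve_param(name):
    """PowerShell binds a parameter from any unambiguous prefix: -ExclusionE means
    -ExclusionExtension, while -ExclusionP is ambiguous (Path/Process) and binds nothing."""
    wanted = name.lstrip("-").lower()
    matches = [p for p in EXCLUSION_PARAMS if p.lower().startswith(wanted)] if wanted else []
    return matches[0] if len(matches) == 1 else None


def defender_exclusions(cmdline):
    """Return (parameter, value) pairs for every exclusion the command line adds."""
    text = expand_encoded(cmdline)
    matches = list(CMDLET.finditer(text))
    hits = []
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        tokens = TOKEN.findall(text[m.end():end])
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if not tok.startswith("-"):
                continue
            name, sep, inline = tok.partition(":")      # -Param:value form
            param = resolve_param(name)
            if param is None:
                continue
            if sep and inline:
                raw = inline
            elif i < len(tokens):
                raw, i = tokens[i], i + 1
            else:
                continue
            # A quoted argument is one value; a bare argument may be a comma list.
            values = [raw] if raw[0] in "'\"" else raw.split(",")
            for v in values:
                v = v.strip().strip("'\"")
                if v:
                    hits.append((param, v))
    return hits


# Constructed command lines (not from the report).
SAMPLES = {
    "plain": r'''powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'"''',
    "abbreviated": "powershell.exe Add-MpPreference -ExclusionE exe,dll -ExclusionProcess services.exe -Force",
    "encoded": "powershell -nop -w hidden -enc " + encode_command(r"Set-MpPreference -ExclusionPath:C:\Users\Public"),
    "benign": "powershell Get-MpPreference",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, "->", defender_exclusions(cmd))
```

The same parameters can be set through WMI (the MSFT_MpPreference class) or by writing HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions directly, so treat this as one of several detection points rather than the only one.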
Checks computer location settings (2 TTPs, 11 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation, by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (2 instances) and services.exe (9 instances)
Executes dropped EXE (39 IoCs)
PID and process, in the order listed: 892 tmpA656.tmp.exe, 4832 tmpA656.tmp.exe, 4108 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe, 1384 tmpB92E.tmp.exe, 4012 tmpB92E.tmp.exe, 4980 services.exe, 2944 tmpFB67.tmp.exe, 2260 tmpFB67.tmp.exe, 4648 services.exe, 5016 tmp2C99.tmp.exe, 3516 tmp2C99.tmp.exe, 2056 tmp2C99.tmp.exe, 2032 tmp2C99.tmp.exe, 2784 services.exe, 3004 tmp5D9C.tmp.exe, 3792 tmp5D9C.tmp.exe, 1552 tmp5D9C.tmp.exe, 1944 tmp5D9C.tmp.exe, 4224 services.exe, 3532 tmp9016.tmp.exe, 2624 tmp9016.tmp.exe, 4416 services.exe, 1372 tmpAD91.tmp.exe, 1912 tmpAD91.tmp.exe, 4456 services.exe, 3344 tmpC975.tmp.exe, 4444 tmpC975.tmp.exe, 2040 tmpC975.tmp.exe, 4792 services.exe, 1440 tmpF96E.tmp.exe, 2404 tmpF96E.tmp.exe, 3696 services.exe, 3004 tmp161E.tmp.exe, 2384 tmp161E.tmp.exe, 2776 tmp161E.tmp.exe, 2516 services.exe, 4852 tmp453D.tmp.exe, 3256 tmp453D.tmp.exe, 892 services.exe
The services.exe here is the dropped copy, not the Service Control Manager. The list repeats a cycle: a tmpXXXX.tmp.exe runs two to four times (the source and target of the SetThreadContext calls below), then a fresh services.exe instance starts.
EnableLUA queried and set (signature title not preserved in the source)
24 entries from 12 process instances (2 × 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe, 10 × services.exe): each instance both queries \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA and performs Set value (int) EnableLUA = "0" on it. The read-then-write pattern means every new instance re-applies the change, so restoring the value while the malware runs does not hold.
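Both registry sections above (the one zeroing EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, and this EnableLUA query-and-set section) come down to writes on one key. The following is an added example, not part of the report, that classifies such writes and states what each one does to UAC. The three value names and the "0" data are the report's; the event shape (target value path, data, writing process, as Sysmon Event ID 13 carries them) is an assumption, and the svchost.exe line and the Run-key line are constructed to show a write that restores a default and a write to an unrelated key.

```python
"""Classify registry writes to the UAC policy key.

Added example, not part of the report. The value names and "0" data are from the
report; the event shape is an assumption; the svchost.exe and Run-key lines are
constructed.
"""

UAC_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"

# Documented meanings of the UAC policy values the sample touched.
UAC_VALUES = {
    "enablelua": {
        "0": "UAC disabled; takes effect after reboot, then every admin logon gets a full token",
        "1": "UAC enabled (default)",
    },
    "consentpromptbehavioradmin": {
        "0": "elevate without prompting",
        "1": "prompt for credentials on the secure desktop",
        "2": "prompt for consent on the secure desktop",
        "3": "prompt for credentials",
        "4": "prompt for consent",
        "5": "prompt for consent for non-Windows binaries (default)",
    },
    "promptonsecuredesktop": {
        "0": "elevation prompt drawn on the user desktop, where other processes can overlay it",
        "1": "elevation prompt on the secure desktop (default)",
    },
}

# (TargetObject, Details, Image) as a Sysmon Event ID 13 would carry them.
WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0", "services.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "0", "services.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop", "0",
     "2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "5", "svchost.exe"),  # constructed: default restored
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "C:\\x.exe", "services.exe"),  # constructed: unrelated key
]


def normalize_key(key):
    """Map the kernel (\\REGISTRY\\MACHINE) and Win32 (HKEY_LOCAL_MACHINE) spellings to one form."""
    k = key.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if k.startswith(prefix):
            return "hklm\\" + k[len(prefix):]
    return k


def assess_uac_writes(writes):
    """One finding per write that lands on a known UAC policy value."""
    findings = []
    for target, data, process in writes:
        key, _, value = target.rpartition("\\")
        if normalize_key(key) != UAC_KEY:
            continue
        meanings = UAC_VALUES.get(value.lower())
        if meanings is None:
            continue
        findings.append({
            "value": value,
            "data": data,
            "process": process,
            "meaning": meanings.get(str(data), "non-standard data"),
            "weakens_uac": str(data) == "0",
        })
    return findings


def verdict(findings):
    """Summarise what the combination of weakening writes achieves."""
    weakened = {f["value"].lower() for f in findings if f["weakens_uac"]}
    tags = set()
    if "enablelua" in weakened:
        tags.add("uac_disabled_after_reboot")
    if "consentpromptbehavioradmin" in weakened:
        tags.add("silent_elevation")
    if "promptonsecuredesktop" in weakened:
        tags.add("prompt_off_secure_desktop")
    return tags


if __name__ == "__main__":
    found = assess_uac_writes(WRITES)
    for f in found:
        print(f"{f['process']}: {f['value']} = {f['data']} -> {f['meaning']}")
    print("verdict:", sorted(verdict(found)))
```

Sandbox output uses the kernel spelling of the hive (\REGISTRY\MACHINE) while most endpoint telemetry uses HKEY_LOCAL_MACHINE or HKLM; normalising before comparison is what lets one rule serve both sources.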
Suspicious use of SetThreadContext (11 IoCs)
Each dropped tmpXXXX.tmp.exe sets the thread context of a second instance of the same image (the target PIDs appear under Executes dropped EXE with the same names). This is the pattern of RunPE-style process hollowing: spawn a suspended copy, overwrite its image, redirect the entry point with SetThreadContext, resume.

source PID -> target PID   process            procid_target
892  -> 4832               tmpA656.tmp.exe    98
1384 -> 4012               tmpB92E.tmp.exe    178
2944 -> 2260               tmpFB67.tmp.exe    218
2056 -> 2032               tmp2C99.tmp.exe    232
1552 -> 1944               tmp5D9C.tmp.exe    243
3532 -> 2624               tmp9016.tmp.exe    252
1372 -> 1912               tmpAD91.tmp.exe    261
4444 -> 2040               tmpC975.tmp.exe    271
1440 -> 2404               tmpF96E.tmp.exe    280
2384 -> 2776               tmp161E.tmp.exe    291
4852 -> 3256               tmp453D.tmp.exe    300
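A SetThreadContext call on its own is ambiguous; what separates self-hollowing from injection into a legitimate process is whether the target is the caller's own suspended child and whether it runs the same image. The following added example, not part of the report, correlates the eleven SetThreadContext rows above with a process table to make that distinction. The (source, target, image) rows are the report's; the parent/child relation between each source and target is constructed (the report does not print parent PIDs), as is the final row, where a constructed tmpBEEF.tmp.exe targets an unrelated svchost.exe.

```python
"""Correlate SetThreadContext calls with process ancestry to tell self-hollowing
from thread hijacking in a foreign process.

Added example, not part of the report. REPORT_CALLS are the report's rows; the
parent/child links and the CONSTRUCTED_CALLS row are made up for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# (source_pid, target_pid, source_image) exactly as listed in the report.
REPORT_CALLS = [
    (892, 4832, "tmpA656.tmp.exe"), (1384, 4012, "tmpB92E.tmp.exe"), (2944, 2260, "tmpFB67.tmp.exe"),
    (2056, 2032, "tmp2C99.tmp.exe"), (1552, 1944, "tmp5D9C.tmp.exe"), (3532, 2624, "tmp9016.tmp.exe"),
    (1372, 1912, "tmpAD91.tmp.exe"), (4444, 2040, "tmpC975.tmp.exe"), (1440, 2404, "tmpF96E.tmp.exe"),
    (2384, 2776, "tmp161E.tmp.exe"), (4852, 3256, "tmp453D.tmp.exe"),
]
# Constructed: a dropper that hijacks a thread in a process it did not create.
CONSTRUCTED_CALLS = [(7001, 7002, "tmpBEEF.tmp.exe")]


def build_process_table():
    """pid -> Proc. The 'target was created by source' link is constructed; the
    report shows matching images for source and target but not parent PIDs."""
    procs = {}
    for src, tgt, image in REPORT_CALLS:
        procs[src] = Proc(src, 0, image)       # parent of the dropper instance not modelled
        procs[tgt] = Proc(tgt, src, image)     # constructed: suspended child of src, same image
    procs[7001] = Proc(7001, 0, "tmpBEEF.tmp.exe")   # constructed
    procs[7002] = Proc(7002, 600, "svchost.exe")     # constructed: parent is a services host, not 7001
    return procs


def classify(call, procs):
    """Name the technique implied by one SetThreadContext call."""
    src_pid, tgt_pid, src_image = call
    tgt = procs.get(tgt_pid)
    if tgt is None:
        return "unknown_target"
    if tgt.ppid != src_pid:
        return "thread_hijack_in_foreign_process"
    if tgt.image.lower() == src_image.lower():
        return "self_hollowing"             # RunPE of the caller's own image, as in the report
    return "hollowing_of_other_image"       # suspended legitimate binary overwritten with payload


def summarize(calls, procs):
    """Group (source, target) PID pairs by classification."""
    out = {}
    for call in calls:
        out.setdefault(classify(call, procs), []).append((call[0], call[1]))
    return out


if __name__ == "__main__":
    table = build_process_table()
    for label, pairs in summarize(REPORT_CALLS + CONSTRUCTED_CALLS, table).items():
        print(f"{label}: {pairs}")
```

In the report every call falls in the first class, which is typical of a packer or crypter stub unpacking its payload into a copy of itself; the foreign-process class is the one that should page someone, because it means a legitimate process now runs attacker code.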
Drops file in Program Files directory (26 IoCs)
All by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe. Every executable is written under a Windows system binary's name into a directory where that binary does not belong, and each has a 14-character hex-named companion file beside it (a DcRat drop pattern visible throughout this list).

File created (16):
C:\Program Files (x86)\Windows NT\wininit.exe
C:\Program Files (x86)\Windows NT\56085415360792
C:\Program Files\Windows Sidebar\Gadgets\explorer.exe
C:\Program Files\Windows Sidebar\Gadgets\7a0fd90576e088
C:\Program Files\Windows Portable Devices\services.exe
C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc
C:\Program Files\Windows Defender\es-ES\SearchApp.exe
C:\Program Files\Windows Defender\es-ES\38384e6a620884
C:\Program Files (x86)\Windows Defender\TextInputHost.exe
C:\Program Files (x86)\Windows Defender\22eafd247d37c3
C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe
C:\Program Files\Java\jdk-1.8\include\eddb19405b7ce1
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9
C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3

File opened for modification (10):
C:\Program Files (x86)\Windows NT\wininit.exe
C:\Program Files (x86)\Windows NT\RCXA5A9.tmp
C:\Program Files\Windows Sidebar\Gadgets\explorer.exe
C:\Program Files\Windows Portable Devices\services.exe
C:\Program Files\Windows Defender\es-ES\SearchApp.exe
C:\Program Files (x86)\Windows Defender\TextInputHost.exe
C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXA3A4.tmp
Drops file in Windows directory (9 IoCs)
All by 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe; the same name-plus-hex-companion pattern as the Program Files drops, in Windows subdirectories that never hold these binaries.

File created (6):
C:\Windows\RemotePackages\WaaSMedicAgent.exe
C:\Windows\RemotePackages\c82b8037eab33d
C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe
C:\Windows\BitLockerDiscoveryVolumeContents\eddb19405b7ce1
C:\Windows\fr-FR\explorer.exe
C:\Windows\fr-FR\7a0fd90576e088

File opened for modification (3):
C:\Windows\RemotePackages\WaaSMedicAgent.exe
C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe
C:\Windows\fr-FR\explorer.exe
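The two drop sections above show the same two signals side by side: a system binary's name in a directory where the genuine binary never lives, and a 14-hex-character companion file next to it. The following added example, not part of the report, checks a list of created paths for both and pairs them up. The PATHS list is the set of files the report says the sample created (Program Files and Windows directory sections); the two benign entries at the end are constructed. The table of expected locations covers only the names in this report and is illustrative, not an inventory of Windows.

```python
"""Spot dropped files that borrow a Windows system binary's name and sit in the
wrong directory, and pair each with the 14-hex companion file beside it.

Added example, not part of the report. PATHS are the files the report lists as
created by the sample plus two constructed benign entries.
"""
import re
from collections import defaultdict

# Home directory of the genuine binary (exact directory match). Anything with
# one of these names outside its home, SystemApps or the WinSxS store is suspect.
EXPECTED_DIRS = {
    "wininit.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "waasmedicagent.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "searchapp.exe": set(),        # packaged app, only ever under SystemApps
    "textinputhost.exe": set(),    # packaged app, only ever under SystemApps
}
TRUSTED_PREFIXES = ("c:\\windows\\systemapps\\", "c:\\windows\\winsxs\\")
HEX14 = re.compile(r"^[0-9a-f]{14}$")

PATHS = [
    r"C:\Program Files (x86)\Windows NT\wininit.exe", r"C:\Program Files (x86)\Windows NT\56085415360792",
    r"C:\Program Files\Windows Sidebar\Gadgets\explorer.exe", r"C:\Program Files\Windows Sidebar\Gadgets\7a0fd90576e088",
    r"C:\Program Files\Windows Portable Devices\services.exe", r"C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc",
    r"C:\Program Files\Windows Defender\es-ES\SearchApp.exe", r"C:\Program Files\Windows Defender\es-ES\38384e6a620884",
    r"C:\Program Files (x86)\Windows Defender\TextInputHost.exe", r"C:\Program Files (x86)\Windows Defender\22eafd247d37c3",
    r"C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe", r"C:\Program Files\Java\jdk-1.8\include\eddb19405b7ce1",
    r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe", r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe", r"C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3",
    r"C:\Windows\RemotePackages\WaaSMedicAgent.exe", r"C:\Windows\RemotePackages\c82b8037eab33d",
    r"C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe", r"C:\Windows\BitLockerDiscoveryVolumeContents\eddb19405b7ce1",
    r"C:\Windows\fr-FR\explorer.exe", r"C:\Windows\fr-FR\7a0fd90576e088",
    r"C:\Windows\System32\services.exe",   # constructed: the genuine binary, must not be flagged
    r"C:\Windows\explorer.exe",            # constructed: the genuine binary, must not be flagged
]


def split_path(path):
    """(lower-cased directory, lower-cased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def masqueraded(paths):
    """Paths whose file name is a known system binary living outside its home."""
    hits = []
    for p in paths:
        directory, name = split_path(p)
        homes = EXPECTED_DIRS.get(name)
        if homes is None or directory in homes or directory.startswith(TRUSTED_PREFIXES):
            continue
        hits.append(p)
    return hits


def hex_companions(paths):
    """directory -> list of 14-hex-character file names found in it."""
    by_dir = defaultdict(list)
    for p in paths:
        directory, name = split_path(p)
        if HEX14.match(name):
            by_dir[directory].append(name)
    return by_dir


def drop_pairs(paths):
    """(masqueraded exe, companion) for every flagged exe with a 14-hex sibling."""
    companions = hex_companions(paths)
    return [(p, c) for p in masqueraded(paths) for c in companions.get(split_path(p)[0], [])]


if __name__ == "__main__":
    for exe, companion in drop_pairs(PATHS):
        print(f"{exe}  +  {companion}")
```

Exact directory matching matters for explorer.exe: a prefix match on C:\Windows would have waved through C:\Windows\fr-FR\explorer.exe, which is one of the report's drops.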
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage or optical drives.
System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
Attempts to gather information about the victim's system language in order to infer the host's geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the dropped tmp*.tmp.exe instances only: tmpAD91.tmp.exe, tmpC975.tmp.exe (2), tmp2C99.tmp.exe (3), tmp5D9C.tmp.exe (3), tmp161E.tmp.exe (2), tmpF96E.tmp.exe, tmp9016.tmp.exe, tmpFB67.tmp.exe, tmp453D.tmp.exe, tmpA656.tmp.exe, tmpB92E.tmp.exe. Neither the sample nor the dropped services.exe performs this check; they query Geo\Nation instead (see Checks computer location settings).
Modifies registry class 11 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | services.exe (9 instances)
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (1 instance)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (1 instance)
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (60 instances)
pid (in report order): 4304, 3588, 2684, 2520, 3260, 3516, 1456, 4584, 1172, 4532, 4152, 4100, 4676, 4924, 456, 848, 3680, 2736, 4436, 3056, 4388, 512, 1652, 4544, 4740, 920, 672, 2140, 2480, 2732, 3812, 1496, 1924, 2236, 2984, 4964, 4920, 4416, 1732, 2064, 1628, 3720, 4828, 4216, 2696, 4836, 1660, 3220, 1368, 1916, 4396, 216, 4892, 1840, 4980, 4584, 3724, 3632, 2440, 3852
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences (rows in report order)
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3
2684 | powershell.exe | 2
3728 | powershell.exe | 2
660 | powershell.exe | 2
4828 | powershell.exe | 2
3248 | powershell.exe | 2
4052 | powershell.exe | 2
3792 | powershell.exe | 2
1084 | powershell.exe | 2
4804 | powershell.exe | 2
1168 | powershell.exe | 2
2800 | powershell.exe | 2
4052, 2684, 660, 3728, 3248, 1084, 4828, 3792, 4804, 2800, 1168 | powershell.exe | 1 each
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 21
1084 | powershell.exe | 2
660 | powershell.exe | 2
4780 | powershell.exe | 2
2840 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Token: SeDebugPrivilege | 2684, 3728, 660, 4828, 3248, 4052, 3792, 1084, 4804, 1168, 2800 | powershell.exe
Token: SeDebugPrivilege | 4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Token: SeDebugPrivilege | 1084, 660, 4780, 2840, 1404, 3128, 4816, 3768, 2244, 3940, 1528 | powershell.exe
Token: SeDebugPrivilege | 4980, 4648, 2784, 4224, 4416, 4456, 4792, 3696, 2516, 892 | services.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row reads "PID <source> wrote to memory of <target>"; rows are in report order.
source pid | source Process | target pid | procid_target | occurrences
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 892 | 96 | 3
892 | tmpA656.tmp.exe | 4832 | 98 | 7
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1168 | 101 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 2684 | 102 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4828 | 103 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3792 | 104 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 660 | 105 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3728 | 106 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1084 | 107 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4804 | 108 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3248 | 109 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 2800 | 110 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4052 | 111 | 2
3504 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4108 | 123 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1384 | 176 | 3
1384 | tmpB92E.tmp.exe | 4012 | 178 | 7
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4816 | 186 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 2840 | 187 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 4780 | 188 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 660 | 189 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1404 | 190 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3940 | 191 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1084 | 192 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 3768 | 194 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 1528 | 196 | 2
4108 | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe | 2244 | 199 | 2
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (2 instances), services.exe (10 instances)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (2 instances), services.exe (10 instances)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe (2 instances), services.exe (10 instances)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA656.tmp.exe"3⤵
- Executes dropped EXE
PID:4832
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
-
C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp.exe"4⤵
- Executes dropped EXE
PID:4012
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Pz8Ynvt3a.bat"3⤵PID:1664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵PID:3852
-
-
C:\Program Files\Windows Portable Devices\services.exe"C:\Program Files\Windows Portable Devices\services.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4980 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50892823-17cd-433c-823b-f4495ab15f83.vbs"5⤵PID:5048
-
C:\Program Files\Windows Portable Devices\services.exe"C:\Program Files\Windows Portable Devices\services.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4648 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d4f9d47-b665-44be-9ff4-c7e1a53a3e66.vbs"7⤵PID:2384
-
C:\Program Files\Windows Portable Devices\services.exe (tree level 8)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2784

C:\Windows\System32\WScript.exe (tree level 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37887128-9004-4969-b8e1-cb3c4caab28b.vbs"
PID: 4840

C:\Program Files\Windows Portable Devices\services.exe (tree level 10)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4224

C:\Windows\System32\WScript.exe (tree level 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3076b75-73cc-4e7e-80ec-18db6d795930.vbs"
PID: 4396

C:\Program Files\Windows Portable Devices\services.exe (tree level 12)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4416

C:\Windows\System32\WScript.exe (tree level 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c6e380-2b2e-46aa-9b66-b9ac69616eb9.vbs"
PID: 968

C:\Program Files\Windows Portable Devices\services.exe (tree level 14)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4456

C:\Windows\System32\WScript.exe (tree level 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefb4c54-01ec-44a2-a03e-810060deeff5.vbs"
PID: 4188

C:\Program Files\Windows Portable Devices\services.exe (tree level 16)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4792

C:\Windows\System32\WScript.exe (tree level 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dde63b9-6159-4cb8-9d11-507b1669fc6f.vbs"
PID: 2104

C:\Program Files\Windows Portable Devices\services.exe (tree level 18)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 3696

C:\Windows\System32\WScript.exe (tree level 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc5f3b0-a542-439a-8e1e-4366032bd071.vbs"
PID: 1752

C:\Program Files\Windows Portable Devices\services.exe (tree level 20)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2516

C:\Windows\System32\WScript.exe (tree level 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d001f2d0-ddb2-4edc-910c-7b4b06980ab1.vbs"
PID: 1052

C:\Program Files\Windows Portable Devices\services.exe (tree level 22)
Command line: "C:\Program Files\Windows Portable Devices\services.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 892
C:\Windows\System32\WScript.exe (tree level 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b83a6f-0cc6-4003-9a01-9d2f19d27903.vbs"
PID: 4356

C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe (tree level 21)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4852

C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe (tree level 22)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp453D.tmp.exe"
- Executes dropped EXE
PID: 3256
C:\Windows\System32\WScript.exe (tree level 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6dd203d-5ade-40fc-8495-3b34ffcb7fd1.vbs"
PID: 4108

C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe (tree level 19)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3004

C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe (tree level 20)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2384

C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe (tree level 21)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp.exe"
- Executes dropped EXE
PID: 2776
C:\Windows\System32\WScript.exe (tree level 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b46131-d61b-4093-bfa8-218e1c530f94.vbs"
PID: 3532

C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe (tree level 17)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1440

C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe (tree level 18)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF96E.tmp.exe"
- Executes dropped EXE
PID: 2404
C:\Windows\System32\WScript.exe (tree level 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d371f8d-c770-4dbd-b50d-e2684a07c1ab.vbs"
PID: 2732

C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe (tree level 15)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3344

C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe (tree level 16)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4444

C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe (tree level 17)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC975.tmp.exe"
- Executes dropped EXE
PID: 2040
C:\Windows\System32\WScript.exe (tree level 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ec6c27e-3cfb-43f6-af2f-ba9effc0a8f8.vbs"
PID: 2092

C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe (tree level 13)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1372

C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe (tree level 14)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAD91.tmp.exe"
- Executes dropped EXE
PID: 1912
C:\Windows\System32\WScript.exe (tree level 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2789fbf3-fa06-415e-9725-3785a8db44a9.vbs"
PID: 4892

C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe (tree level 11)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3532

C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe (tree level 12)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9016.tmp.exe"
- Executes dropped EXE
PID: 2624
C:\Windows\System32\WScript.exe (tree level 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34beb3eb-3379-4885-9abf-cad954c3f90e.vbs"
PID: 3788

C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe (tree level 9)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3004

C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe (tree level 10)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3792

C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe (tree level 11)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1552

C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe (tree level 12)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5D9C.tmp.exe"
- Executes dropped EXE
PID: 1944
C:\Windows\System32\WScript.exe (tree level 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e08dffcf-b32c-4f33-9290-0312b8982c03.vbs"
PID: 2444

C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe (tree level 7)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 5016

C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe (tree level 8)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3516

C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe (tree level 9)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2056

C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe (tree level 10)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C99.tmp.exe"
- Executes dropped EXE
PID: 2032
C:\Windows\System32\WScript.exe (tree level 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\916b4a8f-6970-4620-b88e-9e1887bc7626.vbs"
PID: 2800

C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe (tree level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2944

C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe (tree level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFB67.tmp.exe"
- Executes dropped EXE
PID: 2260
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 216

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4100

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\MusNotification.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2736

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1496

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 672

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4416

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3056

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3632

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4584

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1732

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1172

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2440

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3720

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4892

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 512
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4436

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1924

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4924

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3260

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4836

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1840

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1660

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2684

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 456

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3516

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4216

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3220

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1368

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2520

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2480
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2140

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4676

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3852

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4532

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 848

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\include\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2236

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4828

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4980

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2064

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4544

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2984

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4388

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1652

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4964

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1916
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4304

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3588

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1456

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1628

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4920

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4396

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 920

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2732

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WaaSMedicAgent.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4152

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4584

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3680

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4740

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2696

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3724

C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3812
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe.log
Filesize
1KB
MD5bbb951a34b516b66451218a3ec3b0ae1
SHA17393835a2476ae655916e0a9687eeaba3ee876e9
SHA256eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA51263bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5aaaac7c68d2b7997ed502c26fd9f65c2
SHA17c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA2568724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5457770e1c3411b3079598f94b3be7ab5
SHA14067100e8bb26ca1d34599e3a50e2f18d5d350c4
SHA256b5ce065648d8c810cde1a8472424bb7b6fec867b14d72cec9c2e58cf6d8aca50
SHA51254bdc0a2261fcbb2ebb8f29b102e5fc7b2af4d33bb82016c4187a01bfe92c522cbc38faa46614b24cdbce3f6eba4b44587ff007fca6961f95e0a34f0cc35d104
-
Filesize
944B
MD5b4b6d4cc52b5a3a71149b1f33d94d5de
SHA197d3dbdd24919eab70e3b14c68797cefc07e90dd
SHA256da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe
SHA512fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af
-
Filesize
944B
MD57d9ecfe610b58440e18d2bffe5167d71
SHA17afeed064042ef5e614228f678a0c595699c3d84
SHA2562c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632
SHA512017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29
-
Filesize
944B
MD53b444d3f0ddea49d84cc7b3972abe0e6
SHA10a896b3808e68d5d72c2655621f43b0b2c65ae02
SHA256ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
SHA512eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
-
Filesize
944B
MD506fd7257306cba6d58a43b20391a7308
SHA118c7b5aea005c71e490a6d41b3879531b3983a6d
SHA2569e0012e95506b8d02ea9edc2060211f423b331aedeb312e13a349d5f11d9df21
SHA512173d45f70a9bf048b35083787fa6108bd175a26601b3a9eb895c85956040a4d9a36ff50ff9f1e6eb8c731fe1d303485b6a5611669549f8be9fede77cd0789317
-
Filesize
944B
MD5a9a7f35c006bbf5da72f9cb250ffbddb
SHA1458a8cedc38dac109631d9fccb3bf6d2c5c0e89e
SHA256a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b
SHA512d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131
-
Filesize
944B
MD5a672fcf7facce635c83caf7b195d0bf8
SHA1fec2f6c2456efe713ba08fa692a4a356f2f37ba8
SHA25671945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c
SHA51212713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f
-
Filesize
944B
MD58320aeea03d40a74715d8b9613f9d0cc
SHA109fcf3cf06de496b434aaf3181f5aed78731425e
SHA25654d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205
SHA5127d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba
-
Filesize
944B
MD5b740f7616c3c3d006afd7e1586758eeb
SHA1c465af4c07ecb9e3de239c410d3b2ed5de93cdde
SHA256c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872
SHA512d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e
-
Filesize
730B
MD5279099b7e7f27f077253fcdab5f3d8aa
SHA1837bbc9640bc3e1ed74936a8139e09eab5e12df7
SHA2566135e100baa0ad46e59de998085a289b1ceebc9617dfed0f344008bacd4adce4
SHA51257ed79d04c1d124b2ce50e7af53df23b594c5ce59501ff576c586f926882280f21ca927e62f29adc9d976527af3049e93ff791a32e4df94a0b22f35a88170ea1
-
Filesize
730B
MD5655b2434e4d88ba145963fcc62e43b04
SHA1d1bbcf6d58eb22a3e6c13c4744001a08e4056811
SHA2568a5b7111f8442514588ca22c2fa89b2875968fdeb5dcce8720a8ddb9c0b6086a
SHA512f93992a6672c93d8ff5222df11b46343791d76b9720ad3680de47c6aec3d4e69db55b19cd05d77762dd2b8f3a763a5f1958ae27f2b98bdaf6906b2ec62477d49
-
Filesize
219B
MD51ebb073a90b6aa1213b5ada2ce7afa88
SHA15cea88eab3fad84a252d03721df020fcaa2c82dd
SHA256f8ca87fe7371ed5be04b65862002842dcb8905c13ef0967370c7b0ea178e456d
SHA51220f7ae01b3e2308682686249d23c1dd848da12a22085c92c265ae168ee2a793a5a7cb7290848bc00ba1ad7edbcc2960973393dac23db3e2c8391eb606c277c74
-
Filesize
730B
MD521682ce4eedc90f91574b0eff470cffa
SHA189548af874c455fdd5a7f91d94b066bb22288a6b
SHA256c13a56d796f5a27a705560e674967c86febe30acaa6dda6e64a062f0121c6bfc
SHA512affaa285b9cc600d2faebb684ed6a736262af7dc3fd2795681f83837ef01179df2f7c6d6258f497685ccba784a1df1fda30b29072c50dea50c30c234968bf2e9
-
Filesize
506B
MD574f0f8b0f9121ccaca68f3866685c465
SHA1fd36b2a2277374ef2e59419bebc9894d60b75265
SHA2564238bac8427aef82bfcd4583ef93bff8cf18ef696df0ba74cd445851a3aaf37b
SHA5123bb2ffb953536f3ab5c602ccaa9986b9d8f2edfd5dd3bf892eddd1241efdce158e2c8d75133db69d004348340c757c90242d797bc178447c2ed14908b232c2a3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
730B
MD5d8d22e9143480a75f11deecd067a6b46
SHA1851ea76cf60e087893e35766ff35b9516b33f580
SHA25698c16237c8483f60fa43507487965ca65af6299fa3a898a8ed6cbbf5fe657f0f
SHA51261359f279e6464b7981e2161c710ed9015ce67f91b17078b947b2f255c07734adc61dd717867a415a3fa594a8011220ea087e8652ff59316979716dc41d9b494
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5fa51bf709923fc828149634c38cd60e0
SHA1c6ff8deac79ee442ec3fd2bd034264f07f9964a1
SHA2562714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8
SHA512e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd