Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
14-11-2024 07:00
Static task
static1
Behavioral task
behavioral1
Sample
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Resource
win7-20240903-en
General
-
Target
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
-
Size
4.9MB
-
MD5
06f186fc55f38b20a7273da22fe0007a
-
SHA1
3eae6dd2aec4dcd82864b9fbe446e85ea603784b
-
SHA256
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
-
SHA512
05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
Family colibri
Version 1.2.0
Build Build1
C2 http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
C2 http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri family
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the parent is wmiprvse.exe, as in every entry here, the more likely cause is process creation over WMI (Win32_Process.Create): the WMI provider host, not the caller, becomes the parent of the new process, so the real initiator has to be found from WMI activity logging rather than from the process tree.
description pid pid_target Process procid_target
All 39 entries: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; Process schtasks.exe; pid_target 4968; procid_target 86
pid (schtasks.exe): 1944, 1628, 4780, 3548, 4548, 2660, 4844, 5000, 4144, 4936, 4616, 3664, 2384, 3688, 5096, 536, 4756, 744, 2776, 4572, 4208, 2456, 2192, 2324, 3304, 2728, 2792, 1712, 3588, 2988, 1068, 2064, 3992, 696, 2380, 4712, 3788, 4708, 4048
Sets UAC policy values to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) 45 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": 14 writes by dllhost.exe, 1 by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0": 14 writes by dllhost.exe, 1 by the sample
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0": 14 writes by dllhost.exe, 1 by the sample
Effect: ConsentPromptBehaviorAdmin = 0 makes administrators elevate silently and PromptOnSecureDesktop = 0 moves any remaining prompts off the secure desktop, both without a reboot; EnableLUA = 0 switches UAC off altogether but only takes effect after the next reboot. Each value is written 15 times, matching the sample plus its 14 dllhost.exe copies, so the writes recur with every copy that runs.
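The registry rows above, turned into a per-process UAC posture check. This is an added example and is not code from the Triage report or from the malware; it parses rows in the exact format the report uses, normalises the kernel registry paths to HKLM/HKU, and explains each of the three values when it is 0. REPORT_ROWS are copied from the report; the live-registry reader at the end is an assumption about how the same check would be applied on a real Windows host (winreg, read-only).

```python
"""Parse the report's registry rows and assess the UAC policy values they set.

Added example, not code from the Triage report. Rows look like
  Set value (int) \\REGISTRY\\MACHINE\\...\\System\\EnableLUA = "0" dllhost.exe
  Key value queried \\REGISTRY\\MACHINE\\...\\System\\EnableLUA dllhost.exe
The report rows carry process names only, so per_process_writes() groups by
name and cannot tell the 14 dllhost.exe copies apart.
"""
import re
import sys
from collections import defaultdict

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Stock Windows 10 client values.
SECURE_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

SET_RE = re.compile(r'^Set value \((\w+)\) (.+) = "([^"]*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (.+) (\S+)$')
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

def normalise(path):
    """Kernel-style \\REGISTRY\\MACHINE\\... -> HKLM\\...; \\REGISTRY\\USER\\... -> HKU\\..."""
    for prefix, hive in HIVES.items():
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path

def parse_rows(rows):
    """Return [(action, key, value_name, value, process)]; value is None for queries."""
    events = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            kind, full, value, proc = m.groups()
            key, _, name = normalise(full).rpartition("\\")
            events.append(("set", key, name, int(value) if kind == "int" else value, proc))
            continue
        m = QUERY_RE.match(row)
        if m:
            full, proc = m.groups()
            key, _, name = normalise(full).rpartition("\\")
            events.append(("query", key, name, None, proc))
    return events

def per_process_writes(events):
    """process name -> {UAC value name: last value written}."""
    written = defaultdict(dict)
    for action, key, name, value, proc in events:
        if action == "set" and key.upper() == POLICY_KEY.upper() and name in SECURE_DEFAULTS:
            written[proc][name] = value
    return dict(written)

def uac_findings(values):
    """[(value name, why it matters)] for each value set to 0. An absent value
    means Windows applies its default, so it is not a finding."""
    notes = {
        "EnableLUA": "UAC off; every admin process runs fully elevated after the next reboot",
        "ConsentPromptBehaviorAdmin": "administrators elevate with no prompt, effective immediately",
        "PromptOnSecureDesktop": "prompts leave the secure desktop and can be read or driven by other software",
    }
    return [(n, notes[n]) for n, d in SECURE_DEFAULTS.items() if values.get(n, d) == 0]

def read_live_values():
    """Read the real key on Windows (no elevation needed for a read); None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY.split("\\", 1)[1]) as key:
        for name in SECURE_DEFAULTS:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent: the default applies
    return out

# Rows copied from the report (a Geo\Nation query is included to show non-UAC rows pass through).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe',
]

if __name__ == "__main__":
    for proc, values in per_process_writes(parse_rows(REPORT_ROWS)).items():
        for name, why in uac_findings(values):
            print(f"{proc}: {name}=0: {why}")
    live = read_live_values()
    if live is not None:
        print("this host:", uac_findings(live) or "UAC values at defaults")
```

On a Windows host the last block reports the live values; to undo what this sample does, write SECURE_DEFAULTS back and reboot for EnableLUA to take effect.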
resource yara_rule
behavioral2/memory/5028-3-0x000000001C030000-0x000000001C15E000-memory.dmp dcrat
YARA match behind the Dcrat family signature: the dcrat rule hit a memory region (0x1C030000-0x1C15E000) of PID 5028, the sample process.
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. This is the signature's generic description; the PowerShell command lines are not reproduced in this section.
pid Process
powershell.exe: 1324, 3092, 5084, 3632, 3440, 1792, 3996, 4772, 2040, 3688, 3108
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation: 14 queries by dllhost.exe, 1 by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Executes dropped EXE 42 IoCs
pid Process
3372 tmp9A9D.tmp.exe, 3488 tmp9A9D.tmp.exe, 4824 dllhost.exe
3156 tmpD7A3.tmp.exe, 4612 tmpD7A3.tmp.exe, 2652 dllhost.exe
4692 tmpF491.tmp.exe, 2980 tmpF491.tmp.exe, 3852 dllhost.exe
4744 tmp23FE.tmp.exe, 2988 tmp23FE.tmp.exe, 3168 dllhost.exe
1572 tmp3F94.tmp.exe, 4760 tmp3F94.tmp.exe, 4592 dllhost.exe
3492 tmp8373.tmp.exe, 4424 tmp8373.tmp.exe, 1712 tmp8373.tmp.exe, 624 tmp8373.tmp.exe, 4144 dllhost.exe
2456 tmpB3EA.tmp.exe, 3996 tmpB3EA.tmp.exe, 4456 dllhost.exe
3916 tmpCF03.tmp.exe, 820 tmpCF03.tmp.exe, 1508 dllhost.exe
540 dllhost.exe
2256 tmp1C29.tmp.exe, 756 tmp1C29.tmp.exe, 4156 dllhost.exe
2360 tmp4B38.tmp.exe, 3916 tmp4B38.tmp.exe, 1184 dllhost.exe
3944 tmp66A0.tmp.exe, 640 tmp66A0.tmp.exe, 1064 dllhost.exe
3440 dllhost.exe
2724 tmpB174.tmp.exe, 3632 tmpB174.tmp.exe, 5020 dllhost.exe
2560 tmpCCDB.tmp.exe, 3392 tmpCCDB.tmp.exe
The list is in execution order and shows a repeating cycle: a tmp*.tmp.exe starts, starts a second copy of itself (the instance whose thread context is replaced; see "Suspicious use of SetThreadContext" below), and a dllhost.exe copy follows. 13 distinct tmp*.tmp.exe payloads and 14 dllhost.exe copies run in all. PIDs are reused within the run (3916 is first tmpCF03.tmp.exe and later tmp4B38.tmp.exe; 3440, 1712, 2456, 2988, 3632, 3688, 3996 and 4144 also appear under different images in other tables), so correlate on the sandbox procid rather than the PID.
Checks and disables UAC (EnableLUA) 30 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: 14 by dllhost.exe, 1 by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": 14 by dllhost.exe, 1 by the sample
The 15 reads are matched by 15 writes, so the write is not conditional on the value read: every copy rewrites EnableLUA to 0 even after an earlier copy already did.
Suspicious use of SetThreadContext 13 IoCs
description pid Process procid_target
PID 3372 set thread context of 3488: tmp9A9D.tmp.exe, procid_target 128
PID 3156 set thread context of 4612: tmpD7A3.tmp.exe, procid_target 170
PID 4692 set thread context of 2980: tmpF491.tmp.exe, procid_target 179
PID 4744 set thread context of 2988: tmp23FE.tmp.exe, procid_target 191
PID 1572 set thread context of 4760: tmp3F94.tmp.exe, procid_target 201
PID 1712 set thread context of 624: tmp8373.tmp.exe, procid_target 212
PID 2456 set thread context of 3996: tmpB3EA.tmp.exe, procid_target 222
PID 3916 set thread context of 820: tmpCF03.tmp.exe, procid_target 231
PID 2256 set thread context of 756: tmp1C29.tmp.exe, procid_target 245
PID 2360 set thread context of 3916: tmp4B38.tmp.exe, procid_target 254
PID 3944 set thread context of 640: tmp66A0.tmp.exe, procid_target 263
PID 2724 set thread context of 3632: tmpB174.tmp.exe, procid_target 278
PID 2560 set thread context of 3392: tmpCCDB.tmp.exe, procid_target 287
Every entry is a tmp*.tmp.exe instance replacing the thread context of a freshly started copy of itself (the target PIDs are the second instance of each pair under "Executes dropped EXE"). For the first pair the WriteProcessMemory table at the end of the report shows 3372 writing into 3488 seven times; writes into a self-spawned child followed by SetThreadContext is the standard process-hollowing sequence. Note the PID reuse: 3916 is the writer for tmpCF03.tmp.exe and the target for tmp4B38.tmp.exe.
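Detection logic for the two process-tree signatures above ("Process spawned unexpected child process" and "Suspicious use of SetThreadContext", together with the matching WriteProcessMemory entries at the end of the report), as an added Python example. It is not part of the Triage report and not the malware's own code. The PIDs and procids follow the report; the event shape, the file paths under C:\Users\Admin and the browser-style control process are assumptions.

```python
"""Process-tree checks for two of the report's signatures.

Added example; not code from the Triage report or from the malware authors.
The events are constructed to mirror the report: WmiPrvSE.exe (PID 4968,
procid 86) starting schtasks.exe, and tmp9A9D.tmp.exe (PID 3372, procid 126)
starting a copy of itself (PID 3488, procid 128), writing into it seven times
and replacing its thread context. A browser-style parent that also starts a
copy of itself is included as a control. Processes are keyed by a run-unique
procid (sandbox procid or EDR process GUID), not by PID, because PIDs are
reused within a run. File paths are assumed, not taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass

# Parents that should never start these children: assumed baseline, extend from your own telemetry.
UNEXPECTED_CHILDREN = {
    r"c:\windows\system32\wbem\wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"},
}

@dataclass(frozen=True)
class Event:
    kind: str            # "create", "write_memory" or "set_thread_context"
    procid: int          # run-unique id of the acting process
    pid: int
    image: str
    target_procid: int = 0
    target_pid: int = 0
    target_image: str = ""

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unexpected_children(events):
    """(parent pid, child name, child pid) for creations the parent should never do.
    For WmiPrvSE.exe this normally means a Win32_Process.Create call over WMI:
    the provider host, not the caller, becomes the parent of the new process."""
    hits = []
    for e in events:
        if e.kind == "create":
            child = basename(e.target_image)
            if child in UNEXPECTED_CHILDREN.get(e.image.lower(), ()):
                hits.append((e.pid, child, e.target_pid))
    return hits

def hollowing_candidates(events):
    """(image, parent procid, child procid, writes) where a process started a copy
    of its own image, wrote into it and then set a thread context on it: the
    sequence every tmp*.tmp.exe pair in the report shows. A self-spawn with only
    the couple of writes a parent typically makes while creating a child, and no
    thread-context change, is not reported."""
    self_spawn = {}                # child procid -> (parent procid, image)
    writes = defaultdict(int)      # (parent procid, child procid) -> count
    context_set = set()            # (parent procid, child procid)
    for e in events:
        pair = (e.procid, e.target_procid)
        if e.kind == "create" and basename(e.image) == basename(e.target_image):
            self_spawn[e.target_procid] = (e.procid, basename(e.image))
        elif e.kind == "write_memory":
            writes[pair] += 1
        elif e.kind == "set_thread_context":
            context_set.add(pair)
    return [(image, parent, child, writes[(parent, child)])
            for child, (parent, image) in self_spawn.items()
            if (parent, child) in context_set and writes[(parent, child)]]

WMI = r"C:\Windows\system32\wbem\WmiPrvSE.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmp9A9D.tmp.exe"   # assumed path
BROWSER = r"C:\Program Files\Browser\browser.exe"             # constructed control
SAMPLE_EVENTS = [
    Event("create", 86, 4968, WMI, 300, 1944, SCHTASKS),
    Event("create", 86, 4968, WMI, 301, 1628, SCHTASKS),
    Event("create", 126, 3372, TMP, 128, 3488, TMP),
    *[Event("write_memory", 126, 3372, TMP, 128, 3488) for _ in range(7)],
    Event("set_thread_context", 126, 3372, TMP, 128, 3488),
    Event("create", 20, 700, BROWSER, 21, 710, BROWSER),
    *[Event("write_memory", 20, 700, BROWSER, 21, 710) for _ in range(2)],
]

if __name__ == "__main__":
    print("unexpected children:", unexpected_children(SAMPLE_EVENTS))
    print("hollowing candidates:", hollowing_candidates(SAMPLE_EVENTS))
```

Both checks work from process identity rather than PID, which is the detail the report's reused PIDs (3916, 3440, 1712 and others) would otherwise trip over; the browser control shows why a self-spawn alone is not enough to fire the hollowing rule.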
Drops file in Program Files directory 28 IoCs
description ioc Process
All 28 entries are by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe. Each drop site receives an executable named after a Windows system binary (both created and opened for modification), a companion file with a 14-character hexadecimal name (created) and an RCX*.tmp file (opened for modification):
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\: spoolsv.exe, f3b6ecef712a24, RCX9925.tmp
C:\Program Files\Windows Sidebar\Shared Gadgets\: sysmon.exe, 121e5b5079f7c0, RCXA476.tmp
C:\Program Files\Windows Sidebar\Gadgets\: winlogon.exe, cc11b995f2a76d, RCXA68A.tmp
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\: services.exe, c5b4cb5e9653cc, RCXB237.tmp
C:\Program Files (x86)\Microsoft\Edge\: MusNotification.exe, aa97147c4c782d, RCX9D5E.tmp
C:\Program Files (x86)\Google\Temp\: dwm.exe, 6cb0b6c459d5d3, RCXAB8D.tmp
C:\Program Files\MSBuild\Microsoft\: wininit.exe, 56085415360792, RCX9B3A.tmp
None of these names belong in these directories: spoolsv.exe, winlogon.exe, services.exe, dwm.exe, wininit.exe and MusNotification.exe live in C:\Windows\System32, and sysmon.exe is not a Windows component at all (it is the Sysinternals tool's name). This is masquerading as a system binary (ATT&CK T1036.005); hunt for these names outside their home directories.
Drops file in Windows directory 4 IoCs
description ioc Process
All by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe, in C:\Windows\RemotePackages\RemoteDesktops\: RuntimeBroker.exe (created and opened for modification), 9e8d7a4ca61bd9 (created), RCXA02E.tmp (opened for modification). Same pattern as the Program Files drops; the genuine RuntimeBroker.exe is in C:\Windows\System32.
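A hunt for the drop pattern in the two tables above: a Windows system-binary name outside its home directory with a 14-hex-character companion file beside it. This is an added example, not code from the report or from the malware. REPORT_PATHS are the files the report lists, with a few legitimate paths added as constructed controls; HOMES (where each name lives on a stock install) is an assumed baseline, not something the report states.

```python
"""Flag dropped executables that borrow a Windows system binary's name outside
its home directory, plus the random-named companion file dropped beside each.

Added example, not code from the Triage report or the malware. REPORT_PATHS
come from the report's 'Drops file in ...' tables; the control paths and HOMES
are assumptions for the example.
"""
import re
from pathlib import PureWindowsPath

SYSTEM32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Expected directory per (lower-cased) binary name. sysmon.exe is not a Windows
# component; Sysinternals installs it under C:\Windows, so that is its home.
HOMES = {name: SYSTEM32 for name in (
    "spoolsv.exe", "winlogon.exe", "services.exe", "wininit.exe", "dwm.exe",
    "runtimebroker.exe", "dllhost.exe", "musnotification.exe",
)}
HOMES["sysmon.exe"] = {r"c:\windows"}
COMPANION = re.compile(r"^[0-9a-f]{14}$")  # e.g. c5b4cb5e9653cc beside services.exe

def classify(path):
    """'masquerade' for a system-binary name outside its home, 'companion' for
    the 14-hex-character side file, None for anything else (RCX*.tmp included)."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in HOMES and parent not in HOMES[name]:
        return "masquerade"
    if COMPANION.match(name):
        return "companion"
    return None

def find_drop_sites(paths):
    """Group flagged files by directory: {dir: {'masquerade': [...], 'companion': [...]}}."""
    sites = {}
    for path in paths:
        kind = classify(path)
        if kind:
            p = PureWindowsPath(path)
            sites.setdefault(str(p.parent), {}).setdefault(kind, []).append(p.name)
    return sites

def complete_sites(sites):
    """Directories holding both a masquerading binary and a companion file:
    the pairing this sample leaves at every drop location."""
    return sorted(d for d, kinds in sites.items() if {"masquerade", "companion"} <= set(kinds))

REPORT_PATHS = [
    # from the report
    r"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe",
    r"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\f3b6ecef712a24",
    r"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX9925.tmp",
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\sysmon.exe",
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\121e5b5079f7c0",
    r"C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe",
    r"C:\Program Files\Windows Sidebar\Gadgets\cc11b995f2a76d",
    r"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\services.exe",
    r"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\c5b4cb5e9653cc",
    r"C:\Program Files (x86)\Microsoft\Edge\MusNotification.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\aa97147c4c782d",
    r"C:\Program Files (x86)\Google\Temp\dwm.exe",
    r"C:\Program Files (x86)\Google\Temp\6cb0b6c459d5d3",
    r"C:\Program Files\MSBuild\Microsoft\wininit.exe",
    r"C:\Program Files\MSBuild\Microsoft\56085415360792",
    r"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe",
    r"C:\Windows\RemotePackages\RemoteDesktops\9e8d7a4ca61bd9",
    # constructed controls: the real binaries, which must not be flagged
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Windows\System32\RuntimeBroker.exe",
    r"C:\Windows\Sysmon.exe",
]

if __name__ == "__main__":
    sites = find_drop_sites(REPORT_PATHS)
    for d in complete_sites(sites):
        print(d, sites[d])
```

Feed it a directory listing from a triage image (or the file-write events from your EDR) rather than the report; the RCX*.tmp files are left unclassified on purpose, since the pattern worth hunting is the binary plus its companion.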
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the tmp*.tmp.exe processes (tmp8373.tmp.exe three times, the others once each): tmp66A0.tmp.exe, tmpCCDB.tmp.exe, tmp23FE.tmp.exe, tmp8373.tmp.exe, tmp9A9D.tmp.exe, tmpB174.tmp.exe, tmpB3EA.tmp.exe, tmpCF03.tmp.exe, tmp1C29.tmp.exe, tmp4B38.tmp.exe, tmpD7A3.tmp.exe, tmpF491.tmp.exe, tmp3F94.tmp.exe
Unlike the Geo\Nation lookup above, which comes from dllhost.exe and the sample, this check is made only by the tmp*.tmp.exe payloads: the two components geofence independently.
Modifies registry class 15 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings: 14 by dllhost.exe, 1 by f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
This key is routinely created by ordinary shell and COM API use, so it is a weak indicator on its own.
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
schtasks.exe: 4708, 5000, 4144, 2776, 4208, 1712, 1068, 1944, 4780, 5096, 4756, 2792, 2380, 4712, 3788, 1628, 3548, 4548, 2192, 2064, 4616, 3688, 536, 2728, 4844, 3992, 696, 4572, 2456, 2660, 4936, 2384, 744, 2324, 2988, 3664, 3304, 3588, 4048
These are the same 39 schtasks.exe PIDs listed under "Process spawned unexpected child process": every task registration ran through a schtasks.exe started by wmiprvse.exe. The task definitions themselves are not shown in this section.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
5028 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe (19 entries)
powershell.exe, 3 entries each: 4772, 3092, 1792, 3688, 1324, 2040, 3108, 3440, 3632, 3996, 5084 (33 entries)
dllhost.exe: 4824, 2652, 3852, 3168, 4592, 4144, 4456, 1508, 540, 4156, 1184, 1064 (12 entries)
The listing stops at 64 entries; dllhost.exe 3440 and 5020, which appear under "Suspicious use of AdjustPrivilegeToken", are not included.
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
Token: SeDebugPrivilege 5028 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege powershell.exe: 4772, 3092, 3688, 1792, 2040, 1324, 3108, 3632, 3440, 3996, 5084
Token: SeDebugPrivilege dllhost.exe: 4824, 2652, 3852, 3168, 4592, 4144, 4456, 1508, 540, 4156, 1184, 1064, 3440, 5020
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 45 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\tmp9A9D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9A9D.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\tmp9A9D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9A9D.tmp.exe"3⤵
- Executes dropped EXE
PID:3488
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\27IhZRW36F.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1640
-
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4824 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6f098ba-716f-4f40-b8b5-657af222aae6.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3afc6c8d-67e5-45cb-b8d7-2b7365b511e3.vbs"6⤵PID:2252
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3852 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02ea336-4766-4c0c-a203-9ecba2202fc2.vbs"8⤵PID:4452
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3168 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e59693cf-ae84-4314-868a-048c43dcbaca.vbs"10⤵PID:548
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4592 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7c935-aaf5-454c-b6a9-3261c0f94553.vbs"12⤵PID:3104
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4144 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\861288c2-56c7-46ca-acd9-9a5318f3e41a.vbs"14⤵PID:2392
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b286098-9ccf-4442-bb66-d91e28903c39.vbs"16⤵PID:3336
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\409df9b6-4a07-4447-8af6-ee92892d72a7.vbs"18⤵PID:4208
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:540 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7e4eded-cd25-438a-b259-291f56b68605.vbs"20⤵PID:3608
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4156 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49061138-3381-46df-87b6-45a777a34e1e.vbs"22⤵PID:876
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1184 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9bfe4f4-5184-45f7-a4ca-2ae15fc1edea.vbs"24⤵PID:4696
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1abade5c-e92c-47f0-8b15-7ea6109398c3.vbs"26⤵PID:688
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3440 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8aa978a-b739-41dd-815f-39cc077f95b7.vbs"28⤵PID:4400
-
C:\Users\Admin\Start Menu\dllhost.exe"C:\Users\Admin\Start Menu\dllhost.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5020 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0f90e9-cfd0-4d44-a8aa-d1f18f5b1594.vbs"30⤵PID:4896
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a71af320-9b6a-4f3c-962d-cd18c68ae4b9.vbs"30⤵PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCCDB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCCDB.tmp.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\tmpCCDB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCCDB.tmp.exe"31⤵
- Executes dropped EXE
PID:3392
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73f4c682-4317-4e7d-b0db-666bcbab21a7.vbs"28⤵PID:1648
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB174.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB174.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\tmpB174.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB174.tmp.exe"29⤵
- Executes dropped EXE
PID:3632
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe70898f-5cd6-4420-a821-2f10c2304a45.vbs"26⤵PID:1492
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777af899-879e-4413-8479-6312b2d32f1f.vbs"24⤵PID:3336
-
-
C:\Users\Admin\AppData\Local\Temp\tmp66A0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp66A0.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\tmp66A0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp66A0.tmp.exe"25⤵
- Executes dropped EXE
PID:640
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7cd0f1-e414-4212-9800-b25309be9aa2.vbs"22⤵PID:216
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4B38.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4B38.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\tmp4B38.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4B38.tmp.exe"23⤵
- Executes dropped EXE
PID:3916
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65de4eb2-c6cd-4620-a361-f7cdfc18ec2a.vbs"20⤵PID:4496
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe"21⤵
- Executes dropped EXE
PID:756
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30bbcfa9-9553-4d18-a51b-4e31f1b3d30e.vbs"18⤵PID:3728
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be223420-7480-4d4b-97c4-0980417fdb41.vbs"16⤵PID:4880
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"17⤵
- Executes dropped EXE
PID:820
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6710c080-51e2-4b75-95a5-eda427db81bd.vbs"14⤵PID:2472
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB3EA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB3EA.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\tmpB3EA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB3EA.tmp.exe"15⤵
- Executes dropped EXE
PID:3996
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbbf86c4-fba1-4e1c-be18-8287f6bdbce8.vbs"12⤵PID:1488
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe"15⤵
- Executes dropped EXE
PID:624
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\218e9ead-9c3c-4016-ad3c-629f20173906.vbs"10⤵PID:4304
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.exe"11⤵
- Executes dropped EXE
PID:4760
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418b8fde-0b38-430e-9dba-471fd26f19e3.vbs"8⤵PID:2368
-
-
C:\Users\Admin\AppData\Local\Temp\tmp23FE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp23FE.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\tmp23FE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp23FE.tmp.exe"9⤵
- Executes dropped EXE
PID:2988
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33d69974-93fa-4a63-bd37-8c2a9548363e.vbs"6⤵PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF491.tmp.exe"7⤵
- Executes dropped EXE
PID:2980
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda5ad04-37b1-4641-8151-6f6f20033923.vbs"4⤵PID:1124
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD7A3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD7A3.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Users\Admin\AppData\Local\Temp\tmpD7A3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD7A3.tmp.exe"5⤵
- Executes dropped EXE
PID:4612
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
-
Filesize
4.9MB
MD5
0ac2edfafe2e9ee4456667e5270ead56
SHA1
507d9fb4562f6c87747ba40307a0468df006a071
SHA256
c940076a925b9c9ada96ed0481d055a6621252fa2c77f6d3f9afbff852668f1b
SHA512
1e2ae35cd290b15c150bc31667160d945ca37e95ae4f98d0f984eab311409338f4fcc41e5daa43c2c27aae4087cfa11487f953685045320b59b3a9d95f98faee
-
Filesize
1KB
MD5
4a667f150a4d1d02f53a9f24d89d53d1
SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
d28a889fd956d5cb3accfbaf1143eb6f
SHA1
157ba54b365341f8ff06707d996b3635da8446f7
SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5
2e907f77659a6601fcc408274894da2e
SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5
3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5
59d97011e091004eaffb9816aa0b9abd
SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
713B
MD5
6d114e91306d04a7d5201e9c5dbd5ec4
SHA1
0f7dcf714a01b7a9ce2ed798d5b323b677dd2ba7
SHA256
609f4435b947722a5d07390ea882d3d4dbb0ece06496ff55bdd613ebcc5d887b
SHA512
ffe12a8c4846bf41687d2620b3a26d0c63a3f1ce5615f578926ef4c737fd6b0476c7b80cd4e565cc6a09df42556e7047014aa052c7b42b1175502765bc4eb143
-
Filesize
713B
MD5
76f187836e83ab58cf948172cf3803ae
SHA1
a4e427ae43bc8995fd7e65af7edbe646fbd41b13
SHA256
34b4afc4b97204a4a09f3402b46947863c69c8c51bad6c68193a98eaa2fe552a
SHA512
bb76e400b083103a791a9be8878911970a9f65304f2ef33ebe14b268257d83f37c76b27907df9009e44f4983ce888c4eb26f49ddd47b2379c5a98961c5e38528
-
Filesize
202B
MD5
41d2bf7e9acf1deb672bc4b4d2cf79e6
SHA1
8737d9acb101aa150d69152f979bb3d80108d10e
SHA256
31f5de6609a3f0093b0375d80cfc33f125fce9d41dd2b5d79a01c38709a8bb2b
SHA512
d669963cfde2ec659b3e44c6664792a4efb0c2b3b36a0504f551e220da3ed4d3683da3ddf4f6cb37ee824d362f5e7178ae5d3f6a0830c0254fd021ccbc6b7825
-
Filesize
713B
MD5
c2fcd3c6a70a4fbfcc9239c1959df8ae
SHA1
d8bb874b8f45e1b6dcf3a7272de3169736b5e7bf
SHA256
a022373f89e9d6b807bddbaf3873f6d4d843048066da2bc3e0fa62f6dadd9574
SHA512
3902d327112cc33cdeef50345860f64408cf64515f9624ef1b358ec3b5310330a29bb147e936752fd5657b2cc5a5f307a11888bcb9e3009efeb59c03bb858470
-
Filesize
713B
MD5
db27af6a888da2a3e8f5a96d0df9fdcd
SHA1
65ecef5148f1afc8f7998c827f17cf1505ad2a95
SHA256
0b64bd5fb9904c2ed875929699c152792fdd1e310ba37feef29921f32f7b3827
SHA512
b0e9cde538ab6bb8c1c863cd898ec3f11d177c4c101e1d6607ac0a0597a9252e412e29425ab2fa79854d4b027a1a8565e9347359dd38369936a7ec324307560b
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
713B
MD5
28f1e68ae538f90153cc30ce67bdf0b3
SHA1
b9d5280d379e4f7de5727a8ee5207b6455fa1970
SHA256
a60f2d35f7126d2d385973cf6ec8f4e768edb08f34f1e9bede133707ecb78942
SHA512
68ce187ba7016a6ad3c1464222294f66a394a2669559038b63a34e57faf3495b9ef1630a73fe594217bff23d7b9cc0c959af6bf3e95a4af90d1f04ebe519b177
-
Filesize
713B
MD5
3ba8de10e9c1e3d28437ac89aa9ef8ae
SHA1
2933f138618f8cb233c9760869d26452e15faa4a
SHA256
5a59133596b5b81d29dfc7308d527dd308231bbfb96a4022670bdc1a08068dec
SHA512
b4cf7adfcfe5e87a40f4421d79d80061a5225164f1255998a92cb1fd7ecb76bc49d00a20346242d955a9dbd2008006d766d954264bbd96d5a1c2343b88011f33
-
Filesize
489B
MD5
72f7c01899943194c2a4a2f536a6ccf3
SHA1
ea390761f7fa8df9c2caeaa8fba58e2d9262ffd2
SHA256
ab61837dca2fee24b5a778b78ceccf7dd999891f6f75aadda2a3e56217f20562
SHA512
1939a6035fc7b8e70aaf573378481d7286b07f8d40d5d6442a74e2cdd6ab24b0d686243a5bc69ac2cd6a9e481de96cf150edfa2fde99ecd64d184c98c8cf4a27
-
Filesize
713B
MD5
c40e45602e0195c6ca84803c4e2fc34c
SHA1
001a8b1c381a6b2d4c67acbd7d34148c870c2d8f
SHA256
c7493f55d679a916f1daba037fdaacd231e0815b913be8ff8debd11d77164149
SHA512
63c7274635b8daca27d9948e959c0fa298dafcc801c6cad1a81afc76e832ac9d4310aa32e3c1ef64ec6f4ba5a3f95829f5aa2b0de7c88cc20e54c16a11fc01ed
-
Filesize
75KB
MD5
e0a68b98992c1699876f818a22b5b907
SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5
06f186fc55f38b20a7273da22fe0007a
SHA1
3eae6dd2aec4dcd82864b9fbe446e85ea603784b
SHA256
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
SHA512
05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37