Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 12:44
Static task
static1
Behavioral task
behavioral1
Sample
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Resource
win7-20240903-en
General
-
Target
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
-
Size
4.9MB
-
MD5
d6c32cc92aff05247e665fec5d1ca5ed
-
SHA1
864e040db2c99477669bbe45261d8d93ebdba021
-
SHA256
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
-
SHA512
b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri family
-
DcRat 30 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4988 schtasks.exe 4488 schtasks.exe 392 schtasks.exe 2976 schtasks.exe 1040 schtasks.exe 4972 schtasks.exe File created C:\Program Files\Windows Sidebar\22eafd247d37c3 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 3408 schtasks.exe 4948 schtasks.exe 4192 schtasks.exe 4052 schtasks.exe 4768 schtasks.exe 4324 schtasks.exe 3100 schtasks.exe 2212 schtasks.exe 4388 schtasks.exe 2180 schtasks.exe 2952 schtasks.exe 3760 schtasks.exe 2436 schtasks.exe 1384 schtasks.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 3216 schtasks.exe 2140 schtasks.exe 3956 schtasks.exe 2428 schtasks.exe 3900 schtasks.exe 4824 schtasks.exe 2660 schtasks.exe -
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 392 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3216 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4192 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3900 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3408 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4948 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4052 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4768 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3956 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3760 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1384 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4988 1712 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3100 1712 schtasks.exe 82 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe -
resource yara_rule behavioral2/memory/2492-3-0x000000001B370000-0x000000001B49E000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4688 powershell.exe 4412 powershell.exe 4644 powershell.exe 3728 powershell.exe 2252 powershell.exe 3840 powershell.exe 1380 powershell.exe 4828 powershell.exe 4736 powershell.exe 336 powershell.exe 1520 powershell.exe 4488 powershell.exe 4536 powershell.exe 1316 powershell.exe 1096 powershell.exe 2284 powershell.exe 1952 powershell.exe 3400 powershell.exe 2696 powershell.exe 2688 powershell.exe 3220 powershell.exe 2000 powershell.exe -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation dwm.exe -
Executes dropped EXE 35 IoCs
pid Process 1596 tmpC16F.tmp.exe 3796 tmpC16F.tmp.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4620 tmpD2D1.tmp.exe 396 tmpD2D1.tmp.exe 3768 dwm.exe 2584 tmpE937.tmp.exe 5040 tmpE937.tmp.exe 1556 dwm.exe 784 tmp1A69.tmp.exe 2392 tmp1A69.tmp.exe 2284 dwm.exe 4512 tmp4B0E.tmp.exe 1260 tmp4B0E.tmp.exe 1272 dwm.exe 1500 tmp6675.tmp.exe 4068 tmp6675.tmp.exe 4160 dwm.exe 3976 tmp82B8.tmp.exe 3952 tmp82B8.tmp.exe 784 tmp82B8.tmp.exe 1688 dwm.exe 4816 tmpB2F0.tmp.exe 3608 tmpB2F0.tmp.exe 1284 dwm.exe 1800 tmpCF03.tmp.exe 3876 tmpCF03.tmp.exe 2676 dwm.exe 216 dwm.exe 2256 tmp1B7D.tmp.exe 1628 tmp1B7D.tmp.exe 2008 dwm.exe 3748 dwm.exe 2348 tmp67B9.tmp.exe 3100 tmp67B9.tmp.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe -
Suspicious use of SetThreadContext 11 IoCs
description pid Process procid_target PID 1596 set thread context of 3796 1596 tmpC16F.tmp.exe 118 PID 4620 set thread context of 396 4620 tmpD2D1.tmp.exe 142 PID 2584 set thread context of 5040 2584 tmpE937.tmp.exe 173 PID 784 set thread context of 2392 784 tmp1A69.tmp.exe 179 PID 4512 set thread context of 1260 4512 tmp4B0E.tmp.exe 187 PID 1500 set thread context of 4068 1500 tmp6675.tmp.exe 193 PID 3952 set thread context of 784 3952 tmp82B8.tmp.exe 200 PID 4816 set thread context of 3608 4816 tmpB2F0.tmp.exe 206 PID 1800 set thread context of 3876 1800 tmpCF03.tmp.exe 212 PID 2256 set thread context of 1628 2256 tmp1B7D.tmp.exe 221 PID 2348 set thread context of 3100 2348 tmp67B9.tmp.exe 230 -
Drops file in Program Files directory 17 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\Office16\TextInputHost.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files\Windows Sidebar\TextInputHost.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files\Windows Sidebar\TextInputHost.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\38384e6a620884 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files\Windows Sidebar\22eafd247d37c3 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files\Windows Sidebar\RCXBFD8.tmp 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files\Microsoft Office\Office16\TextInputHost.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files\Microsoft Office\Office16\22eafd247d37c3 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXBD57.tmp 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3970336390\OfficeClickToRun.exe 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1A69.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp4B0E.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp6675.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp82B8.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpCF03.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1B7D.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpC16F.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpD2D1.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpE937.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp82B8.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB2F0.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp67B9.tmp.exe -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings dwm.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4052 schtasks.exe 4324 schtasks.exe 2436 schtasks.exe 3100 schtasks.exe 2952 schtasks.exe 2660 schtasks.exe 4948 schtasks.exe 4824 schtasks.exe 4388 schtasks.exe 3956 schtasks.exe 4768 schtasks.exe 1040 schtasks.exe 2212 schtasks.exe 2180 schtasks.exe 2140 schtasks.exe 3760 schtasks.exe 4988 schtasks.exe 2428 schtasks.exe 392 schtasks.exe 3408 schtasks.exe 4488 schtasks.exe 3900 schtasks.exe 2976 schtasks.exe 1384 schtasks.exe 4972 schtasks.exe 3216 schtasks.exe 4192 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 1316 powershell.exe 1316 powershell.exe 1096 powershell.exe 1096 powershell.exe 4736 powershell.exe 4736 powershell.exe 1380 powershell.exe 1380 powershell.exe 4412 powershell.exe 4412 powershell.exe 2284 powershell.exe 2284 powershell.exe 4828 powershell.exe 4828 powershell.exe 1952 powershell.exe 1952 powershell.exe 1520 powershell.exe 1520 powershell.exe 336 powershell.exe 336 powershell.exe 4688 powershell.exe 4688 powershell.exe 1096 powershell.exe 4828 powershell.exe 336 powershell.exe 4736 powershell.exe 4412 powershell.exe 1380 powershell.exe 1316 powershell.exe 1520 powershell.exe 2284 powershell.exe 1952 powershell.exe 4688 powershell.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 3728 powershell.exe 3728 powershell.exe 3840 powershell.exe 3840 powershell.exe 3400 powershell.exe 3400 powershell.exe 4536 powershell.exe 4536 powershell.exe 2696 powershell.exe 2696 powershell.exe 4644 powershell.exe 4644 powershell.exe 2688 powershell.exe 2688 powershell.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 1096 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 1380 powershell.exe Token: SeDebugPrivilege 4412 powershell.exe Token: SeDebugPrivilege 4828 powershell.exe Token: SeDebugPrivilege 336 powershell.exe Token: SeDebugPrivilege 2284 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 1520 powershell.exe Token: SeDebugPrivilege 4688 powershell.exe Token: SeDebugPrivilege 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Token: SeDebugPrivilege 3728 powershell.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeDebugPrivilege 3840 powershell.exe Token: SeDebugPrivilege 3400 powershell.exe Token: SeDebugPrivilege 4536 powershell.exe Token: SeDebugPrivilege 4644 powershell.exe Token: SeDebugPrivilege 4488 powershell.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 3220 powershell.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 3768 dwm.exe Token: SeDebugPrivilege 1556 dwm.exe Token: SeDebugPrivilege 2284 dwm.exe Token: SeDebugPrivilege 1272 dwm.exe Token: SeDebugPrivilege 4160 dwm.exe Token: SeDebugPrivilege 1688 dwm.exe Token: SeDebugPrivilege 1284 dwm.exe Token: SeDebugPrivilege 2676 dwm.exe Token: SeDebugPrivilege 216 dwm.exe Token: SeDebugPrivilege 2008 dwm.exe Token: SeDebugPrivilege 3748 dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2492 wrote to memory of 4688 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 95 PID 2492 wrote to memory of 4688 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 95 PID 2492 wrote to memory of 336 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 96 PID 2492 wrote to memory of 336 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 96 PID 2492 wrote to memory of 1952 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 97 PID 2492 wrote to memory of 1952 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 97 PID 2492 wrote to memory of 4736 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 98 PID 2492 wrote to memory of 4736 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 98 PID 2492 wrote to memory of 1596 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 94 PID 2492 wrote to memory of 1596 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 94 PID 2492 wrote to memory of 1596 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 94 PID 2492 wrote to memory of 4412 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 99 PID 2492 wrote to memory of 4412 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 99 PID 2492 wrote to memory of 2284 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 100 PID 2492 wrote to memory of 2284 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 100 PID 2492 wrote to memory of 1520 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 101 PID 2492 wrote to memory of 1520 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 101 PID 2492 wrote to memory of 4828 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 102 PID 2492 wrote to memory of 4828 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 102 PID 2492 wrote to memory of 1096 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 103 PID 2492 wrote to memory of 1096 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 103 PID 2492 wrote to memory of 1380 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 104 PID 2492 wrote to memory of 1380 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 104 PID 2492 wrote to memory of 1316 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 105 PID 2492 wrote to memory of 1316 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 105 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 1596 wrote to memory of 3796 1596 tmpC16F.tmp.exe 118 PID 2492 wrote to memory of 4512 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 119 PID 2492 wrote to memory of 4512 2492 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 119 PID 4512 wrote to memory of 4620 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 140 PID 4512 wrote to memory of 4620 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 140 PID 4512 wrote to memory of 4620 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 140 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4620 wrote to memory of 396 4620 tmpD2D1.tmp.exe 142 PID 4512 wrote to memory of 4488 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 144 PID 4512 wrote to memory of 4488 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 144 PID 4512 wrote to memory of 4644 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 145 PID 4512 wrote to memory of 4644 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 145 PID 4512 wrote to memory of 3840 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 146 PID 4512 wrote to memory of 3840 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 146 PID 4512 wrote to memory of 2252 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 147 PID 4512 wrote to memory of 2252 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 147 PID 4512 wrote to memory of 3728 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 149 PID 4512 wrote to memory of 3728 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 149 PID 4512 wrote to memory of 2000 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 151 PID 4512 wrote to memory of 2000 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 151 PID 4512 wrote to memory of 3220 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 152 PID 4512 wrote to memory of 3220 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 152 PID 4512 wrote to memory of 2688 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 153 PID 4512 wrote to memory of 2688 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 153 PID 4512 wrote to memory of 2696 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 156 PID 4512 wrote to memory of 2696 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 156 PID 4512 wrote to memory of 4536 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 157 PID 4512 wrote to memory of 4536 4512 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe 157 -
System policy modification 1 TTPs 39 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"3⤵
- Executes dropped EXE
PID:3796
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"4⤵
- Executes dropped EXE
PID:396
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3768 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b883c56-9b19-4e45-b0ce-3887352ec10b.vbs"4⤵PID:2820
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1556 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba9d06ba-8f9a-45f3-927a-33b1c57a4314.vbs"6⤵PID:4440
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6859041-0437-42bf-a199-50f09214ac64.vbs"8⤵PID:2676
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1272 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be235e87-96eb-43ee-a6a1-d85ca5d59f06.vbs"10⤵PID:1484
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4160 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c036ae-5dbc-42c1-a1a3-68dac4ecd62d.vbs"12⤵PID:1376
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1688 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef993b8-755b-4f63-afcd-5573097a53bc.vbs"14⤵PID:1040
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9bb2da0-64c0-4880-96b5-718cc6f5ab13.vbs"16⤵PID:4284
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2676 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b118343-50fb-44a8-b912-e66f66cb855d.vbs"18⤵PID:3628
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:216 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b657e3d1-3f45-46a5-b130-79ed922da618.vbs"20⤵PID:2096
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2008 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaf86d55-63d5-4c3c-afdb-81b8d360e071.vbs"22⤵PID:4268
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3748 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306e978f-d40b-4208-8f0c-68dbe31b0ea7.vbs"24⤵PID:3288
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8cb4c3-51e8-4970-b21f-174abca84e4a.vbs"24⤵PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"25⤵
- Executes dropped EXE
PID:3100
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f353457-d0de-4d4b-965c-86382ccf386f.vbs"22⤵PID:4376
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\361118b5-3b8c-419c-bff6-cab39d6eb4ca.vbs"20⤵PID:808
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"21⤵
- Executes dropped EXE
PID:1628
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be3c471e-f6a7-4259-88cf-ac78453c545e.vbs"18⤵PID:3272
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c152e26-6f48-4d05-ab17-db7588895603.vbs"16⤵PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"17⤵
- Executes dropped EXE
PID:3876
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7be567-a419-47d7-ae4c-6f9ac13facf7.vbs"14⤵PID:3220
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"15⤵
- Executes dropped EXE
PID:3608
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d927763-7d95-420e-978d-14352802c5f9.vbs"12⤵PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"14⤵
- Executes dropped EXE
PID:784
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91fb3642-d120-46dd-8780-f98eb56a9fcd.vbs"10⤵PID:3592
-
-
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"11⤵
- Executes dropped EXE
PID:4068
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed08ede-3f68-4125-ba55-f32f252afd68.vbs"8⤵PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"9⤵
- Executes dropped EXE
PID:1260
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5b66ae-bf19-41e6-9aa7-b0934f92c9b0.vbs"6⤵PID:3164
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:784 -
C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"7⤵
- Executes dropped EXE
PID:2392
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c1ab38-1255-4656-82bf-b3a3f2e7a90b.vbs"4⤵PID:1608
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"5⤵
- Executes dropped EXE
PID:5040
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\powershell.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe.log
Filesize1KB
MD5bbb951a34b516b66451218a3ec3b0ae1
SHA17393835a2476ae655916e0a9687eeaba3ee876e9
SHA256eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA51263bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD52dadcdbb2b489045245be9cb53dcb850
SHA19f3f86b9ce5f9374342dd0304e88d156f5684aac
SHA2566d598c5833911eccbcbe6ae18c0750982790545184166bf3414e1fe63318cf85
SHA512952c68c24234b23c89f25a43c44dc926115bf0295e6483da1de52f6d9fac056e20d362286a83ea846e4a3f35fa346602b92677010f0a6adb236231b20fd439bc
-
Filesize
944B
MD5150616521d490e160cd33b97d678d206
SHA171594f5b97a4a61fe5f120eb10bcd6b73d7e6e78
SHA25694595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827
SHA5127043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815
-
Filesize
944B
MD5ca5f066b9f9fe5524bc68022defc0152
SHA136002bf06b2e5d6e2e0e19d3d7274f11e0c5cec2
SHA2562020884668619f82b26cf38f827e154af76652f36ba1ddd41a6b93eb585d4f43
SHA512a39310d4e931f133be3f894c50bf557b229adf9fbd9e0cefd47a072a7fbe2aeb1b593fb37e3d699b1c45d06ef62a6e02d39e383701e9936a95bf9968a747388f
-
Filesize
944B
MD5057e7742b25e65a341d1341da25b54a8
SHA165c874ac4f429a4172bdf89a73922e39873ecab6
SHA256f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468
SHA51294b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7
-
Filesize
944B
MD5b7b47377bcaba7a045dc11be31f711b3
SHA1c915578f1139e3d0ca94d8ea73a17698771400e8
SHA25623d457e05f8b8fc47e6617fee28d04a7e6fab993751b94514c9308e387c95a1a
SHA512be381612f831f820e7fb04fa94c7a61954f4bba3d1b2d1112e455b41a6e9322b35e75311fbf24d5ff541a73d56bf79976e1462fee06d337341ad0953325636a3
-
Filesize
944B
MD50f6a77860cd9c5289dd6e45bbc36a982
SHA1750d55b0d394bc5716fc3e3204975b029d3dc43b
SHA256a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4
SHA512e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06
-
Filesize
747B
MD5dad580c0ac5fc0549b08ab064a810fc3
SHA1934042ea4f8a28ebbd432fe19477742cd53138ee
SHA256eec874f5f416784d42bd1c4a566e8efcc71008862abf8172b6e17cfa805e62a1
SHA51253e80c75c3e541d1d9051a48193b22a2f3a05c3f01b27906b24ea87b14fcfdffa13e6219cae9d149bcb3796d7548131cba583a0e23901914aaa465c7c8c9e3cd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
523B
MD5c5afec1afb7c74a0ea541ff58a76d91f
SHA1d32941f44a9c028d6077c14fbf3494464294c6f3
SHA2567daf225e8db0dbc0fcddb0d94a8eaffb4197ca3980d806fd924a4fecef91f393
SHA512c3328b7de78ace26659f318e349b9fd0eaf8d44dbcb06ed419966e26d6f259a9ea9c70cd5354f6b691edc52fa7b36196582d625187e18beb001cfc028dd96fd1
-
Filesize
747B
MD5560cff6cd843ebf047d5658c882e04a0
SHA1edada3d9b807b2bafd75c03a346c1fd9ed6d3401
SHA2565e7429b0bf0c4b2d6bd0677a21f7c1432e36d7cef0979d9d2cd940283010a57f
SHA512b5bcd6855e7facd5c217caf33595a709c940cba4a29438435498f79dc27add09e4663fc82dee0bb4fb472213df6edfa2aba8e8d5b27302b7b2fa22b9f70e7748
-
Filesize
747B
MD57a4e8299f1046b944b591daa79890608
SHA125b6b5bbabeff80f187b741d004994d3bd005bc4
SHA25659e51fb5890fb9a620be7d9be149cd271b298df97a84509705c070f077d93b87
SHA5128f8908625a6399d45401bd4640d8463cedb1ac3870b4f45291676959318ec6875b98a65f77d799d8a73c80b7a5e25a48db3e5370563f4b9a63ae12577c66b479
-
Filesize
747B
MD5f4f91813eeb99da509b1d5cf3305c8f6
SHA1652451fd59f87f93a044f76f1eec9e27d11acc1f
SHA2569d704a0f751fd9478d3269c6ce8b5a4e506e11160c37904917bd0154d2bf1959
SHA512dc66a14e9f7443557e3317d41966b6166f6ed2e0f80515b854c4817091e943f616fafac9058c88806e7fe07422d39b00dcc2b365294f78144861bcd47c0a5c08
-
Filesize
747B
MD5e1c643140cec46009c03c0f5c2d16804
SHA1c8191425777dc7f53730948998b49e647027cae1
SHA256d6005e31e9a2d6286221ba1d0487c005cd55e1259c76aa00b1ab508427a4be52
SHA51264a38421569b531450ea801ca88adf3d15565410537447fbf1ba9e63299b27d12ecd543a5ac918da80a549beadd43acd8e9f37c39c3f0d2045f185974dec4165
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5d6c32cc92aff05247e665fec5d1ca5ed
SHA1864e040db2c99477669bbe45261d8d93ebdba021
SHA25616f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
SHA512b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96