Analysis

max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 03:40

Static task: static1
Behavioral task: behavioral1
Sample: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Resource: win7-20240903-en
General

Target: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Size: 4.9MB
MD5: 35612ca19890339ff523d7a64dcc546f
SHA1: 8f6eb8a29167819fbe9b6274b770f2df64381203
SHA256: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177
SHA512: 1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J
Malware Config

Extracted
Family: colibri
Version: 1.2.0
Build1
C2:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource: behavioral2/memory/2456-3-0x000000001BEC0000-0x000000001BFEE000-memory.dmp
yara_rule: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

pid   Process
3936  powershell.exe
2592  powershell.exe
2616  powershell.exe
4552  powershell.exe
3032  powershell.exe
4764  powershell.exe
4892  powershell.exe
5000  powershell.exe
1012  powershell.exe
3952  powershell.exe
4480  powershell.exe
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE (35 IoCs)
Suspicious use of SetThreadContext (11 IoCs)

description                          pid   Process          procid_target
PID 2656 set thread context of 1004  2656  tmpD3DC.tmp.exe  141
PID 1040 set thread context of 4240  1040  tmpEC0.tmp.exe   172
PID 5048 set thread context of 1260  5048  tmp436D.tmp.exe  194
PID 224 set thread context of 1704   224   tmp5F61.tmp.exe  204
PID 2516 set thread context of 3832  2516  tmp8FD7.tmp.exe  213
PID 1136 set thread context of 2056  1136  tmpADDF.tmp.exe  222
PID 2692 set thread context of 4520  2692  tmpDD6B.tmp.exe  233
PID 2888 set thread context of 4900  2888  tmpFAC6.tmp.exe  243
PID 3596 set thread context of 5060  3596  tmp1776.tmp.exe  252
PID 4472 set thread context of 5048  4472  tmp46F2.tmp.exe  261
PID 2356 set thread context of 2432  2356  tmp9198.tmp.exe  275
Drops file in Program Files directory (36 IoCs)
Drops file in Windows directory (9 IoCs)

description                   ioc                                                      Process
File created                  C:\Windows\ShellExperiences\eddb19405b7ce1               2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File created                  C:\Windows\diagnostics\system\Device\uk-UA\RuntimeBroker.exe  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File opened for modification  C:\Windows\ShellExperiences\RCXE27A.tmp                  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File opened for modification  C:\Windows\es-ES\RCXF349.tmp                             2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File opened for modification  C:\Windows\es-ES\RuntimeBroker.exe                       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File created                  C:\Windows\ShellExperiences\backgroundTaskHost.exe       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File created                  C:\Windows\es-ES\RuntimeBroker.exe                       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File created                  C:\Windows\es-ES\9e8d7a4ca61bd9                          2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
File opened for modification  C:\Windows\ShellExperiences\backgroundTaskHost.exe       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (12 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (55 IoCs)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2456 wrote to memory of 2656 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 138
PID 2456 wrote to memory of 2656 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 138
PID 2456 wrote to memory of 2656 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 138
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2656 wrote to memory of 1004 | 2656 | tmpD3DC.tmp.exe | 141
PID 2456 wrote to memory of 3032 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 144
PID 2456 wrote to memory of 3032 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 144
PID 2456 wrote to memory of 3952 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 145
PID 2456 wrote to memory of 3952 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 145
PID 2456 wrote to memory of 2592 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 146
PID 2456 wrote to memory of 2592 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 146
PID 2456 wrote to memory of 1012 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 147
PID 2456 wrote to memory of 1012 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 147
PID 2456 wrote to memory of 5000 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 148
PID 2456 wrote to memory of 5000 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 148
PID 2456 wrote to memory of 3936 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 149
PID 2456 wrote to memory of 3936 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 149
PID 2456 wrote to memory of 4892 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 150
PID 2456 wrote to memory of 4892 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 150
PID 2456 wrote to memory of 4764 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 151
PID 2456 wrote to memory of 4764 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 151
PID 2456 wrote to memory of 2616 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 152
PID 2456 wrote to memory of 2616 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 152
PID 2456 wrote to memory of 4552 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 154
PID 2456 wrote to memory of 4552 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 154
PID 2456 wrote to memory of 4480 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 155
PID 2456 wrote to memory of 4480 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 155
PID 2456 wrote to memory of 2872 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 166
PID 2456 wrote to memory of 2872 | 2456 | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe | 166
PID 2872 wrote to memory of 960 | 2872 | Registry.exe | 168
PID 2872 wrote to memory of 960 | 2872 | Registry.exe | 168
PID 2872 wrote to memory of 4732 | 2872 | Registry.exe | 169
PID 2872 wrote to memory of 4732 | 2872 | Registry.exe | 169
PID 2872 wrote to memory of 1040 | 2872 | Registry.exe | 170
PID 2872 wrote to memory of 1040 | 2872 | Registry.exe | 170
PID 2872 wrote to memory of 1040 | 2872 | Registry.exe | 170
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 1040 wrote to memory of 4240 | 1040 | tmpEC0.tmp.exe | 172
PID 960 wrote to memory of 1672 | 960 | WScript.exe | 186
PID 960 wrote to memory of 1672 | 960 | WScript.exe | 186
PID 1672 wrote to memory of 2288 | 1672 | Registry.exe | 190
PID 1672 wrote to memory of 2288 | 1672 | Registry.exe | 190
PID 1672 wrote to memory of 1400 | 1672 | Registry.exe | 191
PID 1672 wrote to memory of 1400 | 1672 | Registry.exe | 191
PID 1672 wrote to memory of 5048 | 1672 | Registry.exe | 192
PID 1672 wrote to memory of 5048 | 1672 | Registry.exe | 192
PID 1672 wrote to memory of 5048 | 1672 | Registry.exe | 192
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
PID 5048 wrote to memory of 1260 | 5048 | tmp436D.tmp.exe | 194
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Registry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Registry.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe  "C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe"  1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456

C:\Users\Admin\AppData\Local\Temp\tmpD3DC.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpD3DC.tmp.exe"  2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmpD3DC.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpD3DC.tmp.exe"  3⤵
- Executes dropped EXE
PID:1004
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480
C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2872

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44d2dfab-346c-4e5a-9dbc-b27d4bbc8477.vbs"  3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73c7306b-8963-42a5-9abd-dd8e65dc681f.vbs"  5⤵
PID:2288

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1444

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e4e511-1ff5-4e53-9f12-261f6a457820.vbs"  7⤵
PID:4768

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2216

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e20126ed-246a-4e2c-b4e9-babffe8e2a51.vbs"  9⤵
PID:1640

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4708

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86fd6fb4-8c67-4856-be5f-ea4e10e6b726.vbs"  11⤵
PID:808

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1204

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99cf9a47-6809-4789-b7e0-c482f843acb6.vbs"  13⤵
PID:2560

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4644

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38268bc4-44b8-4000-87c1-0342f5be3984.vbs"  15⤵
PID:2032

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4328

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60dd96d5-ac19-4137-b053-583f6efe1710.vbs"  17⤵
PID:4428

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2736

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15853fbc-02c1-4a89-8b46-999c46cca8a6.vbs"  19⤵
PID:1876

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4680

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b14e06-761d-4f86-b1d1-9cd3ee4f9977.vbs"  21⤵
PID:3496

C:\Program Files\Windows NT\Registry.exe  "C:\Program Files\Windows NT\Registry.exe"  22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4112

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64824822-1fa8-4793-a58b-f5779710231b.vbs"  23⤵
PID:452

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a57989-072a-4a73-ad3d-a8e0aa854e47.vbs"  23⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\tmp9198.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp9198.tmp.exe"  23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2356

C:\Users\Admin\AppData\Local\Temp\tmp9198.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp9198.tmp.exe"  24⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8f32dff-90a2-4f64-b4c6-a9dda1b970af.vbs"  21⤵
PID:4368

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f459a58d-d5ea-4263-a42d-c14ea8f3a3c5.vbs"  19⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\tmp46F2.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp46F2.tmp.exe"  19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4472

C:\Users\Admin\AppData\Local\Temp\tmp46F2.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp46F2.tmp.exe"  20⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cb60bad-0d32-4e20-9f47-83d28d01e096.vbs"  17⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe"  17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436

C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe"  18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3596

C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp1776.tmp.exe"  19⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8620003e-eab7-4cac-816a-a03ae01adae1.vbs"  15⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe"  15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe"  16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2888

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp.exe"  17⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29589a15-01d7-498e-904e-0ec6803df93c.vbs"  13⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\tmpDD6B.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpDD6B.tmp.exe"  13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2692

C:\Users\Admin\AppData\Local\Temp\tmpDD6B.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpDD6B.tmp.exe"  14⤵
- Executes dropped EXE
PID:4520

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240a12af-de61-4b2d-aef1-79b28c0cd529.vbs"  11⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\tmpADDF.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpADDF.tmp.exe"  11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1136

C:\Users\Admin\AppData\Local\Temp\tmpADDF.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpADDF.tmp.exe"  12⤵
- Executes dropped EXE
PID:2056

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c2f234-4d8b-4ed9-b83e-6011c3381c93.vbs"  9⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\tmp8FD7.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp8FD7.tmp.exe"  9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2516

C:\Users\Admin\AppData\Local\Temp\tmp8FD7.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp8FD7.tmp.exe"  10⤵
- Executes dropped EXE
PID:3832

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6d1953c-69dd-4fe2-990c-4685072d53bb.vbs"  7⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp.exe"  7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:224

C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp.exe"  8⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aefd5fd7-5450-4fa1-a769-6e0982b59be3.vbs"  5⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\tmp436D.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp436D.tmp.exe"  5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\tmp436D.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp436D.tmp.exe"  6⤵
- Executes dropped EXE
PID:1260

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5f9e69-437a-4eb2-9369-4b6656601b5d.vbs"  3⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp.exe"  3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp.exe"  4⤵
- Executes dropped EXE
PID:4240
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\dotnet\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
-
Filesize: 4.9MB
MD5: 13a815d3d84adc3c8317f1aefe3be024
SHA1: b926298df5ab02d6cdd01f38544c2c1b975114ed
SHA256: 8e7e55aa9040d280d42e4c740fcfa438604fe74b764eaf7f67b431f8eb46c9a1
SHA512: ad19817bd611b00af1003f809ec691666a44f7a4c8325c2b4ec8fc42b566d20433c13036c2fdff2698a4e11203da7ac1e92647822fdb607f3faa27ba8c1530fd
-
Filesize: 4.9MB
MD5: ce8419937d6e1ddc4b201a1b1a73e600
SHA1: d9cfa5b7e77acb2a6683a43183c7706289956610
SHA256: 018dbccde62769d092da05ceff5631e652abab459719de4755349c520af1d6ae
SHA512: af52ac46c0b70337f71a028184834a00238ebe2dc0fcdbed8ba4bb7195c26548625efc9bb7f048244d34568f0933f9464145a2ef3605e5fd58c473bb07004f8e
-
Filesize: 4.9MB
MD5: 35612ca19890339ff523d7a64dcc546f
SHA1: 8f6eb8a29167819fbe9b6274b770f2df64381203
SHA256: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177
SHA512: 1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05
-
Filesize: 1KB
MD5: 4a667f150a4d1d02f53a9f24d89d53d1
SHA1: 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256: 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512: 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 944B
MD5: 59d97011e091004eaffb9816aa0b9abd
SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize: 944B
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize: 716B
MD5: e097018b7c32f45c08d2db57e32bae82
SHA1: d7c99bbdf835f63bb8f3e4e91d0f1fd0358c9de2
SHA256: 4350af7fe4bb9c503fd7887626e37a1831e37061c74276c57fe3627e73752982
SHA512: 3393d765322d00406a4c38e5df8862f01c47db19f46f53057b5628843985fafadbc28e7b76cf4673c04c5092d1e222418a7ebedc8dd11b05a56cc0434ee28205
-
Filesize: 716B
MD5: 78c18cd13bc54d648f17a2bd50656a95
SHA1: e61d794fd2909fb84ab8c9c70372d040febdeee3
SHA256: 0681431c13149ab38538b17391c2e759a73b2ed23cf6a2afe32ba0f18d2d8bc9
SHA512: 75def395d750450f4a4c93e6aa41aec1355f951d39dd0dc8706b1e0323fc265ca96676d94883d237f4b6271ae8b0c1264382869afa0d55847802e5eb71864bba
-
Filesize: 716B
MD5: a28170617231bfab40e8a0b12a308ff7
SHA1: 462ab06e75ac53e3b9c7231bda68314197150a91
SHA256: 7848962bcbca3cfacb769c03023f672d441745304dacef69828b242c93aa622d
SHA512: 827b31a10c9f3204d6f9bdf9ff182153986ef1b4e300f8891d260637ea1760b9322d3ee1d1d1f7f698405d23bed0246cac1e4016422854a4ef1fd323a81961d1
-
Filesize: 716B
MD5: d71d828f49c0ae9b5dd52b9b184cc928
SHA1: cec692b8d7887627c98f229b7d5187907b211919
SHA256: 7b5edb587dd909429a7430671e875e4f19ebd45390dfd0f7258c0aca73bb908f
SHA512: d856bccafdce3cac209ee4576ae7f40cbcec5251520b95b162e7dc31b7cb0553af12de0059b054ead5f7d81d23119903206f00631dcb1830f48ca90930ca8d1c
-
Filesize: 716B
MD5: b346e0d521496449a0f915dc3fda1039
SHA1: 60da1deb5110336474dd9df2d5637e881c389619
SHA256: 309ccb3af0c2ce8e1f2937a1a64e07e693e6f52eac02a1dd9f489211de2a703c
SHA512: 2727e37845347e626cb1ed12d7cc09b33ce83cde670ba37f9da28b4398dbb1bbfa45f37b0efb4900121e23ccf99d4b367f58f8f88eb6869fd48e63e8bd828563
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 492B
MD5: fcbb40211b69cfdc7a6e9aa762ae883d
SHA1: 1a8f3691519bedfc8a7fcb12077ba0c8af2608bc
SHA256: 21d5795ca048ab16900a7faea7f7d7fddbe0fb4adb31310acd1cb4bd2d5108b0
SHA512: f380f7e85f877aa8038c2b3c40c21736b22f2407ab3d75df5b09e9ce4b2a4e9cd7f8c8354fe9e48096ddf73ef7613d2e7b5a008f87572c2ccf524935119bd297
-
Filesize: 716B
MD5: b6c2115819635bf65a3919913ade770f
SHA1: e96756e89b185c0ba6b3c3f7f4a6dc9ff716dfe1
SHA256: 21e669e4475b24bbfa028626dfebff4151134d9e1d8bb1d91c993b01551f2f92
SHA512: 4d0a405542d0655fa10640a07615cbaf68c2bed356de92b15a3f6ae413f60d64567189239b54fcb85ebb9e5cd6ccc829d5168cacb7bc4305da1e0a7a7128111b
-
Filesize: 716B
MD5: 06f50641f5f1dc75a0fdf5067993a4e8
SHA1: 53edbf9b7228c86f6a866fa389e8c1037920740e
SHA256: 6f35988af0d4b7dcce71d850fcbc0c3ab2a70fd538f758ead9e13bf15cbdabb8
SHA512: 4cf6aae16348b9c82db8564c23c05e7e41a6db466ba837c97b91cfb558fca4b0e2de5e5b858339ce36d56e5774372b8f1d759652e700afd10e636b60f97c3f18
-
Filesize: 75KB
MD5: e0a68b98992c1699876f818a22b5b907
SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize: 4.9MB
MD5: dbf98d1843e598654389856825fd8285
SHA1: 6730be889c53be5bea49529358b45b7e899dd92a
SHA256: ac393cceb792f714ff76658df8f5ae3d5d533fc23cf13cbd99b90d34c5aeebe1
SHA512: 0d66be87b8e3e78ab675b88cd7ebd9af4c61b532bbf4fffe56a17d6c8b6606f3d7a877906542b9214790f61341187b4c17ab17f26f11e919b8a0d1ea4136a3c9
-
Filesize: 4.9MB
MD5: 28218d284bc4eeadcc9d19f308a62ad1
SHA1: cd2fc9f9b667225d139f0377bda80684f4fc4f8a
SHA256: 17ec108a2e5a7d9261284300ff9e1233a7fcf820b9411a759accc883b5b007f2
SHA512: 54750d50635709e4c7a15e5a2adef29437f33dca0028054e80efa98d81187fff7fd522252539dcd4f72ee9968c48643d9a4bf33c047b027cd66afe7877508ce9