Analysis
-
max time kernel: 118s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 03:15
Static task: static1
Behavioral task: behavioral1
Sample: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Resource: win7-20240903-en
General
-
Target: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Size: 4.9MB
MD5: 0ebad9b503420a52d8624a119e9b0390
SHA1: 1f7ac06f73e31f55a13177d4d6e0992e9086c87a
SHA256: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d
SHA512: ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri family
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Read the parent before accepting that explanation here: WmiPrvSE.exe hosts WMI providers, and any process created through WMI (for example with the Create method of the Win32_Process class) becomes a child of WmiPrvSE.exe rather than of the caller. Fifty-seven schtasks.exe launches from one WmiPrvSE.exe instance (PID 1788), matching the 57 PIDs listed under Scheduled Task/Job below, fit an implant that registers its scheduled tasks through WMI, which also keeps the real caller out of a naive parent-child process tree.
description (all 57 entries): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe | pid_target (parent PID): 1788 | procid_target: 83
pid (child schtasks.exe, in report order):
2144 456 900 2836 3284 3460 5040 1000 3564 1568
1500 2452 3496 3436 1816 4672 2076 1096 1148 2636
4988 3120 2576 2444 764 1484 1784 2460 1780 2976
4880 2736 3952 2072 3644 1064 4204 2208 5112 724
3604 2924 2388 2984 2600 2164 4680 4004 920 4448
4784 3912 3920 3196 2092 4052 3336
-
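The WmiPrvSE.exe -> schtasks.exe pattern above is straightforward to hunt for in endpoint telemetry. What follows is an added example, not part of this report and not code from the DcRat or Colibri projects: it runs a parent-image check over a handful of constructed process-creation records that mirror the report's tree (PID 1788 and the first six schtasks.exe children are taken from the table; the msiexec.exe control record, the powershell.exe record and the sample's drop path are assumptions), then groups hits per parent so that a single administrative WMI call does not raise the same alert as a burst of fifty-seven.

```python
"""Flag scripting and scheduling tools started under WmiPrvSE.exe.

Added example; not part of the sandbox report and not DcRat code. The
records below are constructed to mirror the report's tree (WmiPrvSE.exe
PID 1788 parenting many schtasks.exe launches) using Sysmon Event ID 1 /
Security 4688 style fields, but they are hand-written, not exported logs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Interpreters and admin tools that WmiPrvSE.exe almost never needs to
# start on its own. Anything it does start came from a WMI method call
# such as Win32_Process.Create, issued locally or remotely. Tune per fleet.
LOLBINS = {
    "schtasks.exe", "powershell.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
WMIPRVSE_SUFFIX = "\\wbem\\wmiprvse.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # child file name, e.g. "schtasks.exe"
    parent_image: str   # full path of the parent image


def wmi_spawned_lolbins(events, allow=frozenset()):
    """Return [(child pid, image, parent pid)] for every LOLBIN whose
    parent is WmiPrvSE.exe and whose image is not in 'allow' (images your
    environment deliberately launches via WMI, e.g. an inventory agent)."""
    hits = []
    for e in events:
        if not e.parent_image.lower().endswith(WMIPRVSE_SUFFIX):
            continue
        image = e.image.lower()
        if image in LOLBINS and image not in allow:
            hits.append((e.pid, image, e.ppid))
    return hits


def bursts(hits, threshold=5):
    """Group hits by parent PID; return parents with >= threshold children.

    One WMI-launched schtasks.exe may be an administrator at work; dozens
    from one provider host within a couple of minutes, as in the report,
    is the persistence pattern."""
    per_parent = defaultdict(list)
    for pid, _image, ppid in hits:
        per_parent[ppid].append(pid)
    return {ppid: pids for ppid, pids in per_parent.items() if len(pids) >= threshold}


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Assumed drop location of the sample; the report does not state it.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"

# Constructed events: the first six child PIDs come from the report's
# table; the last two are controls that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(2144, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(456, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(900, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(2836, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(3284, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(3460, 1788, "schtasks.exe", WMIPRVSE),
    ProcEvent(6000, 1788, "msiexec.exe", WMIPRVSE),    # WMI child, but not a LOLBIN in our list
    ProcEvent(1272, 3760, "powershell.exe", SAMPLE),   # LOLBIN, but parented by the sample, not WMI
]


def report(events=SAMPLE_EVENTS):
    """Run both checks over a list of ProcEvent records."""
    hits = wmi_spawned_lolbins(events)
    return hits, bursts(hits)


if __name__ == "__main__":
    hits, burst = report()
    for pid, image, ppid in hits:
        print(f"WmiPrvSE.exe (pid {ppid}) started {image} as pid {pid}")
    for ppid, pids in burst.items():
        print(f"burst: {len(pids)} LOLBIN children under WmiPrvSE.exe pid {ppid}")
```

In production the same logic keys on the parent's process GUID and a time window instead of a bare parent PID, and the command line of each child (absent from this report excerpt) is what tells a task named after a Windows component apart from a legitimate one.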
Sets UAC policy values to 0 39 IoCs
The three values live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 switches UAC off at the next reboot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 stops prompts from being drawn on the isolated secure desktop. Writing this key requires an administrator token, so these writes also show the sample and every dropped sihost.exe instance running elevated.
description (all entries): Set value (int), data "0"
ioc | Process | count
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe | 12
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | sihost.exe | 12
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | sihost.exe | 12
-
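The registry table above is in the report's own "Set value (type) path = "data" process" format, which is worth parsing rather than reading by eye when a report has dozens of near-identical rows. The block below is an added example, not part of the report and not DcRat code: a parser for that line format, a rule that counts only writes which actually disable a UAC protection, and the reg.exe commands that restore stock values. The four report lines are copied from the table; the two control lines, the stock-default table (UAC_SECURE) and the remediation syntax are assumptions to verify against your own baseline.

```python
"""Parse the report's registry 'Set value' lines and rate the UAC damage.

Added example; not part of the sandbox report and not DcRat code.
SAMPLE_LINES copies four entries in the report's table format plus two
constructed control lines. UAC_SECURE holds stock Windows 10 values and
the reg.exe syntax is standard; verify both against your own baseline.
"""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows 10 values. Writing 0 removes a layer in each case:
#   EnableLUA = 0                  UAC off entirely after the next reboot
#   ConsentPromptBehaviorAdmin = 0 administrators elevate with no prompt
#   PromptOnSecureDesktop = 0      prompt drawn on the user desktop, where
#                                  other processes can see and drive it
UAC_SECURE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
# Values that disable the protection (ConsentPromptBehaviorAdmin 1-5 all
# still prompt in some form, so only 0 is treated as disabling).
UAC_DISABLING = {"EnableLUA": {0}, "ConsentPromptBehaviorAdmin": {0}, "PromptOnSecureDesktop": {0}}

SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<process>\S+)'
)


def parse_set_values(lines):
    """Yield one dict per 'Set value (...)' line; other report lines are skipped."""
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if m is None:
            continue
        key, _, name = m["path"].rpartition("\\")
        yield {"key": key, "name": name, "type": m["type"],
               "data": m["data"], "process": m["process"]}


def uac_weakening(events):
    """Return {value name: Counter(process -> writes)} for writes that
    disable a UAC protection. Key comparison is case-insensitive because
    the registry is; a same-named value under another key is ignored."""
    result = {}
    for ev in events:
        if ev["key"].lower() != UAC_KEY.lower() or ev["name"] not in UAC_DISABLING:
            continue
        try:
            data = int(ev["data"])
        except ValueError:
            continue                      # non-numeric data: not a policy DWORD
        if data in UAC_DISABLING[ev["name"]]:
            result.setdefault(ev["name"], Counter())[ev["process"]] += 1
    return result


def remediation_commands(weakened):
    """reg.exe commands restoring the stock value for each weakened setting.
    EnableLUA only takes effect after a reboot, in either direction."""
    return [
        f'reg add "{HKLM_UAC_KEY}" /v {name} /t REG_DWORD /d {UAC_SECURE[name]} /f'
        for name in sorted(weakened)
    ]


SAMPLE_LINES = [
    # Four entries copied from the report's table
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe',
    # Constructed controls: a read (not a write), and a same-named value under a user hive
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sihost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Example\EnableLUA = "0" example.exe',
]


def analyse(lines=SAMPLE_LINES):
    """Parse, rate and produce remediation for a list of report lines."""
    weakened = uac_weakening(parse_set_values(lines))
    return weakened, remediation_commands(weakened)


if __name__ == "__main__":
    weakened, commands = analyse()
    for name, by_process in weakened.items():
        print(name, dict(by_process))
    print("\n".join(commands))
```

Restoring the three values is a containment step, not a cleanup: the processes that wrote them (the sample and twelve sihost.exe instances, all elevated) are still the problem, and on a host where EnableLUA was really flipped the change is not in force until the next reboot.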
Memory YARA match 1 IoC
The dcrat rule matched a region inside PID 3760, the sample's own process (see Suspicious behavior: EnumeratesProcesses), not a dropped file.
resource | yara_rule
behavioral2/memory/3760-3-0x000000001B460000-0x000000001B58E000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. All eleven powershell.exe instances are started directly by the sample (PID 3760; see Suspicious use of WriteProcessMemory). The report lists only their PIDs; the exclusion command lines themselves are not shown.
pid | Process
2388 | powershell.exe
1272 | powershell.exe
2276 | powershell.exe
3604 | powershell.exe
4112 | powershell.exe
2924 | powershell.exe
4376 | powershell.exe
724 | powershell.exe
3592 | powershell.exe
3024 | powershell.exe
396 | powershell.exe
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | sihost.exe | 12
-
Executes dropped EXE 36 IoCs
sihost.exe below is the copy written to C:\Program Files\dotnet\sihost.exe (see Drops file in Program Files directory), not the Windows shell infrastructure host in C:\Windows\System32. PIDs are reused within the run (4004 is listed for both sihost.exe and tmpC2CE.tmp.exe), so correlate on start time or process GUID rather than on PID alone.
pid | Process
644 | tmp9210.tmp.exe
212 | tmp9210.tmp.exe
3620 | tmp9210.tmp.exe
3052 | sihost.exe
4028 | tmpCC68.tmp.exe
4740 | tmpCC68.tmp.exe
1148 | sihost.exe
3084 | tmpEADD.tmp.exe
3988 | tmpEADD.tmp.exe
3912 | tmpEADD.tmp.exe
2208 | tmpEADD.tmp.exe
1688 | sihost.exe
2644 | tmp606.tmp.exe
4728 | tmp606.tmp.exe
4004 | sihost.exe
536 | sihost.exe
3424 | sihost.exe
2636 | tmp5ABD.tmp.exe
4512 | tmp5ABD.tmp.exe
1168 | sihost.exe
1800 | tmp779C.tmp.exe
1188 | sihost.exe
764 | tmp9371.tmp.exe
5060 | tmp9371.tmp.exe
1032 | sihost.exe
4004 | tmpC2CE.tmp.exe
4868 | tmpC2CE.tmp.exe
4456 | sihost.exe
3800 | tmpF22B.tmp.exe
4308 | tmpF22B.tmp.exe
4844 | sihost.exe
4892 | tmp21E6.tmp.exe
988 | tmp21E6.tmp.exe
3292 | sihost.exe
1936 | tmp51A1.tmp.exe
3456 | tmp51A1.tmp.exe
-
Reads and sets the EnableLUA policy value 26 IoCs
Each process reads EnableLUA before writing it to 0; the reads and writes by sihost.exe come from the twelve dropped instances listed under Executes dropped EXE.
description | ioc | Process | count
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe | 12
-
Suspicious use of SetThreadContext 10 IoCs
Every entry is a dropped tmp*.tmp.exe setting the thread context of a second instance of the same image that it started itself (the 212 -> 3620 and 4028 -> 4740 chains, each with seven memory writes into the child, are visible under Suspicious use of WriteProcessMemory). A parent writing into a freshly created copy of itself and then redirecting its thread is the process-hollowing (RunPE) pattern, not a debugger or crash handler at work.
description | pid | Process | procid_target
PID 212 set thread context of 3620 | 212 | tmp9210.tmp.exe | 144
PID 4028 set thread context of 4740 | 4028 | tmpCC68.tmp.exe | 185
PID 3912 set thread context of 2208 | 3912 | tmpEADD.tmp.exe | 196
PID 2644 set thread context of 4728 | 2644 | tmp606.tmp.exe | 208
PID 2636 set thread context of 4512 | 2636 | tmp5ABD.tmp.exe | 228
PID 764 set thread context of 5060 | 764 | tmp9371.tmp.exe | 250
PID 4004 set thread context of 4868 | 4004 | tmpC2CE.tmp.exe | 259
PID 3800 set thread context of 4308 | 3800 | tmpF22B.tmp.exe | 268
PID 4892 set thread context of 988 | 4892 | tmp21E6.tmp.exe | 278
PID 1936 set thread context of 3456 | 1936 | tmp51A1.tmp.exe | 288
-
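The self-hollowing pattern in the table above is a correlation, not a single event: a SetThreadContext call is only interesting when the target is a child of the caller and runs the caller's own image. The block below is an added example, not part of this report and not DcRat code, that performs that correlation. The tmp9210.tmp.exe and tmpCC68.tmp.exe records and the two SetThreadContext events are taken from this report; the debugger control, the self-context event and the grandparent event are constructed. It keys on PIDs because that is all the report gives; real telemetry should key on a process GUID, since this very report reuses PID 4004 for both sihost.exe and tmpC2CE.tmp.exe and PID 3912 for tmpEADD.tmp.exe and schtasks.exe.

```python
"""Correlate SetThreadContext events with the process tree to spot
self-hollowing droppers.

Added example; not part of the sandbox report and not DcRat code. Process
records mirror the report's tmp9210.tmp.exe and tmpCC68.tmp.exe chains;
the control records and events are constructed. PIDs stand in for the
process GUIDs a real pipeline would use, because the report reuses PIDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class ThreadContextEvent:
    source_pid: int   # process calling SetThreadContext
    target_pid: int   # process that owns the thread being modified


def self_hollowing_hits(procs, events):
    """Return (source pid, target pid, image) for every cross-process
    SetThreadContext where the target is a direct child of the source and
    runs the same image: a parent redirecting execution inside a fresh
    copy of itself, the RunPE / process-hollowing pattern."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for ev in events:
        src = by_pid.get(ev.source_pid)
        dst = by_pid.get(ev.target_pid)
        if src is None or dst is None:
            continue          # unknown process: nothing to correlate against
        if src.pid == dst.pid:
            continue          # a process adjusting its own threads (SEH, CLR) is not injection
        if dst.ppid == src.pid and dst.image.lower() == src.image.lower():
            hits.append((src.pid, dst.pid, src.image))
    return hits


SAMPLE_NAME = "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"

SAMPLE_PROCS = [
    Proc(3760, 0, SAMPLE_NAME),             # parent not given in the report
    Proc(644, 3760, "tmp9210.tmp.exe"),
    Proc(212, 644, "tmp9210.tmp.exe"),
    Proc(3620, 212, "tmp9210.tmp.exe"),
    Proc(3052, 3760, "sihost.exe"),
    Proc(4028, 3052, "tmpCC68.tmp.exe"),
    Proc(4740, 4028, "tmpCC68.tmp.exe"),
    # Constructed controls: a debugger attached to a child of a different image
    Proc(9001, 1, "devenv.exe"),
    Proc(9002, 9001, "app.exe"),
]

SAMPLE_EVENTS = [
    ThreadContextEvent(212, 3620),    # from the report: hollowing
    ThreadContextEvent(4028, 4740),   # from the report: hollowing
    ThreadContextEvent(9001, 9002),   # constructed: debugger, different image, not flagged
    ThreadContextEvent(3760, 3760),   # constructed: own thread, not flagged
    ThreadContextEvent(644, 3620),    # constructed: grandparent, not the creator, not flagged
]


if __name__ == "__main__":
    for src, dst, image in self_hollowing_hits(SAMPLE_PROCS, SAMPLE_EVENTS):
        print(f"{image}: pid {src} hollowed its child pid {dst}")
```

Pair this with the WriteProcessMemory events: in the report the two hollowed children (3620 and 4740) each receive seven writes from the parent, which is the second half of the same technique and a useful corroborating signal when SetThreadContext is not logged.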
Drops file in Program Files directory 21 IoCs
Every executable name below belongs to a Windows system process (winlogon.exe, csrss.exe, sihost.exe, RuntimeBroker.exe) or to a kernel pseudo-process that has no image file at all (Registry), yet none of the paths is C:\Windows\System32, where the genuine binaries live. Each copy is written beside a 14-hex-character marker file, and the RCX*.tmp entries are temporary files created in the same directories during the copy.
Process (all 21 entries): c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
description | ioc
File created | C:\Program Files\Microsoft Office\9e8d7a4ca61bd9
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe
File opened for modification | C:\Program Files\Windows Security\RCX9C08.tmp
File opened for modification | C:\Program Files\Windows Security\csrss.exe
File created | C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d
File created | C:\Program Files\dotnet\sihost.exe
File created | C:\Program Files\dotnet\66fc9ff0ee96c2
File created | C:\Program Files\Windows Security\csrss.exe
File created | C:\Program Files\Microsoft Office\RuntimeBroker.exe
File opened for modification | C:\Program Files\Windows Media Player\en-US\Registry.exe
File opened for modification | C:\Program Files\Microsoft Office\RuntimeBroker.exe
File created | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe
File created | C:\Program Files\Windows Media Player\en-US\Registry.exe
File created | C:\Program Files\Windows Media Player\en-US\ee2ad38f3d4382
File opened for modification | C:\Program Files\Windows Media Player\en-US\RCX97C1.tmp
File opened for modification | C:\Program Files\dotnet\RCX99E4.tmp
File opened for modification | C:\Program Files\dotnet\sihost.exe
File opened for modification | C:\Program Files\Microsoft Office\RCXAB03.tmp
File created | C:\Program Files\Windows Security\886983d96e3d3e
File created | C:\Program Files\ModifiableWindowsApps\winlogon.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX9379.tmp
-
Drops file in Windows directory 8 IoCs
Same pattern as above: backgroundTaskHost.exe really lives in C:\Windows\System32, and Idle (System Idle Process) has no executable on disk at all, so both names here are decoys, again paired with 14-hex-character marker files.
Process (all 8 entries): c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
description | ioc
File opened for modification | C:\Windows\de-DE\Idle.exe
File created | C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
File created | C:\Windows\IdentityCRL\INT\eddb19405b7ce1
File created | C:\Windows\de-DE\Idle.exe
File created | C:\Windows\de-DE\6ccacd8608530f
File opened for modification | C:\Windows\IdentityCRL\INT\RCX959D.tmp
File opened for modification | C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
File opened for modification | C:\Windows\de-DE\RCXAF99.tmp
-
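The two drop sections above share one detection idea: a file whose name is a Windows system binary, created anywhere other than that binary's real directory. The block below is an added example, not part of this report and not DcRat code, covering both sections. Its sample paths are the "File created" entries from the two tables plus three constructed benign controls; the KNOWN_LOCATIONS table describes a stock Windows 10 x64 install and the component-store allowance are assumptions to check against a clean host in your own fleet. It also looks for the 14-hex-character marker file this sample leaves beside each decoy, a pairing taken from this report rather than a general rule.

```python
"""Flag files named like Windows system binaries but written outside the
directories where the real ones live.

Added example; not part of the sandbox report and not DcRat code.
SAMPLE_PATHS reuses the 'File created' paths from the report's two drop
sections plus three constructed benign controls. KNOWN_LOCATIONS describes
a stock Windows 10 x64 install and is an assumption to verify.
"""
import ntpath
import re
from collections import defaultdict

# Where the genuine binary lives (lower-case). An empty tuple means there
# is no genuine binary: "Idle" (System Idle Process) and "Registry" are
# kernel-side pseudo-processes with no image file, so any Idle.exe or
# Registry.exe on disk is a decoy name.
KNOWN_LOCATIONS = {
    "winlogon.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "sihost.exe": (r"c:\windows\system32",),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "backgroundtaskhost.exe": (r"c:\windows\system32",),
    "idle.exe": (),
    "registry.exe": (),
}
# Windows servicing writes pristine copies of system binaries into the
# component store; treat it as trusted instead of alerting on every update.
TRUSTED_PREFIXES = (r"c:\windows\winsxs",)

# The report shows each decoy executable dropped beside an extension-less
# file whose name is 14 hex characters (e.g. 66fc9ff0ee96c2).
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def is_masquerade(path):
    """True when the file name is a known system binary name and the
    directory is neither its real home nor the component store."""
    name = ntpath.basename(path).lower()
    if name not in KNOWN_LOCATIONS:
        return False
    directory = ntpath.dirname(path).lower()
    for trusted in TRUSTED_PREFIXES:
        if directory == trusted or directory.startswith(trusted + "\\"):
            return False
    return directory not in KNOWN_LOCATIONS[name]


def masquerades(paths):
    """All paths from the list that fail the location check."""
    return [p for p in paths if is_masquerade(p)]


def directories_with_marker(paths):
    """Directories holding both a masquerading executable and a 14-hex
    marker file, the pairing this sample leaves behind (sorted)."""
    by_dir = defaultdict(list)
    for p in paths:
        by_dir[ntpath.dirname(p).lower()].append(ntpath.basename(p).lower())
    out = []
    for directory, names in by_dir.items():
        has_decoy = any(is_masquerade(ntpath.join(directory, n)) for n in names)
        has_marker = any(MARKER_RE.match(n) for n in names)
        if has_decoy and has_marker:
            out.append(directory)
    return sorted(out)


SAMPLE_PATHS = [
    # 'File created' entries from the report
    r"C:\Program Files\Microsoft Office\9e8d7a4ca61bd9",
    r"C:\Program Files\Microsoft Office\RuntimeBroker.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\winlogon.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d",
    r"C:\Program Files\dotnet\sihost.exe",
    r"C:\Program Files\dotnet\66fc9ff0ee96c2",
    r"C:\Program Files\Windows Security\csrss.exe",
    r"C:\Program Files\Windows Security\886983d96e3d3e",
    r"C:\Program Files\Windows Media Player\en-US\Registry.exe",
    r"C:\Program Files\Windows Media Player\en-US\ee2ad38f3d4382",
    r"C:\Program Files\ModifiableWindowsApps\winlogon.exe",
    r"C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe",
    r"C:\Windows\IdentityCRL\INT\eddb19405b7ce1",
    r"C:\Windows\de-DE\Idle.exe",
    r"C:\Windows\de-DE\6ccacd8608530f",
    # Constructed benign controls
    r"C:\Windows\System32\sihost.exe",
    r"C:\Windows\WinSxS\example-component\winlogon.exe",
    r"C:\Program Files\dotnet\dotnet.exe",
]


if __name__ == "__main__":
    for p in masquerades(SAMPLE_PATHS):
        print("decoy:", p)
    for d in directories_with_marker(SAMPLE_PATHS):
        print("decoy + marker:", d)
```

Run over a file-creation feed, the location check alone finds eight decoys in the report's paths and none in the controls; the marker pairing narrows that to the seven directories this sample staged fully (C:\Program Files\ModifiableWindowsApps has a decoy winlogon.exe but no marker file in the report).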
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
WerFault.exe (PID 4376) handled a crash in PID 1800, which is tmp779C.tmp.exe in the Executes dropped EXE list: the one dropped tmp*.tmp.exe that never appears as a SetThreadContext source, consistent with that stage failing before it could hollow a child.
pid | pid_target | Process | procid_target
4376 | 1800 | WerFault.exe | 236
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Only the dropped tmp*.tmp.exe stages read this key; the sample and sihost.exe use the separate Geo\Nation check listed under Checks computer location settings, so the two components carry two different geofencing routines.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9210.tmp.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp779C.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCC68.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpEADD.tmp.exe | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF22B.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp606.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp5ABD.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9371.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC2CE.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp21E6.tmp.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp51A1.tmp.exe | 1
-
Modifies registry class 13 IoCs
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 1
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | sihost.exe | 12
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These are the same 57 schtasks.exe instances that appear under Process spawned unexpected child process, all parented by WmiPrvSE.exe PID 1788.
Process: schtasks.exe
pid (in report order):
2444 1784 1064 3604 3336 456 3912 3284 5040 4680
2092 3564 3496 1096 3120 4880 2076 2072 5112 2984
3920 4672 3460 3952 724 2924 2144 1500 2452 3436
2976 4784 1000 1568 1148 2636 2576 1484 2208 4004
920 4052 900 2460 764 3644 3196 1816 4988 4204
2164 2836 1780 2388 2600 4448 2736
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | Process | count
3760 | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe | 11
1272, 3024, 396, 2924, 2276, 4112, 724, 4376, 2388, 3604, 3592 | powershell.exe | 3 each (33)
3052, 1148, 1688, 4004, 536, 3424, 1168, 1188, 1032, 4456, 4844, 3292 | sihost.exe | 1 each (12)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3760 | c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Token: SeDebugPrivilege | 1272, 3024, 4112, 396, 2924, 2276, 724, 4376, 2388, 3604, 3592 | powershell.exe
Token: SeDebugPrivilege | 3052, 1148, 1688, 4004, 536, 3424, 1168, 1188, 1032, 4456, 4844, 3292 | sihost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 39 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"4⤵
- Executes dropped EXE
PID:3620
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e1bd9e6-5573-4ff5-ac89-d36980a9e43b.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88f47692-e819-45f0-b205-5d08eb189989.vbs"5⤵PID:2164
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1688 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9c52a9a-7b52-4f98-a659-fb0469ff71c2.vbs"7⤵PID:1536
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4004 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65843b57-4bdc-4bce-94ff-e953dac6c35f.vbs"9⤵PID:3532
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:536 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836a5d68-3fb4-4b78-b48a-745f5980d021.vbs"11⤵PID:3600
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\376adb97-fcf6-4c68-91e2-e3e5fb26b777.vbs"13⤵PID:1136
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1168 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25b1fb2d-f230-41e5-8c29-89979b8603a9.vbs"15⤵PID:5072
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1188 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d2d660-9b63-4fb4-9d65-c611191957c2.vbs"17⤵PID:5108
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2205b37-cf23-446f-aa71-29a5b5046cde.vbs"19⤵PID:5000
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\785a4840-82eb-4e14-bf7f-a3bebf529022.vbs"21⤵PID:4240
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4844 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ac1a74e-e451-420b-9a31-bf1c26c3a414.vbs"23⤵PID:1284
-
C:\Program Files\dotnet\sihost.exe"C:\Program Files\dotnet\sihost.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3292 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a730d9c-b43b-4025-b04f-f5a2a1e0655d.vbs"25⤵PID:1548
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71c9ed71-3301-48c6-8eeb-f95e9bd11cca.vbs"25⤵PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\tmp51A1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp51A1.tmp.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\tmp51A1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp51A1.tmp.exe"26⤵
- Executes dropped EXE
PID:3456
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d2178cd-d51b-4d8c-84d2-42efad88b691.vbs"23⤵PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\tmp21E6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp21E6.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\tmp21E6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp21E6.tmp.exe"24⤵
- Executes dropped EXE
PID:988
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47b8bccd-aec2-4fd9-afed-fdef6d1fce56.vbs"21⤵PID:1500
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF22B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF22B.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\tmpF22B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF22B.tmp.exe"22⤵
- Executes dropped EXE
PID:4308
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8da70988-58dc-4856-a3ef-210f239d2e8d.vbs"19⤵PID:4740
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC2CE.tmp.exe"20⤵
- Executes dropped EXE
PID:4868
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0338e929-5a96-40ca-895a-bfe272ab6ff5.vbs"17⤵PID:3208
-
-
C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:764 -
C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"18⤵
- Executes dropped EXE
PID:5060
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7b54b9-3deb-4956-bae0-1e1d77a25eb4.vbs"15⤵PID:4936
-
-
C:\Users\Admin\AppData\Local\Temp\tmp779C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp779C.tmp.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\tmp779C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp779C.tmp.exe"16⤵PID:2600
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 312 16⤵
- Program crash
PID:4376
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c658718-c7d8-477a-a6c9-798dba241641.vbs"13⤵PID:4676
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp.exe"14⤵
- Executes dropped EXE
PID:4512
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c1380b5-9a7a-45ca-ab32-7df85e3eab23.vbs"11⤵PID:64
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17042936-8a6f-479a-8834-256ef9fd2baa.vbs"9⤵PID:3244
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b340097-3dab-4dae-956e-f3fa811c2909.vbs"7⤵PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\tmp606.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp606.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\tmp606.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp606.tmp.exe"8⤵
- Executes dropped EXE
PID:4728
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62ded22-2501-47a7-a157-47b257ea2099.vbs"5⤵PID:3628
-
-
C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp.exe"8⤵
- Executes dropped EXE
PID:2208
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe9d8a9-9685-48ac-a7b6-0ff3fa597845.vbs"3⤵PID:208
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp.exe"4⤵
- Executes dropped EXE
PID:4740
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Packages\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
PID:216
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 2
Downloads
-
Filesize 4.9MB
MD5 0ebad9b503420a52d8624a119e9b0390
SHA1 1f7ac06f73e31f55a13177d4d6e0992e9086c87a
SHA256 c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d
SHA512 ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40
-
Filesize 2KB
MD5 440cb38dbee06645cc8b74d51f6e5f71
SHA1 d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize 1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize 944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize 944B
MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize 944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize 944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize 944B
MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize 944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize 710B
MD5 d5b54a90f9ecbd72fab17f1e29390ae4
SHA1 641afbef6b35ea11d3aebd8a18866b3d9cb69174
SHA256 626faa39cc981b9219cf6a299b8f5a410f37bd220256f33c77fa71cadfda098a
SHA512 a82091b4109040616cdcbff232c025ccf8cc9f11e2d75220c65ecbabd318760c74fe2cefd02db42fc3805da0ac747908215fd269a5a664254b43746e54896dc0
-
Filesize 710B
MD5 49d283761d2a964989adac0034bb4d95
SHA1 28f81c66f5f46bae87f3d0327af22807179445c5
SHA256 f7c65f7e9a173fcff5aee74e99a2b76d8b7ca910ac1abdb940d0f642b60a374a
SHA512 87198bf38ba2e7598459a089675bd59a575c521820fddae23594d5f706937987097b911244541dd04d8406d5c526fc082892f2358c45f3ff31a5ad7fac88fddc
-
Filesize 710B
MD5 f606741044f50e86054f061c182b4133
SHA1 538222d33eb4c122c601b2bf9c4392de1ec7def5
SHA256 06bc05991bcaaf2f6d0b220bdcce99c8d6ae3fb76a5f134f1f66ac3f17b52158
SHA512 6b696ae6fa252d4ff8ce801f8df1b68d73e0e8946d12ae3cbdef78863f2105c5e8baba03e9d2c6e1fe26f17e0be6c738a35ac745721935d2bb98a44168eb20b7
-
Filesize 710B
MD5 8cc38f96e48fe11193b547389f46d3e8
SHA1 0abaa1f1a4704ba8940796ccc46299baa93e47b4
SHA256 919bf7c7257e17dd50cd8dd6adb6c56f681be7191ac7c3c619ea55cb297a44f2
SHA512 8628f8d5af4357f99b84699a8a92a2e18c925325deca1fbe108ba9a0a8a15fc7d4cc6383a1235b1c728d8c25e34b1d7b9d1baf159003423b8b6525093295c98e
-
Filesize 710B
MD5 e0ab87f5ac21ef37e5754916721cdb99
SHA1 595f263b698f72f4954316841e1aa05868e5f519
SHA256 83322ee609eb2ea7761440105c0f0ee9c781b734fb1bcd881e3dfbf1d037789f
SHA512 1ea7581698885ff9668681b921ba3ba4f70d979c03a3a914081d97a5226c287532b15542eb311ef186766f1a4d1bad3b3a6a0f3d85a7a6945489075a8e3b63c4
-
Filesize 709B
MD5 04524e94058a85395c0789faee38a2db
SHA1 d57fa8a3576c760de8ad9168026a5041df578227
SHA256 9f42918f46847df79b7e5ea1a41f230ebbd091f14d7d04c323791bf380cce20b
SHA512 c75a6b963c52d305eb58c73d0593f5c0fe736cd729a4846f04544c92f5b534e46f97299faaaff353298dc6be3fe4cd797d3a879489ebb8e8d406d0b1272c7d08
-
Filesize 710B
MD5 dc01b8732a289d98c9eb12a7567e959c
SHA1 591dd7c3ffb21a100e8927012ad7bba03979ce9c
SHA256 d9745f2d9eda0793aba218666a80b579247b46876cdf981b58d054d7a1b113ad
SHA512 555c12b28672546208028938bc4377180c36f207fc425bd18fba8e1ab32c63daaf14b27db5df40c6a0fa2300232627b8a6d8f7250e06dc304d672cd645527c5d
-
Filesize 486B
MD5 8ac4bdd458968adcaeb9880617511362
SHA1 0dffa346024800ff405a26c60e590b598253c225
SHA256 3af364329f190b56ae2a1a0519c5cc40d12333f179c26bf68dda453f5a134d37
SHA512 f18865f6eae0635e603ebd36bf615dbebacf764bd79f712b361a808c483018b9a9665d77f2ba242d6daab41f3b52721df217fd43600524be45c2c4bb1061761a
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 710B
MD5 182f58603a716943f7e2963175b5974e
SHA1 ce228b2acf8d2b92005b6c75f5742f443c28903f
SHA256 4685817cd07d9dacac4c759b538e647a12992843419454bb35f82e4ab0f45adb
SHA512 7c860a53a1ffe88d258807a12108c49e4d5e8a5a709697779f8efa296f7b7b54ec13bf35282b02f88efff518e6ebf6d0a099ffbd6956940312444d5685074bf4
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2