Analysis

max time kernel:  148s
max time network: 145s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        19-12-2024 03:45

Tasks on this sample
  static1      (static task)
  behavioral1  (behavioral task, resource win7-20240903-en)
Sample: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe

The signatures below are from the Windows 10 run (judging by the YARA memory path, behavioral2); behavioral1 is the Windows 7 run of the same file.
General

Target: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Size:   4.9MB
MD5:    35612ca19890339ff523d7a64dcc546f
SHA1:   8f6eb8a29167819fbe9b6274b770f2df64381203
SHA256: 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177
SHA512: 1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J  (the second chunk of the hash is cut off as recorded)
Malware Config

Extracted
  Family:  colibri
  Version: 1.2.0
  Build1
  C2:
    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

These are the loader's gate URLs as recovered from the config; treat them as network indicators to block and hunt for, not as pages to visit. Note that the config is Colibri while the memory of the primary process matches the dcrat YARA rule (see Signatures): the run contains both families, and the most plausible reading is that the DcRat binary stages the Colibri loader through the dropped tmp*.tmp.exe processes listed below.
Signatures

Colibri family

DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process    30 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For wmiprvse.exe in particular the usual cause is different: a WMI request (Win32_Process.Create) executes its target as a child of the WMI provider host, so schtasks.exe under wmiprvse.exe means "something created tasks through WMI", and the process to look for is the one that issued the WMI call, not an exploit of wmiprvse.exe itself.

Parent: C:\Windows\system32\wbem\wmiprvse.exe (PID 4544, process record 83) is not expected to spawn this process
Child:  schtasks.exe, 30 instances, PIDs
  2724, 536, 3984, 4928, 4680, 4960, 4892, 704, 208, 5092, 4640, 2200, 232, 4648, 1184, 2224, 2540, 1788, 3816, 2352, 1536, 4424, 2964, 3180, 2680, 3584, 2884, 2196, 4836, 4220

These are exactly the 30 schtasks.exe PIDs listed under "Scheduled Task/Job: Scheduled Task" below: every scheduled task in this run was created via wmiprvse.exe.
(signature heading not preserved in this extract; 42 registry writes, the same set the "System policy modification" signature below reports)

All rows are "Set value (int)" under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

  value                              written   Process                                                                 count
  EnableLUA = "0"                    yes       dwm.exe                                                                 13
  EnableLUA = "0"                    yes       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   1
  ConsentPromptBehaviorAdmin = "0"   yes       dwm.exe                                                                 13
  ConsentPromptBehaviorAdmin = "0"   yes       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   1
  PromptOnSecureDesktop = "0"        yes       dwm.exe                                                                 13
  PromptOnSecureDesktop = "0"        yes       2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   1

Together these three values switch UAC off: EnableLUA=0 disables UAC at the next logon, ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt, and PromptOnSecureDesktop=0 moves the consent dialog off the secure desktop. The dwm.exe here is the dropped copy (13 instances under "Executes dropped EXE"), not the Desktop Window Manager; each instance writes the three values once, which is where the 13 per value comes from.
YARA match (memory of the sample process, PID 3728)
  resource: behavioral2/memory/3728-3-0x000000001B880000-0x000000001B9AE000-memory.dmp
  rule:     dcrat
Command and Scripting Interpreter: PowerShell    1 TTPs    11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
powershell.exe instances (PIDs): 2384, 2388, 5084, 2064, 3124, 3060, 436, 2708, 4700, 5080, 2960
All eleven are children of the sample (PID 3728; see the WriteProcessMemory table below). The command lines are not part of this extract, so which paths, extensions or processes were excluded is not shown here.
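The two process-level behaviours above (wmiprvse.exe launching schtasks.exe, and PowerShell adding Defender exclusions) are easy to turn into detection logic over process-creation telemetry. The Python below is an added example, not output of the sandbox or code from the sample: it runs two rules over a constructed event list. The PIDs (4544 for wmiprvse.exe, 2724/536/3984 for schtasks.exe, 3728 for the sample, 2384/2388 for powershell.exe) are taken from the tables on this page; the command lines are assumptions, because the extract does not record them, and the list of children that wmiprvse.exe should never spawn is this example's own choice rather than the sandbox's list.

```python
"""Triage process-creation events for (1) wmiprvse.exe spawning interpreters or
LOLBins and (2) powershell.exe adding Microsoft Defender exclusions."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str           # basename of the new process, e.g. "schtasks.exe"
    parent_pid: int
    parent_image: str
    cmdline: str = ""    # may be empty when the telemetry source lacks it


# Rule 1. Win32_Process.Create runs its target as a child of wmiprvse.exe, so any
# of these under the WMI provider host means "a command was launched via WMI".
# The set is an assumption for this example.
UNEXPECTED_WMIPRVSE_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Rule 2. Add-MpPreference / Set-MpPreference with an -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b"
)


def triage(events):
    """Return (rule_name, event) for every event that matches a rule."""
    findings = []
    for ev in events:
        if (ev.parent_image.lower() == "wmiprvse.exe"
                and ev.image.lower() in UNEXPECTED_WMIPRVSE_CHILDREN):
            findings.append(("wmiprvse_unexpected_child", ev))
        if (ev.image.lower() in {"powershell.exe", "pwsh.exe"}
                and DEFENDER_EXCLUSION.search(ev.cmdline)):
            findings.append(("defender_exclusion_added", ev))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'wmiprvse_unexpected_child': 3}."""
    return dict(Counter(rule for rule, _ in findings))


SAMPLE = "2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe"

# Constructed events mirroring the report; command lines are assumptions.
EVENTS = [
    ProcEvent(2724, "schtasks.exe", 4544, "wmiprvse.exe"),
    ProcEvent(536, "schtasks.exe", 4544, "wmiprvse.exe"),
    ProcEvent(3984, "schtasks.exe", 4544, "wmiprvse.exe"),
    ProcEvent(2384, "powershell.exe", 3728, SAMPLE,
              'powershell.exe -Command Add-MpPreference -ExclusionPath '
              '"C:\\Program Files (x86)\\Common Files\\Java"'),
    ProcEvent(2388, "powershell.exe", 3728, SAMPLE,
              "powershell.exe -Command Add-MpPreference -ExclusionProcess dwm.exe"),
    # Benign noise: neither rule should fire on these.
    ProcEvent(900, "svchost.exe", 700, "services.exe"),
    ProcEvent(4100, "powershell.exe", 1200, "explorer.exe",
              "powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(f"{rule}: {ev.parent_image}({ev.parent_pid}) -> {ev.image}({ev.pid})")
    print(summarize(triage(EVENTS)))
```

Rule 1 deliberately keys on the parent image rather than on schtasks.exe alone, because schtasks.exe under explorer.exe or an installer is routine; rule 2 matches on the cmdlet and parameter names, so it also catches the exclusion being added through Set-MpPreference or via an encoded command once that has been decoded upstream.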
Checks computer location settings    2 TTPs    14 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
  dwm.exe                                                                 13 queries
  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   1 query
Executes dropped EXE    49 IoCs
Listed in execution order; each dwm.exe instance is followed by the tmp*.tmp.exe stage it launched.
  tmpA720.tmp.exe  4604, 2156, 4692
  dwm.exe          3480
  tmpDF83.tmp.exe  3116, 3152
  dwm.exe          4488
  tmpFBA.tmp.exe   3916, 3984, 3156
  dwm.exe          2200
  tmp2D54.tmp.exe  3896, 1748, 1864
  dwm.exe          4364
  tmp5F13.tmp.exe  3116, 1760
  dwm.exe          3540
  tmp92E4.tmp.exe  1468, 1408, 2544, 3636
  dwm.exe          4056
  tmpC4E1.tmp.exe  1508, 4292, 2676
  dwm.exe          4472
  tmpE29B.tmp.exe  2420, 1404
  dwm.exe          3868
  tmp11F8.tmp.exe  1416, 3048
  dwm.exe          1016
  tmp424F.tmp.exe  3452, 4832
  dwm.exe          3348
  tmp72A6.tmp.exe  5016, 3232
  dwm.exe          1652
  tmp8EE8.tmp.exe  3240, 4220
  dwm.exe          5092
  tmpBE45.tmp.exe  3464, 1748
  dwm.exe          840
  tmpDAA7.tmp.exe  3588, 2052, 4200, 1392

dwm.exe is the dropped copy, not C:\Windows\System32\dwm.exe. The pattern repeats 13 times: a new dwm.exe instance writes a fresh tmp*.tmp.exe (14 distinct names) and runs it, and that stage re-launches itself two or three times before the hollowing seen under SetThreadContext. PIDs are recycled within the run (3116 is both tmpDF83.tmp.exe and tmp5F13.tmp.exe; 1748, 3984, 4220, 5092 and 2200 also recur in other tables), so match rows on image and time, not on PID alone.
(signature heading not preserved in this extract: reads and writes of the UAC EnableLUA value, 28 rows)

Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Key value queried          dwm.exe  13     2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe  1
  Set value (int) = "0"      dwm.exe  13     2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe  1

The rows interleave reads and writes, consistent with each instance checking whether UAC is enabled before zeroing the value.
Suspicious use of SetThreadContext    14 IoCs
  pid   set thread context of   Process (source image)   procid_target
  2156  4692                    tmpA720.tmp.exe          117
  3116  3152                    tmpDF83.tmp.exe          154
  3984  3156                    tmpFBA.tmp.exe           162
  1748  1864                    tmp2D54.tmp.exe          170
  3116  1760                    tmp5F13.tmp.exe          176
  2544  3636                    tmp92E4.tmp.exe          184
  4292  2676                    tmpC4E1.tmp.exe          191
  2420  1404                    tmpE29B.tmp.exe          197
  1416  3048                    tmp11F8.tmp.exe          203
  3452  4832                    tmp424F.tmp.exe          209
  5016  3232                    tmp72A6.tmp.exe          215
  3240  4220                    tmp8EE8.tmp.exe          221
  3464  1748                    tmpBE45.tmp.exe          227
  4200  1392                    tmpDAA7.tmp.exe          235

In every row the target is a second instance of the same tmp*.tmp.exe (compare the PIDs under "Executes dropped EXE"), and the WriteProcessMemory table shows the source writing into that child several times first (seven writes from 2156 into 4692, for example). Spawn a copy of yourself, overwrite its memory, redirect the main thread with SetThreadContext and resume it is the RunPE / process-hollowing sequence, so the hollowed children are the processes to dump if you want the unpacked payload.
Drops file in Program Files directory    16 IoCs
All by 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe.
  C:\Program Files (x86)\Microsoft\Edge\Application\
    File created:               OfficeClickToRun.exe, e6c9b481da804f
    File opened for modification: OfficeClickToRun.exe, RCXB65A.tmp
  C:\Program Files (x86)\Windows Photo Viewer\es-ES\
    File created:               Idle.exe, 6ccacd8608530f
    File opened for modification: Idle.exe, RCXAFB0.tmp
  C:\Program Files (x86)\Windows Defender\uk-UA\
    File created:               RuntimeBroker.exe, 9e8d7a4ca61bd9
    File opened for modification: RuntimeBroker.exe, RCXB231.tmp
  C:\Program Files (x86)\Common Files\Java\
    File created:               fontdrvhost.exe, 5b884080fd4f94
    File opened for modification: fontdrvhost.exe, RCXB86E.tmp

Each drop follows the same recipe: a binary named after a legitimate Windows component placed in a directory where that component never lives (RuntimeBroker.exe and fontdrvhost.exe belong in System32, not under a language subfolder or Common Files\Java), a companion file with a 14-hex-character name, and an RCX*.tmp staging file. The masqueraded names plus the wrong paths are the hunting signal; the names on their own are not.
Drops file in Windows directory    4 IoCs
All by 2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe.
  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
    File created:               Registry.exe, ee2ad38f3d4382
    File opened for modification: Registry.exe, RCXA3F2.tmp

C:\Windows\Installer\{product-code} folders hold cached MSI resources, and this GUID is the product code used by Adobe Acrobat Reader installers, so a Registry.exe there blends in with installer leftovers. Same companion-file and RCX*.tmp pattern as the Program Files drops.
Enumerates physical storage devices    1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery    1 TTPs    22 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  tmpA720.tmp.exe  2      tmpDF83.tmp.exe  1      tmpFBA.tmp.exe   2      tmp2D54.tmp.exe  2
  tmp5F13.tmp.exe  1      tmp92E4.tmp.exe  3      tmpC4E1.tmp.exe  2      tmpE29B.tmp.exe  1
  tmp11F8.tmp.exe  1      tmp424F.tmp.exe  1      tmp72A6.tmp.exe  1      tmp8EE8.tmp.exe  1
  tmpBE45.tmp.exe  1      tmpDAA7.tmp.exe  3

Only the tmp*.tmp.exe stages do this; the dwm.exe stage uses the Geo\Nation value instead (see "Checks computer location settings").
Modifies registry class    14 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings
  dwm.exe                                                                 13
  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   1
This key is touched by plenty of legitimate shell and COM activity; on its own it is low-signal and is listed here for completeness.
Scheduled Task/Job: Scheduled Task    1 TTPs    30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe instances (PIDs): 2200, 1788, 2680, 2724, 4640, 232, 2352, 4836, 4220, 208, 5092, 4648, 1184, 1536, 536, 2224, 3984, 4928, 4892, 4424, 3180, 704, 3584, 2196, 4680, 4960, 2540, 3816, 2964, 2884
The same 30 PIDs appear under "Process spawned unexpected child process": all were launched by wmiprvse.exe.
Suspicious behavior: EnumeratesProcesses    63 IoCs
  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe (PID 3728)   17
  powershell.exe, 3 each: 2960, 2388, 2384, 2064, 436, 2708, 5084, 3124, 5080, 4700, 3060   33
  dwm.exe, 1 each: 3480, 4488, 2200, 4364, 3540, 4056, 4472, 3868, 1016, 3348, 1652, 5092, 840   13
Suspicious use of AdjustPrivilegeToken    25 IoCs
Token: SeDebugPrivilege
  2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   3728
  powershell.exe   2960, 4700, 436, 2384, 2388, 2064, 2708, 5084, 3060, 3124, 5080
  dwm.exe          3480, 4488, 2200, 4364, 3540, 4056, 4472, 3868, 1016, 3348, 1652, 5092, 840
Suspicious use of WriteProcessMemory    64 IoCs
Rows grouped by writer and target; "writes" is the number of rows for that pair. Target images come from rows where the target later acts as a writer, or from the "Executes dropped EXE" and PowerShell lists; where neither gives one it is marked unrecorded.
  writer pid  Process                                                                 target pid (procid_target)  target image          writes
  3728        2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   4604 (114)                  tmpA720.tmp.exe       3
  4604        tmpA720.tmp.exe                                                         2156 (116)                  tmpA720.tmp.exe       3
  2156        tmpA720.tmp.exe                                                         4692 (117)                  tmpA720.tmp.exe       7
  3728        2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   5080 (121), 2960 (122), 2388 (123), 2384 (124), 4700 (125), 2708 (127), 436 (128), 3060 (129), 2064 (130), 5084 (131), 3124 (132)   powershell.exe   2 each (22)
  3728        2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe   4724 (142)                  cmd.exe               2
  4724        cmd.exe                                                                 2968 (145)                  unrecorded            2
  4724        cmd.exe                                                                 3480 (149)                  dwm.exe               2
  3480        dwm.exe                                                                 2568 (150)                  WScript.exe           2
  3480        dwm.exe                                                                 1888 (151)                  unrecorded            2
  3480        dwm.exe                                                                 3116 (152)                  tmpDF83.tmp.exe       3
  3116        tmpDF83.tmp.exe                                                         3152 (154)                  tmpDF83.tmp.exe       7
  2568        WScript.exe                                                             4488 (155)                  dwm.exe               2
  4488        dwm.exe                                                                 4268 (156)                  unrecorded            2
  4488        dwm.exe                                                                 3604 (157)                  unrecorded            2
  4488        dwm.exe                                                                 3916 (159)                  tmpFBA.tmp.exe        3

Read as a process tree: the sample starts the eleven powershell.exe instances and a cmd.exe; cmd.exe starts the first dropped dwm.exe (3480); that dwm.exe starts WScript.exe, which starts the next dwm.exe (4488); and each dwm.exe generation runs a tmp*.tmp.exe that spawns copies of itself and writes into the last one seven times before the SetThreadContext call. The list is capped at 64 entries, so only the first two dwm.exe generations appear here; the "Executes dropped EXE" list shows the chain continuing for 13.
System policy modification 1 TTPs 42 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3728

Depth 2: C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604

Depth 3: C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156

Depth 4: C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA720.tmp.exe"
- Executes dropped EXE
PID:4692

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

Depth 2: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ut9EuWwAra.bat"
- Suspicious use of WriteProcessMemory
PID:4724

Depth 3: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2968
Depth 3: C:\Users\Default\SendTo\dwm.exe
Command line: "C:\Users\Default\SendTo\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3480

Depth 4: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16f668e-f1b1-4419-91fa-de1b279cee5a.vbs"
- Suspicious use of WriteProcessMemory
PID:2568

Depth 5: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4488

Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b47d6c4-b9fd-4ddc-abf4-ed6d21d84c20.vbs"
PID:4268

Depth 7: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2200

Depth 8: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e149d8-56d5-48dd-bb35-ba81d143a1be.vbs"
PID:4476

Depth 9: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4364

Depth 10: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659a35fe-9e75-45af-961e-2e7895f83a10.vbs"
PID:4052

Depth 11: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3540

Depth 12: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a891af1-fbce-4005-8de3-377d9067883f.vbs"
PID:436

Depth 13: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4056

Depth 14: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0489c97-a900-4231-9ef7-358d6a39f525.vbs"
PID:432

Depth 15: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4472

Depth 16: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\965f8f22-388d-439a-9eb5-a81ef583c5ff.vbs"
PID:4784

Depth 17: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3868

Depth 18: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\defce018-923f-4327-b9ae-446df843061c.vbs"
PID:4800

Depth 19: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1016

Depth 20: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1396bd30-6cd1-40d7-9034-99ccaaed9187.vbs"
PID:1020

Depth 21: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3348

Depth 22: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b3e70b8-196b-4e52-b4f8-a83831101077.vbs"
PID:2396

Depth 23: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1652

Depth 24: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e907f783-02f0-4a65-9890-f80ab6339132.vbs"
PID:2912

Depth 25: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5092

Depth 26: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cd420e0-ee82-4789-8aef-c16e5d7d9853.vbs"
PID:2332

Depth 27: C:\Users\Default\SendTo\dwm.exe
Command line: C:\Users\Default\SendTo\dwm.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:840

Depth 28: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74ef0f6d-1e8c-4887-8ed3-3b3bdfb3b8e0.vbs"
PID:2352

Depth 28: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e820a9-bd35-4b30-9c31-0f78693be00d.vbs"
PID:3400

Depth 28: C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588

Depth 29: C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052

Depth 30: C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4200

Depth 31: C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDAA7.tmp.exe"
- Executes dropped EXE
PID:1392
Depth 26: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de1e6435-33b3-43a2-ab17-cede781c9159.vbs"
PID:4064

Depth 26: C:\Users\Admin\AppData\Local\Temp\tmpBE45.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBE45.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3464

Depth 27: C:\Users\Admin\AppData\Local\Temp\tmpBE45.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBE45.tmp.exe"
- Executes dropped EXE
PID:1748

Depth 24: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f20a6d1-9fdc-48ca-a6e2-d14c6c1be87e.vbs"
PID:2696

Depth 24: C:\Users\Admin\AppData\Local\Temp\tmp8EE8.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8EE8.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3240

Depth 25: C:\Users\Admin\AppData\Local\Temp\tmp8EE8.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8EE8.tmp.exe"
- Executes dropped EXE
PID:4220

Depth 22: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2993c6-2d53-4fcb-80e0-fe131432b7ed.vbs"
PID:2960

Depth 22: C:\Users\Admin\AppData\Local\Temp\tmp72A6.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp72A6.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5016

Depth 23: C:\Users\Admin\AppData\Local\Temp\tmp72A6.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp72A6.tmp.exe"
- Executes dropped EXE
PID:3232

Depth 20: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f6447dc-12ec-4a38-925c-c45872dc8068.vbs"
PID:2388

Depth 20: C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3452

Depth 21: C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
- Executes dropped EXE
PID:4832

Depth 18: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\034982c3-d225-445d-ace1-6ccaa8cef077.vbs"
PID:1512

Depth 18: C:\Users\Admin\AppData\Local\Temp\tmp11F8.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp11F8.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1416

Depth 19: C:\Users\Admin\AppData\Local\Temp\tmp11F8.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp11F8.tmp.exe"
- Executes dropped EXE
PID:3048

Depth 16: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b21e4c-4b65-4eee-9888-0951d61c8ade.vbs"
PID:1760

Depth 16: C:\Users\Admin\AppData\Local\Temp\tmpE29B.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE29B.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2420

Depth 17: C:\Users\Admin\AppData\Local\Temp\tmpE29B.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE29B.tmp.exe"
- Executes dropped EXE
PID:1404
Depth 14: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0b63640-695c-4b85-90ee-6475f3682548.vbs"
PID:4852

Depth 14: C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508

Depth 15: C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4292

Depth 16: C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC4E1.tmp.exe"
- Executes dropped EXE
PID:2676

Depth 12: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3976f5ea-0788-468f-b597-927f5dfb3ebe.vbs"
PID:3904

Depth 12: C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468

Depth 13: C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1408

Depth 14: C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2544

Depth 15: C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92E4.tmp.exe"
- Executes dropped EXE
PID:3636

Depth 10: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a37856e2-d563-4a31-a6f0-788054971926.vbs"
PID:616

Depth 10: C:\Users\Admin\AppData\Local\Temp\tmp5F13.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5F13.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3116

Depth 11: C:\Users\Admin\AppData\Local\Temp\tmp5F13.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5F13.tmp.exe"
- Executes dropped EXE
PID:1760

Depth 8: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d45c328-79a2-4a4c-a24b-bc4ae5a58377.vbs"
PID:4828

Depth 8: C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896

Depth 9: C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1748

Depth 10: C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D54.tmp.exe"
- Executes dropped EXE
PID:1864

Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee600259-9d3a-4c67-b0aa-17065f343f67.vbs"
PID:3604

Depth 6: C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3916

Depth 7: C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3984

Depth 8: C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp.exe"
- Executes dropped EXE
PID:3156

Depth 4: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ada360-2fac-4d3d-a8b2-f62724fe24c6.vbs"
PID:1888

Depth 4: C:\Users\Admin\AppData\Local\Temp\tmpDF83.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDF83.tmp.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116

Depth 5: C:\Users\Admin\AppData\Local\Temp\tmpDF83.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDF83.tmp.exe"
- Executes dropped EXE
PID:3152
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c1772" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c1772" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads