Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 11:24
Behavioral task behavioral1
  Sample: DCrat.exe
  Resource: win7-20240704-en

Behavioral task behavioral2
  Sample: DCrat.exe
  Resource: win10v2004-20240709-en
General

Target: DCrat.exe
Size: 3.7MB
MD5: 22cc90f49c151e2b37d98947d4fc7390
SHA1: 2838b3e4d3d67bd9af50535130c017f3f0e03e61
SHA256: 1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067
SHA512: 12eae0f34661ed05742cd183dc4225949004a60d59487d9771b6789482a71821560b3ffd1c81cdb4d5cd2e289f3843b91bfdb65379810b4200c03778c9e44b22
SSDEEP: 98304:Ubtsvkrdch4OslTJ64XIQB3MjkbFw6kzGYn:UJs8rCrsp44XIq3qztn
Malware Config
Signatures
DcRat (44 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid | process
3568 | schtasks.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e | portruntimesvc.exe
4536 | schtasks.exe
2272 | schtasks.exe
2252 | schtasks.exe
4552 | schtasks.exe
876 | schtasks.exe
3576 | schtasks.exe
4664 | schtasks.exe
3064 | schtasks.exe
2676 | schtasks.exe
4072 | schtasks.exe
1288 | schtasks.exe
3236 | schtasks.exe
404 | schtasks.exe
4580 | schtasks.exe
4856 | schtasks.exe
392 | schtasks.exe
3916 | schtasks.exe
3860 | schtasks.exe
3880 | schtasks.exe
3244 | schtasks.exe
2500 | schtasks.exe
2876 | schtasks.exe
4596 | schtasks.exe
1316 | schtasks.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | DCrat.exe
3604 | schtasks.exe
3212 | schtasks.exe
740 | schtasks.exe
3136 | schtasks.exe
4372 | schtasks.exe
4012 | schtasks.exe
1084 | schtasks.exe
1228 | schtasks.exe
3656 | schtasks.exe
3712 | schtasks.exe
5100 | schtasks.exe
2024 | schtasks.exe
2076 | schtasks.exe
380 | schtasks.exe
2136 | schtasks.exe
5036 | schtasks.exe
4768 | schtasks.exe
Modifies WinLogon for persistence (2 TTPs, 14 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Saved Games\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\upfc.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Saved Games\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\", \"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | portruntimesvc.exe
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
380 | 1368 | schtasks.exe
2076 | 1368 | schtasks.exe
1084 | 1368 | schtasks.exe
3064 | 1368 | schtasks.exe
2024 | 1368 | schtasks.exe
3656 | 1368 | schtasks.exe
3568 | 1368 | schtasks.exe
404 | 1368 | schtasks.exe
2272 | 1368 | schtasks.exe
4372 | 1368 | schtasks.exe
2676 | 1368 | schtasks.exe
1316 | 1368 | schtasks.exe
1228 | 1368 | schtasks.exe
4580 | 1368 | schtasks.exe
4072 | 1368 | schtasks.exe
1288 | 1368 | schtasks.exe
3136 | 1368 | schtasks.exe
3860 | 1368 | schtasks.exe
4664 | 1368 | schtasks.exe
3236 | 1368 | schtasks.exe
740 | 1368 | schtasks.exe
4012 | 1368 | schtasks.exe
2136 | 1368 | schtasks.exe
3880 | 1368 | schtasks.exe
5036 | 1368 | schtasks.exe
3244 | 1368 | schtasks.exe
2252 | 1368 | schtasks.exe
4768 | 1368 | schtasks.exe
4536 | 1368 | schtasks.exe
2500 | 1368 | schtasks.exe
2876 | 1368 | schtasks.exe
4856 | 1368 | schtasks.exe
3712 | 1368 | schtasks.exe
3604 | 1368 | schtasks.exe
4552 | 1368 | schtasks.exe
4596 | 1368 | schtasks.exe
876 | 1368 | schtasks.exe
3212 | 1368 | schtasks.exe
392 | 1368 | schtasks.exe
5100 | 1368 | schtasks.exe
3576 | 1368 | schtasks.exe
3916 | 1368 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Processes:
resource | yara_rule
C:\HyperSurrogateContaineragentWin\portruntimesvc.exe | dcrat
behavioral2/memory/3872-17-0x0000000000B90000-0x0000000000EFA000-memory.dmp | dcrat
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | DCrat.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | portruntimesvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | upfc.exe
Executes dropped EXE (14 IoCs)
Processes:
pid | process
3872 | portruntimesvc.exe
1456 | upfc.exe
3156 | upfc.exe
4968 | upfc.exe
4992 | upfc.exe
3112 | upfc.exe
3932 | upfc.exe
1344 | upfc.exe
1288 | upfc.exe
5036 | upfc.exe
2204 | upfc.exe
1416 | upfc.exe
3548 | upfc.exe
4248 | upfc.exe
Adds Run key to start application (2 TTPs, 26 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\upfc.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\CbsTemp\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\HyperSurrogateContaineragentWin\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\CbsTemp\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Package Cache\\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\\taskhostw.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Saved Games\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\upfc.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Tasks\\spoolsv.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\HyperSurrogateContaineragentWin\\SearchApp.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SKB\\LanguageModels\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Tasks\\spoolsv.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Saved Games\\fontdrvhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | portruntimesvc.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Drops file in Program Files directory 6 IoCs
Processes: portruntimesvc.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files\ModifiableWindowsApps\Registry.exe | portruntimesvc.exe |
| File created | C:\Program Files (x86)\Windows Photo Viewer\upfc.exe | portruntimesvc.exe |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ea1d8f6d871115 | portruntimesvc.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe | portruntimesvc.exe |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe | portruntimesvc.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e | portruntimesvc.exe |
Drops file in Windows directory 10 IoCs
Processes: portruntimesvc.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\Performance\WinSAT\DataStore\Registry.exe | portruntimesvc.exe |
| File created | C:\Windows\Performance\WinSAT\DataStore\ee2ad38f3d4382 | portruntimesvc.exe |
| File created | C:\Windows\SKB\LanguageModels\cc11b995f2a76d | portruntimesvc.exe |
| File created | C:\Windows\Tasks\f3b6ecef712a24 | portruntimesvc.exe |
| File created | C:\Windows\security\ApplicationId\PolicyManagement\24dbde2999530e | portruntimesvc.exe |
| File created | C:\Windows\CbsTemp\cc11b995f2a76d | portruntimesvc.exe |
| File created | C:\Windows\SKB\LanguageModels\winlogon.exe | portruntimesvc.exe |
| File created | C:\Windows\Tasks\spoolsv.exe | portruntimesvc.exe |
| File created | C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe | portruntimesvc.exe |
| File created | C:\Windows\CbsTemp\winlogon.exe | portruntimesvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 14 IoCs
Processes: upfc.exe (12 instances), portruntimesvc.exe, DCrat.exe

| description | ioc | process | count |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | upfc.exe | 12 |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | portruntimesvc.exe | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | DCrat.exe | 1 |
Modifies registry key 1 TTPs 1 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (42 instances)

| pid | process |
| --- | --- |
| 3656 | schtasks.exe |
| 1316 | schtasks.exe |
| 4768 | schtasks.exe |
| 2876 | schtasks.exe |
| 3604 | schtasks.exe |
| 4596 | schtasks.exe |
| 876 | schtasks.exe |
| 5100 | schtasks.exe |
| 2076 | schtasks.exe |
| 4372 | schtasks.exe |
| 3860 | schtasks.exe |
| 4664 | schtasks.exe |
| 3236 | schtasks.exe |
| 4012 | schtasks.exe |
| 4552 | schtasks.exe |
| 2676 | schtasks.exe |
| 740 | schtasks.exe |
| 3212 | schtasks.exe |
| 392 | schtasks.exe |
| 3064 | schtasks.exe |
| 3568 | schtasks.exe |
| 3136 | schtasks.exe |
| 2136 | schtasks.exe |
| 4536 | schtasks.exe |
| 380 | schtasks.exe |
| 1084 | schtasks.exe |
| 404 | schtasks.exe |
| 1288 | schtasks.exe |
| 3880 | schtasks.exe |
| 5036 | schtasks.exe |
| 3244 | schtasks.exe |
| 2252 | schtasks.exe |
| 3916 | schtasks.exe |
| 1228 | schtasks.exe |
| 2500 | schtasks.exe |
| 3712 | schtasks.exe |
| 3576 | schtasks.exe |
| 2024 | schtasks.exe |
| 2272 | schtasks.exe |
| 4580 | schtasks.exe |
| 4072 | schtasks.exe |
| 4856 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: portruntimesvc.exe, upfc.exe, upfc.exe

| pid | process | count |
| --- | --- | --- |
| 3872 | portruntimesvc.exe | 22 |
| 1456 | upfc.exe | 33 |
| 3156 | upfc.exe | 9 |
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes: portruntimesvc.exe, upfc.exe (12 instances)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3872 | portruntimesvc.exe |
| Token: SeDebugPrivilege | 1456 | upfc.exe |
| Token: SeDebugPrivilege | 3156 | upfc.exe |
| Token: SeDebugPrivilege | 4968 | upfc.exe |
| Token: SeDebugPrivilege | 4992 | upfc.exe |
| Token: SeDebugPrivilege | 3112 | upfc.exe |
| Token: SeDebugPrivilege | 3932 | upfc.exe |
| Token: SeDebugPrivilege | 1344 | upfc.exe |
| Token: SeDebugPrivilege | 1288 | upfc.exe |
| Token: SeDebugPrivilege | 5036 | upfc.exe |
| Token: SeDebugPrivilege | 2204 | upfc.exe |
| Token: SeDebugPrivilege | 1416 | upfc.exe |
| Token: SeDebugPrivilege | 3548 | upfc.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes: DCrat.exe, WScript.exe, cmd.exe, portruntimesvc.exe, cmd.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe, WScript.exe, upfc.exe

| description | pid | process | target process | count |
| --- | --- | --- | --- | --- |
| PID 5100 wrote to memory of 2868 | 5100 | DCrat.exe | WScript.exe | 3 |
| PID 5100 wrote to memory of 3048 | 5100 | DCrat.exe | WScript.exe | 3 |
| PID 2868 wrote to memory of 5016 | 2868 | WScript.exe | cmd.exe | 3 |
| PID 5016 wrote to memory of 3872 | 5016 | cmd.exe | portruntimesvc.exe | 2 |
| PID 3872 wrote to memory of 1972 | 3872 | portruntimesvc.exe | cmd.exe | 2 |
| PID 5016 wrote to memory of 2700 | 5016 | cmd.exe | reg.exe | 3 |
| PID 1972 wrote to memory of 4988 | 1972 | cmd.exe | w32tm.exe | 2 |
| PID 1972 wrote to memory of 1456 | 1972 | cmd.exe | upfc.exe | 2 |
| PID 1456 wrote to memory of 2780 | 1456 | upfc.exe | WScript.exe | 2 |
| PID 1456 wrote to memory of 4192 | 1456 | upfc.exe | WScript.exe | 2 |
| PID 2780 wrote to memory of 3156 | 2780 | WScript.exe | upfc.exe | 2 |
| PID 3156 wrote to memory of 388 | 3156 | upfc.exe | WScript.exe | 2 |
| PID 3156 wrote to memory of 4856 | 3156 | upfc.exe | WScript.exe | 2 |
| PID 388 wrote to memory of 4968 | 388 | WScript.exe | upfc.exe | 2 |
| PID 4968 wrote to memory of 644 | 4968 | upfc.exe | WScript.exe | 2 |
| PID 4968 wrote to memory of 544 | 4968 | upfc.exe | WScript.exe | 2 |
| PID 644 wrote to memory of 4992 | 644 | WScript.exe | upfc.exe | 2 |
| PID 4992 wrote to memory of 4888 | 4992 | upfc.exe | WScript.exe | 2 |
| PID 4992 wrote to memory of 4372 | 4992 | upfc.exe | WScript.exe | 2 |
| PID 4888 wrote to memory of 3112 | 4888 | WScript.exe | upfc.exe | 2 |
| PID 3112 wrote to memory of 4188 | 3112 | upfc.exe | WScript.exe | 2 |
| PID 3112 wrote to memory of 1936 | 3112 | upfc.exe | WScript.exe | 2 |
| PID 4188 wrote to memory of 3932 | 4188 | WScript.exe | upfc.exe | 2 |
| PID 3932 wrote to memory of 3184 | 3932 | upfc.exe | WScript.exe | 2 |
| PID 3932 wrote to memory of 1480 | 3932 | upfc.exe | WScript.exe | 2 |
| PID 3184 wrote to memory of 1344 | 3184 | WScript.exe | upfc.exe | 2 |
| PID 1344 wrote to memory of 4588 | 1344 | upfc.exe | WScript.exe | 2 |
| PID 1344 wrote to memory of 1036 | 1344 | upfc.exe | WScript.exe | 2 |
| PID 4588 wrote to memory of 1288 | 4588 | WScript.exe | upfc.exe | 2 |
| PID 1288 wrote to memory of 904 | 1288 | upfc.exe | WScript.exe | 2 |
System policy modification 1 TTPs 39 IoCs
Processes: upfc.exe (12 instances), portruntimesvc.exe

| description | ioc | process | count |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe | 12 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe | 12 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe | 12 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | portruntimesvc.exe | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | portruntimesvc.exe | 1 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\DCrat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DCrat.exe"
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5100

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\bGPSMCCx73WsREqaBZfJC0ze9BBQbq.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 2868

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\HyperSurrogateContaineragentWin\Trh5bm.bat" "
- Suspicious use of WriteProcessMemory
PID: 5016

Depth 4: C:\HyperSurrogateContaineragentWin\portruntimesvc.exe
Command line: "C:\HyperSurrogateContaineragentWin\portruntimesvc.exe"
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3872

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRtY9wpW6j.bat"
- Suspicious use of WriteProcessMemory
PID: 1972

Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4988
Depth 6: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1456

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8d5cb4f-9efc-4f88-87b6-46796977d9b4.vbs"
- Suspicious use of WriteProcessMemory
PID: 2780

Depth 8: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3156

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\120dac9a-9cda-45a1-ba36-042b724843f0.vbs"
- Suspicious use of WriteProcessMemory
PID: 388

Depth 10: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4968

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\318c2959-5c16-4e93-b67c-85286f54088f.vbs"
- Suspicious use of WriteProcessMemory
PID: 644

Depth 12: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4992

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a9744ec-9a5f-4ef9-b4d0-c79b56ffda0e.vbs"
- Suspicious use of WriteProcessMemory
PID: 4888

Depth 14: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3112

Depth 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4edd6f4-7b07-442f-aaa9-a2b55429e04a.vbs"
- Suspicious use of WriteProcessMemory
PID: 4188

Depth 16: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3932

Depth 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1309b9cf-bb51-4126-b68d-1642f6b84afd.vbs"
- Suspicious use of WriteProcessMemory
PID: 3184

Depth 18: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1344

Depth 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8416a4-b30f-45b4-a1a9-83220ff18585.vbs"
- Suspicious use of WriteProcessMemory
PID: 4588

Depth 20: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1288
Depth 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eb132b5-5b5e-469f-a479-f9910b07d596.vbs"
PID: 904

Depth 22: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 5036

Depth 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c689aec-21b4-4296-9f27-ca3a74911f75.vbs"
PID: 4612

Depth 24: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2204

Depth 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a67580c5-5202-47d5-b795-e8e007e87a1b.vbs"
PID: 1800

Depth 26: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1416

Depth 27: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\957de2df-1d09-4cb0-8953-597d3e35ef16.vbs"
PID: 1772

Depth 28: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 3548

Depth 29: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ec65637-3e22-4336-8c1e-1a4a10e6e311.vbs"
PID: 4152

Depth 30: C:\Program Files (x86)\Windows Photo Viewer\upfc.exe
Command line: "C:\Program Files (x86)\Windows Photo Viewer\upfc.exe"
- Executes dropped EXE
PID: 4248

Depth 29: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2019ef24-428d-4bda-9921-b9ebb238ae0e.vbs"
PID: 2640

Depth 27: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\075a22a4-fa72-4aea-a6f0-6916081c91c6.vbs"
PID: 1644

Depth 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\876ec5de-4f5c-47fa-9560-35115f6f981e.vbs"
PID: 1992

Depth 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\789b7756-ecd2-4317-b7c4-8a54cb367d5c.vbs"
PID: 2700

Depth 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f37bb64-582c-4fca-8081-aa4c6fe6eae8.vbs"
PID: 4820

Depth 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7fbfb2a-97c4-4a4d-a4b7-49702ee2c26e.vbs"
PID: 1036

Depth 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72049e0b-b7a3-4e7f-bf7c-159ee1bbebc6.vbs"
PID: 1480

Depth 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76619d05-4f98-407f-afb8-6d6247569d14.vbs"
PID: 1936

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f1e476-88f3-4039-bead-8cb9568a9f36.vbs"
PID: 4372

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b7f5bb4-2b9c-4846-ad71-354a18b5b1f8.vbs"
PID: 544

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a516a436-2875-4b50-8f15-76f5198c5114.vbs"
PID: 4856

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be32ed3-3b83-4c03-b1ca-71e8281ba38a.vbs"
PID: 4192

Depth 4: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
PID: 2700

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\file.vbs"
PID: 3048
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\HyperSurrogateContaineragentWin\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\HyperSurrogateContaineragentWin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\HyperSurrogateContaineragentWin\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\HyperSurrogateContaineragentWin\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\CbsTemp\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\taskhostw.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\taskhostw.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Downloads