Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 23:49
Behavioral task
behavioral1
Sample
ОКУРАТНО.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ОКУРАТНО.exe
Resource
win10v2004-20240709-en
General
-
Target
ОКУРАТНО.exe
-
Size
2.0MB
-
MD5
843aaea3f9fcd5d05ff2561ee611880c
-
SHA1
e8cd96e2933414c3d70d9db4a7014835cfa1bd10
-
SHA256
94bd0998c7505445e3f74a8d902e4e768adc6304e0135075d0d856eae7c37ab1
-
SHA512
cbed538d4521b58310700c6b439be87233c2f7035ac9e6edbdb177fad665fa379b8a8d0532ad2a68c4b554108d205a1209c02074b47a9ab16683b68be7f44f5d
-
SSDEEP
24576:52G/nvxW3WHj0PhetvJ2pv6zvifbzgs4dGnO1F4R8rDX6ZrnHkBseAa+KMYoI:5bA3ZUo6buPaARUDInHkBHEY
Malware Config
Signatures
-
DcRat 41 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeОКУРАТНО.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeHypercommon.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4276 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation ОКУРАТНО.exe 3492 schtasks.exe 4364 schtasks.exe 2680 schtasks.exe 3732 schtasks.exe 5020 schtasks.exe 3876 schtasks.exe 2988 schtasks.exe 1940 schtasks.exe 4212 schtasks.exe 2360 schtasks.exe 432 schtasks.exe 1892 schtasks.exe 1468 schtasks.exe 1736 schtasks.exe 60 schtasks.exe 1372 schtasks.exe 3460 schtasks.exe 3172 schtasks.exe 4964 schtasks.exe 4764 schtasks.exe 4900 schtasks.exe 2352 schtasks.exe 4220 schtasks.exe 4736 schtasks.exe 3616 schtasks.exe 3456 schtasks.exe 2656 schtasks.exe 3056 schtasks.exe File created C:\Program Files\7-Zip\7a0fd90576e088 Hypercommon.exe 2496 schtasks.exe 1992 schtasks.exe 4480 schtasks.exe 412 schtasks.exe 32 schtasks.exe 2012 schtasks.exe 3996 schtasks.exe 4680 schtasks.exe 5088 schtasks.exe 1604 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 13 IoCs
Processes:
Hypercommon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" Hypercommon.exe -
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3492 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1468 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4736 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3996 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4680 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4764 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2496 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 412 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4212 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 432 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 32 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4276 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1372 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3732 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3616 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3456 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4220 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3876 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3172 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 60 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 3976 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 3976 schtasks.exe -
Processes:
lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exeHypercommon.exelsass.exelsass.exelsass.exelsass.exelsass.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe dcrat behavioral2/memory/3736-14-0x0000000000400000-0x0000000000611000-memory.dmp dcrat C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe dcrat behavioral2/memory/1292-29-0x0000000000420000-0x0000000000590000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 22 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exeHypercommon.exelsass.exeОКУРАТНО.exeWScript.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exeNursultanCrack.exelsass.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation Hypercommon.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation ОКУРАТНО.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation NursultanCrack.exe Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation lsass.exe -
Executes dropped EXE 21 IoCs
Processes:
NursultanCrack.exeCrackLauncher.exeHypercommon.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exepid process 2624 NursultanCrack.exe 1204 CrackLauncher.exe 1292 Hypercommon.exe 3336 lsass.exe 1852 lsass.exe 5352 lsass.exe 5236 lsass.exe 2688 lsass.exe 4028 lsass.exe 5768 lsass.exe 6108 lsass.exe 4816 lsass.exe 5656 lsass.exe 5588 lsass.exe 2340 lsass.exe 1236 lsass.exe 5424 lsass.exe 4864 lsass.exe 5236 lsass.exe 5036 lsass.exe 5044 lsass.exe -
Adds Run key to start application 2 TTPs 26 IoCs
Processes:
Hypercommon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\"" Hypercommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" Hypercommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" Hypercommon.exe -
Processes:
lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exeHypercommon.exelsass.exelsass.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hypercommon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 13 IoCs
Processes:
Hypercommon.exedescription ioc process File created C:\Program Files (x86)\Windows Sidebar\sihost.exe Hypercommon.exe File created C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe Hypercommon.exe File created C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7 Hypercommon.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e Hypercommon.exe File opened for modification C:\Program Files\7-Zip\explorer.exe Hypercommon.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe Hypercommon.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe Hypercommon.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\7a8b3f7b9ee9a7 Hypercommon.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\5b884080fd4f94 Hypercommon.exe File created C:\Program Files (x86)\Windows Sidebar\66fc9ff0ee96c2 Hypercommon.exe File created C:\Program Files\7-Zip\explorer.exe Hypercommon.exe File created C:\Program Files\7-Zip\7a0fd90576e088 Hypercommon.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe Hypercommon.exe -
Drops file in Windows directory 2 IoCs
Processes:
Hypercommon.exedescription ioc process File created C:\Windows\tracing\WaaSMedicAgent.exe Hypercommon.exe File created C:\Windows\tracing\c82b8037eab33d Hypercommon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 28 IoCs
Processes:
lsass.exeCrackLauncher.exelsass.exelsass.exelsass.exelsass.exeNursultanCrack.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open\command CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347 CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\DefaultIcon CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings NursultanCrack.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\URL Protocol CrackLauncher.exe Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" CrackLauncher.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings lsass.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2680 schtasks.exe 2656 schtasks.exe 3460 schtasks.exe 1940 schtasks.exe 1736 schtasks.exe 4220 schtasks.exe 2352 schtasks.exe 3616 schtasks.exe 3456 schtasks.exe 2012 schtasks.exe 3876 schtasks.exe 2988 schtasks.exe 3996 schtasks.exe 1892 schtasks.exe 1992 schtasks.exe 5088 schtasks.exe 4364 schtasks.exe 60 schtasks.exe 4964 schtasks.exe 3492 schtasks.exe 1468 schtasks.exe 4736 schtasks.exe 4480 schtasks.exe 1604 schtasks.exe 4900 schtasks.exe 432 schtasks.exe 32 schtasks.exe 3732 schtasks.exe 4680 schtasks.exe 3056 schtasks.exe 2360 schtasks.exe 2496 schtasks.exe 412 schtasks.exe 4212 schtasks.exe 1372 schtasks.exe 5020 schtasks.exe 4764 schtasks.exe 4276 schtasks.exe 3172 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
Processes:
Hypercommon.exelsass.exelsass.exemsedge.exemsedge.exemsedge.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exepid process 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 1292 Hypercommon.exe 3336 lsass.exe 1852 lsass.exe 628 msedge.exe 628 msedge.exe 4944 msedge.exe 4944 msedge.exe 4652 msedge.exe 4652 msedge.exe 5352 lsass.exe 5352 lsass.exe 5236 lsass.exe 5236 lsass.exe 2688 lsass.exe 2688 lsass.exe 4028 lsass.exe 4028 lsass.exe 5768 lsass.exe 5768 lsass.exe 6108 lsass.exe 6108 lsass.exe 4816 lsass.exe 4816 lsass.exe 5656 lsass.exe 5656 lsass.exe 5588 lsass.exe 5588 lsass.exe 2340 lsass.exe 2340 lsass.exe 1236 lsass.exe 1236 lsass.exe 5424 lsass.exe 5424 lsass.exe 4864 lsass.exe 4864 lsass.exe 5236 lsass.exe 5236 lsass.exe 5036 lsass.exe 5036 lsass.exe 5044 lsass.exe 5044 lsass.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exepid process 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
Hypercommon.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exedescription pid process Token: SeDebugPrivilege 1292 Hypercommon.exe Token: SeDebugPrivilege 3336 lsass.exe Token: SeDebugPrivilege 1852 lsass.exe Token: SeDebugPrivilege 5352 lsass.exe Token: SeDebugPrivilege 5236 lsass.exe Token: SeDebugPrivilege 2688 lsass.exe Token: SeDebugPrivilege 4028 lsass.exe Token: SeDebugPrivilege 5768 lsass.exe Token: SeDebugPrivilege 6108 lsass.exe Token: SeDebugPrivilege 4816 lsass.exe Token: SeDebugPrivilege 5656 lsass.exe Token: SeDebugPrivilege 5588 lsass.exe Token: SeDebugPrivilege 2340 lsass.exe Token: SeDebugPrivilege 1236 lsass.exe Token: SeDebugPrivilege 5424 lsass.exe Token: SeDebugPrivilege 4864 lsass.exe Token: SeDebugPrivilege 5236 lsass.exe Token: SeDebugPrivilege 5036 lsass.exe Token: SeDebugPrivilege 5044 lsass.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
msedge.exepid process 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe 4944 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ОКУРАТНО.exeCrackLauncher.exeNursultanCrack.exeWScript.execmd.exeHypercommon.exelsass.exeWScript.exelsass.exemsedge.exemsedge.exedescription pid process target process PID 3736 wrote to memory of 2624 3736 ОКУРАТНО.exe NursultanCrack.exe PID 3736 wrote to memory of 2624 3736 ОКУРАТНО.exe NursultanCrack.exe PID 3736 wrote to memory of 2624 3736 ОКУРАТНО.exe NursultanCrack.exe PID 3736 wrote to memory of 1204 3736 ОКУРАТНО.exe CrackLauncher.exe PID 3736 wrote to memory of 1204 3736 ОКУРАТНО.exe CrackLauncher.exe PID 1204 wrote to memory of 228 1204 CrackLauncher.exe cmd.exe PID 1204 wrote to memory of 228 1204 CrackLauncher.exe cmd.exe PID 2624 wrote to memory of 1396 2624 NursultanCrack.exe WScript.exe PID 2624 wrote to memory of 1396 2624 NursultanCrack.exe WScript.exe PID 2624 wrote to memory of 1396 2624 NursultanCrack.exe WScript.exe PID 1396 wrote to memory of 2688 1396 WScript.exe cmd.exe PID 1396 wrote to memory of 2688 1396 WScript.exe cmd.exe PID 1396 wrote to memory of 2688 1396 WScript.exe cmd.exe PID 2688 wrote to memory of 1292 2688 cmd.exe Hypercommon.exe PID 2688 wrote to memory of 1292 2688 cmd.exe Hypercommon.exe PID 1292 wrote to memory of 3336 1292 Hypercommon.exe lsass.exe PID 1292 wrote to memory of 3336 1292 Hypercommon.exe lsass.exe PID 3336 wrote to memory of 4664 3336 lsass.exe WScript.exe PID 3336 wrote to memory of 4664 3336 lsass.exe WScript.exe PID 3336 wrote to memory of 5040 3336 lsass.exe WScript.exe PID 3336 wrote to memory of 5040 3336 lsass.exe WScript.exe PID 4664 wrote to memory of 1852 4664 WScript.exe lsass.exe PID 4664 wrote to memory of 1852 4664 WScript.exe lsass.exe PID 1852 wrote to memory of 668 1852 lsass.exe WScript.exe PID 1852 wrote to memory of 668 1852 lsass.exe WScript.exe PID 1852 wrote to memory of 4720 1852 lsass.exe WScript.exe PID 1852 wrote to memory of 4720 1852 lsass.exe WScript.exe PID 1204 wrote to memory of 3616 1204 CrackLauncher.exe cmd.exe PID 1204 wrote to memory of 3616 1204 CrackLauncher.exe cmd.exe PID 1204 wrote to memory of 4944 1204 CrackLauncher.exe msedge.exe PID 1204 wrote to memory of 4944 1204 CrackLauncher.exe msedge.exe PID 4944 wrote to memory of 4704 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 4704 4944 msedge.exe msedge.exe PID 1204 wrote to memory of 2836 1204 CrackLauncher.exe msedge.exe PID 1204 wrote to memory of 2836 1204 CrackLauncher.exe msedge.exe PID 2836 wrote to memory of 4612 2836 msedge.exe msedge.exe PID 2836 wrote to memory of 4612 2836 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe PID 4944 wrote to memory of 716 4944 msedge.exe msedge.exe -
System policy modification 1 TTPs 57 IoCs
Processes:
lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exeHypercommon.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Hypercommon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"5⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1292 -
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3336 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\094b527f-5d0f-41b7-9486-4243c02494c7.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8109e7f3-5c87-446a-92b5-d6daf6f4ef28.vbs"9⤵PID:668
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5352 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a00419e0-caa7-4665-be15-309076d59d38.vbs"11⤵PID:5596
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5236 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b50e0ce-f352-4061-bdf0-edfe3ce957b1.vbs"13⤵PID:5616
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2688 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a44d63-064b-430c-84b0-7de77a94f036.vbs"15⤵PID:1556
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4028 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b6013e-5a51-4d69-a45d-9302721bb3ca.vbs"17⤵PID:5476
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5768 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c286f5ed-a3a6-4e03-b077-15bc52a4c172.vbs"19⤵PID:5972
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:6108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d5fa3e1-d27b-4a6d-b60d-6b44f6892750.vbs"21⤵PID:4984
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4816 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d281f2-dc2d-4ea7-ba8d-b7308c6e97b5.vbs"23⤵PID:2704
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5656 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e5a249-66ac-48ce-8cdf-0ac071b61759.vbs"25⤵PID:1572
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5588 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c2f67a6-93cf-4d58-a065-471e29104847.vbs"27⤵PID:5504
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2340 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a984a861-15b5-4e28-ab1c-3d0f7b93d84a.vbs"29⤵PID:5844
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1236 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f279707-4164-498a-bca3-fe719c612dd6.vbs"31⤵PID:5020
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"32⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6594f0c-c27e-4dca-b9f8-236d5dd50918.vbs"33⤵PID:3100
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"34⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4864 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f6415f1-521c-4f4c-b5fc-6beed88cf1fd.vbs"35⤵PID:2848
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"36⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5236 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e5f140-b73e-40ec-ac5c-7c16e79d2b65.vbs"37⤵PID:4968
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"38⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc76acfa-7a30-42f6-8513-5cf33ef5cb23.vbs"39⤵PID:2340
-
C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"40⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\577a0707-2ed0-4256-a80c-f8e56b682ff7.vbs"41⤵PID:5948
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30cb9fef-89a3-41bd-835a-d6443da98827.vbs"41⤵PID:5996
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0900029-1a6f-4bf3-9f22-9b382f321d5a.vbs"39⤵PID:4920
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e539fab4-8fa0-408f-88c9-e4077f5f5ba3.vbs"37⤵PID:2388
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e680a61-0f34-4bff-8aac-19113cf69a9c.vbs"35⤵PID:5612
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18e09da9-21b3-4cb0-97ed-f8fad841626b.vbs"33⤵PID:4988
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d31783a-1f46-436a-b6e4-9bbbd31b39fc.vbs"31⤵PID:5728
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f495cc43-755e-4edd-987c-9ad41ac167b9.vbs"29⤵PID:2040
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac602450-47af-4617-b78f-b516a07c0576.vbs"27⤵PID:4332
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\752ddcb7-f088-4161-a8e5-ec0907154059.vbs"25⤵PID:3196
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0799878b-ae25-4c51-a3d1-4ba225c23ef0.vbs"23⤵PID:5164
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b2fe7b-09cc-4e81-9b26-776240937476.vbs"21⤵PID:5216
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f4e98de-bc38-4198-9bca-1ca5964ee849.vbs"19⤵PID:6052
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d677e6-ec59-4590-8ee8-44cf4b3ecd8a.vbs"17⤵PID:5332
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1436ff0-1b6f-45c7-b4b6-345efa84879e.vbs"15⤵PID:4220
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\389c61c7-dd41-4a98-834c-7ca749b3f86b.vbs"13⤵PID:5712
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0af3d330-4a8d-4780-9fad-da2fe70c23fc.vbs"11⤵PID:5644
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b21812e-1b81-4ce6-8d89-11091d42f095.vbs"9⤵PID:4720
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcc912dc-efe5-4edf-a025-2cb2a9e36a48.vbs"7⤵PID:5040
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDxDej44bY3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90d5546f8,0x7ff90d554708,0x7ff90d5547184⤵PID:4704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:24⤵PID:716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:84⤵PID:3632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:14⤵PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:14⤵PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:14⤵PID:1876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:14⤵PID:5448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:14⤵PID:5496
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/sk3d_club3⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff90d5546f8,0x7ff90d554708,0x7ff90d5547184⤵PID:4612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14240757729148080218,1022807100950769410,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:24⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14240757729148080218,1022807100950769410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4652
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5144
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5244
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59b0256da3bf9a5303141361b3da59823
SHA1d73f34951777136c444eb2c98394f62912ebcdac
SHA25696cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA5129f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164
-
Filesize
152B
MD5b28ef7d9f6d74f055cc49876767c886c
SHA1d6b3267f36c340979f8fc3e012fdd02c468740bf
SHA256fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37
SHA512491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75
-
Filesize
152B
MD5584971c8ba88c824fd51a05dddb45a98
SHA1b7c9489b4427652a9cdd754d1c1b6ac4034be421
SHA256e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307
SHA5125dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD512cd6f173a1322e52cc3dc0b5d058405
SHA17af0a48047ad8dd7b135dad3c526e7ccc68eea0b
SHA25657e89cb2a66f7a569a3db6b1863f6f1173aa3fd4bd6a5dca7f3ff5a0786aeb19
SHA512f1d79ea14ca82bebb1402d7f3f79f54aa4b5b36b1a90101c1da0fbc00f1bf2bb7b201cc5ddad642623fab6a8ab988e1fbe822cb55309cc26a4a04755c257ca7d
-
Filesize
579B
MD50d78c00d11690c5b6a913c9a2480505c
SHA1def440ffcc48f6bd1f4a3f004c1b1ddca11946a7
SHA256a93adc0980d4d09a01acf1014a527133cc9e72594abd75c4d744a6f22d755050
SHA512290a1836557fe4a4623cc1283cb2b31c4c415b141126cfa9d61b3675d5ec11c7bf41af94fc62f9365000971e76ff08bc1262fb977a2556c7ea972c497319f618
-
Filesize
5KB
MD5ad393b64aa1fc18bf11397a7dee86dbc
SHA1c317fb5153dc4820684cb08505fd4b933c5d0e47
SHA256753a56500b8cb327735610226de661927c9f61cd8ecdf5e8a8528e6263e28997
SHA512c98f8366db9dce0683d2179f58eb6f42b114be0c5c81ecd739d3a7a6915f512e998f7a8de3e7e8c2d5ce1d1f7d50889acba3e8c057d910410e564428ce51d0a4
-
Filesize
7KB
MD5aaf55d493ed6c5ff5906a512fb174f22
SHA142fd4644f09c3b6eccfed5dc5867f97664d33073
SHA2566e5a8e170ff237cd22bc256b01001df81bfefc2ec1f8f26dbf95bbe3c8474bfc
SHA5127c8f4d0eabebb0386518c883d3c3d34ddd25f6ff67d80a2be90ba604314de1f638540cda3c3dd76a49f530ecadf7e400ae5525e63c0900b5831ef4e14aed9a40
-
Filesize
8KB
MD594299eb6adaa0e6bd8caf7174a0acf9e
SHA11074fd9e04327cf71a17abd9d43e87941d124dae
SHA2569c7b54eb0a6e8793eb9071a9645c0a9148556916dc895a295b1843ff5611db76
SHA512802e824356f02c689dec9499419652fc63bc9d54b2a6f07b7f0208e2e50ec78aa61c9c0c5ec4c571a2fbbde1ba3bddba3e1bbbf335b6fd4ea9ec8dbabf897a6b
-
Filesize
11KB
MD502163e9897e751328db8a0f58f28c30e
SHA108585252450fed177d552db9443efcfadd0cb070
SHA256046de3e7837fd0dc4b35faf77541a6f5e900651f17345ab9e2ca8a084da118d2
SHA51203b2034c8fb991a767cb04aec32817d4d0628ec64ddc34e50ebb22fce6703d2303951f389229cd83289946584c07a18cead23764b2263f6e80bbb9521c0203ab
-
Filesize
736B
MD5388d53e0ccf7aae8e7be08c4714e2942
SHA1ab43c14d581c507c85b8d13d5748ab44f8ccd2a1
SHA25611f9a34fd305b43a0a32650a77b674053e2dd5465e315efb960b3b5735b97609
SHA5128d556b56355bc340ced88cf075378f3bfe2b5fed164dbc777c6c1afccb3ce373ef7fc1711069ac3e564845dde3590016cadf96d3b5e817d240a5b5169ea39123
-
Filesize
736B
MD50d175e104c7020ad74d43e0b458b13b9
SHA10d9c402666caef1851ea2542fae7864df503150b
SHA25605d0c70bfb7c17bbebcfc9edcf843ea2f18479fb5ad4d1e98e2075a104648cdc
SHA512ff177b6384742c1df7ffd338af93357290069421ae4d2be65df91bc3051df24718fa20cef2396a2b57322a877401271ba6765a16f69fe91b931a20ddc9d796ba
-
Filesize
736B
MD573509bc7df30be31bc2edd7abae6430b
SHA1b1162049bfc13380a620d7cd9132db53b24f70e2
SHA2561d93417d4fe87e9b3247616c4a4ce66a7a81f055c2c87469871f5079ace819dd
SHA512cb476f753aca1c1b484109e7748630c7de61ca88c2a3d09fe33f64d1c55fec4c9714a856869da1404502bc35f041baf754409e7fdf5234c6ae747f3768e8cfd8
-
Filesize
736B
MD57dd01e4bbc530c52e2c66f18c6f6bb5b
SHA178c3fc0e36b94e68f34863b9961d6a4dbef3b56f
SHA2561f2a8124db0f93a329fa9610dbe9a29b92212ec823d86dc1304ac8da2d022347
SHA5123b9dedd95ed8d2dc969cc51a1f4c10c01b08517b497d777e7ac1d5ea05a2eccf36ab391c114f4c9ab42e40c97dea12c718feb9b7caedf03300c4dc10fd16f2a0
-
Filesize
736B
MD58cec536b7753ee6bac6f5a85988febae
SHA168f9e7891dee620650f30ff8de0c592e599bc6e4
SHA256401f842b129278128fba24800643bd29affd104e99e36470556b94f626bf24ec
SHA512c42c94b744afb00fad8f0a1d18126be19b180e030a828f770510e4ddaa8f79cf8bc1dd1d382879fdbd5103301e26c6778f8f67c6a28fc06ba60b6842c01aa24c
-
Filesize
736B
MD58975719adf9eaeee7d680608986e9c6e
SHA11491f790a0a9932726a247de12ff5d483818b6a2
SHA256995422b3ba1387e9cc7e6514ee6d54d5f09d1b72c7acedfd61779e13159d24b2
SHA512cfe7b501d9d120ef1e98e5848a1577cb491d58d6e17a817ae157235ea0f5af5a555888b1e74856110cf7b1db91d953025b7e47f515799cccbc3ceb4976fec3fa
-
Filesize
736B
MD51998c0d24c60f6a579f60ea9acd4bb50
SHA1be002a1824b313a0a2549178853809057b930d0b
SHA256ae083c96e8f3fe3d51d3def2135143eb4283905a53314b24096047827af1edff
SHA512cd46a462b021055928641e7402626af0b82e35ea439c07a8c7338b0c252ef8efffbc67f4e663cca059cfab83f4efdfb988c03e4f7ffddb43ed6ced3c7aaec359
-
Filesize
102KB
MD5c137c5f5287d73a94d55bc18df238303
SHA195b4b01775bea14feaaa462c98d969eb81696d2c
SHA256d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5
-
Filesize
1.9MB
MD59c49f8ab036331a19ab63f9aff82db38
SHA1a27f11d48f1428b8efb5384f779f355271cc8877
SHA256c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
SHA5122a61a2bf0bfff8c84f2ba5065b87563edd36b4a8ab34e2354f01e46a9ab7d19677cda9b686f95598921de7c2480da53a5e76965f01733e875033208adf9bfecd
-
Filesize
736B
MD5969410f61cbc803ec328f44f4ca60d75
SHA125d5c2393bac72f20137965e9df8fe2340e41fca
SHA25644ae4be2b6b06545dd2fafa4f7ee845379b13b11e9a36f26fc63ae2a75beb3cf
SHA51278419baedba13615802d0c2857d1113ff50531a2203ce14142c23008159b8210693137708a4c16f3359be5901a2f232bf3aca144660aa098503f20127fb016fc
-
Filesize
736B
MD56a94e1c5738516fc339c9e99c32e4748
SHA1f3d3505cded22e1906c5abc79b6c7414721dc34c
SHA25688c98dc40423c01f4cddaa75d247ec4a591c282d644942ba2bceb9c415828f8e
SHA51275b9e4fede60f4cea571b0bd0325e2154da30726773a759dff49bb7e78df5ac5acd5189573ffbe09d8a518b7e760de8d48d1952034b498199a4ce61c70dcd52a
-
Filesize
512B
MD54762bdb1382dc19c0a833a87b1e8ba5e
SHA1569605c96c22c58738da45420908bf8b53b4f4d1
SHA25689723100ff107034b4048265beaf47d29d2c1e34b942039bbb72bcb188186431
SHA512b56f9be97644019cb2d9f50ba7d02c1ac39862673c82b71bfb605a05b3ab7cdb4a205ce3e3fc43c4933bdbef948326c356f5732d397927345a4e00d5e99917e1
-
Filesize
736B
MD52cae103a5e17b06237da28768185bd83
SHA1ff7fb761c8a275a9066f5da441590c0a59f46be0
SHA256f71d15af1390843f34278a22c9bfc595f994f9ab56d2b1c891e898cebcc56907
SHA5124c7736985d5935ac9e277915ffed91acd614896c75489a0560b9b63468fb81ffeb93a1cdf4eabe70277393a8c0c15d24ed9c182afde91f851ee92577c73c0909
-
Filesize
38B
MD56c77726beb17fe13c44cbc3312d1ca54
SHA1919076735be5e1c6c9d077b12beadce4470c7bb2
SHA256e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
SHA5125089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4
-
Filesize
1.4MB
MD5f1ca585436d62720be1c8d7f24fb773f
SHA13687e578f150e45aa5194f9c485b221459f0f454
SHA256dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
SHA5129e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc
-
Filesize
209B
MD52febca5513bbb1d2fb14b29bd4998314
SHA15fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
SHA256d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
SHA51260a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e