Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10d80fa7b3ff...ce.exe
windows7-x64
10d80fa7b3ff...ce.exe
windows10-2004-x64
10d80fa7b3ff...ce.exe
android-9-x86
d80fa7b3ff...ce.exe
android-10-x64
d80fa7b3ff...ce.exe
android-11-x64
d80fa7b3ff...ce.exe
macos-10.15-amd64
d80fa7b3ff...ce.exe
ubuntu-18.04-amd64
d80fa7b3ff...ce.exe
debian-9-armhf
d80fa7b3ff...ce.exe
debian-9-mips
d80fa7b3ff...ce.exe
debian-9-mipsel
Analysis
-
max time kernel
891s -
max time network
428s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2025, 04:00
Behavioral task
behavioral1
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral4
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
android-x64-20240910-en
Behavioral task
behavioral5
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
android-x64-arm64-20240910-en
Behavioral task
behavioral6
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
macos-20241106-en
Behavioral task
behavioral7
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral8
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral9
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral10
Sample
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Resource
debian9-mipsel-20240611-en
General
-
Target
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
-
Size
984KB
-
MD5
808d571c621732642832aaca4a519717
-
SHA1
cf71f6fc8f7ad0d691cf899928296be33ed46e49
-
SHA256
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce
-
SHA512
f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88
-
SSDEEP
12288:syEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo+:syErYT+PvXIUln/1GJgo+
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 2736 schtasks.exe 4184 schtasks.exe 3436 schtasks.exe 1788 schtasks.exe 3092 schtasks.exe 1164 schtasks.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\886983d96e3d3e d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3540 schtasks.exe 4224 schtasks.exe File created C:\Program Files\Windows Media Player\Network Sharing\0a1fd5f707cd16 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3304 schtasks.exe 4332 schtasks.exe 4412 schtasks.exe 3540 schtasks.exe 3788 schtasks.exe 1996 schtasks.exe File created C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3572 schtasks.exe File created C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3520 schtasks.exe File created C:\Program Files\Internet Explorer\SIGNUP\0a1fd5f707cd16 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 1208 schtasks.exe 3460 schtasks.exe 4232 schtasks.exe 4280 schtasks.exe 1888 schtasks.exe 228 schtasks.exe 3932 schtasks.exe 1436 schtasks.exe File created C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 2500 schtasks.exe 712 schtasks.exe 436 schtasks.exe 820 schtasks.exe 2780 schtasks.exe 3180 schtasks.exe 4952 schtasks.exe 3432 schtasks.exe 2128 schtasks.exe 1584 schtasks.exe 4156 schtasks.exe 3496 schtasks.exe 1576 schtasks.exe 4088 schtasks.exe 4836 schtasks.exe 4680 schtasks.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\6ccacd8608530f d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3012 schtasks.exe 3476 schtasks.exe 4160 schtasks.exe 4872 schtasks.exe 1552 schtasks.exe 3972 schtasks.exe 4132 schtasks.exe 2560 schtasks.exe 3300 schtasks.exe 4100 schtasks.exe 2492 schtasks.exe 2812 schtasks.exe 3488 schtasks.exe File created C:\Windows\PolicyDefinitions\uk-UA\6cb0b6c459d5d3 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3056 schtasks.exe 3672 schtasks.exe -
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4156 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1888 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3476 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3432 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4132 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4100 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3932 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3672 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 712 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3520 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1208 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4680 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3092 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4412 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3572 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4332 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3556 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3300 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4160 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1164 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4088 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3304 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3788 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4280 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 436 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 820 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2736 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4836 2628 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 228 2628 schtasks.exe 83 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe -
resource yara_rule behavioral2/memory/3568-1-0x00000000004C0000-0x00000000005BC000-memory.dmp dcrat behavioral2/files/0x000a000000023b75-25.dat dcrat behavioral2/files/0x000d000000023bba-94.dat dcrat behavioral2/files/0x000d000000023b71-118.dat dcrat behavioral2/files/0x000a000000023bbc-153.dat dcrat behavioral2/files/0x000c000000023bbd-209.dat dcrat behavioral2/memory/424-499-0x0000000000BD0000-0x0000000000CCC000-memory.dmp dcrat behavioral2/memory/4744-510-0x00000000003E0000-0x00000000004DC000-memory.dmp dcrat behavioral2/files/0x000b000000023bbb-511.dat dcrat behavioral2/files/0x000b000000023b8c-519.dat dcrat behavioral2/memory/1216-521-0x0000000000110000-0x000000000020C000-memory.dmp dcrat behavioral2/memory/4268-530-0x0000000000510000-0x000000000060C000-memory.dmp dcrat behavioral2/files/0x000c000000023b75-546.dat dcrat behavioral2/memory/2200-548-0x0000000000580000-0x000000000067C000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4884 powershell.exe 2420 powershell.exe 4464 powershell.exe 2420 powershell.exe 1896 powershell.exe 4896 powershell.exe 2460 powershell.exe 2684 powershell.exe 1776 powershell.exe 2800 powershell.exe 1556 powershell.exe 4680 powershell.exe 4436 powershell.exe 1844 powershell.exe 3784 powershell.exe 4132 powershell.exe 4952 powershell.exe 3460 powershell.exe 4268 powershell.exe 4252 powershell.exe 4812 powershell.exe 1608 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe -
Executes dropped EXE 21 IoCs
pid Process 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 1584 wininit.exe 424 sihost.exe 3948 Idle.exe 1896 lsass.exe 1816 unsecapp.exe 4744 System.exe 3740 Registry.exe 3468 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 1444 sihost.exe 1216 sppsvc.exe 564 winlogon.exe 1116 explorer.exe 4268 dwm.exe 2868 Idle.exe 2552 wininit.exe 2812 csrss.exe 3040 dllhost.exe 2904 sysmon.exe 2200 taskhostw.exe 3544 sihost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sihost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sihost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA System.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostw.exe -
Drops file in Program Files directory 41 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Internet Explorer\SIGNUP\0a1fd5f707cd16 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\RCXC4B9.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB411.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\RCXC4A8.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\886983d96e3d3e d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXBD01.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Portable Devices\RCXC206.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\RCXCBE3.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Portable Devices\taskhostw.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC74B.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Windows Portable Devices\taskhostw.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Windows Media Player\Network Sharing\0a1fd5f707cd16 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXBD02.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\RCXD06A.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB410.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\Registry.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC6CD.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\WindowsPowerShell\explorer.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Windows Portable Devices\Registry.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\RCXCB65.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Crashpad\reports\wininit.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Crashpad\reports\wininit.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\WindowsPowerShell\explorer.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\WindowsPowerShell\7a0fd90576e088 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\6ccacd8608530f d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files\Windows Portable Devices\RCXC284.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\RCXD06B.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Program Files\Crashpad\reports\56085415360792 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\Prefetch\ReadyBoot\dwm.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\PolicyDefinitions\uk-UA\dwm.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\PolicyDefinitions\uk-UA\6cb0b6c459d5d3 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\WinSxS\amd64_dc1-controller.inf.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_523ea2d8b406baa8\explorer.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\PolicyDefinitions\uk-UA\RCXC001.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\rescache\_merged\4245263321\System.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\Prefetch\ReadyBoot\RCXBA4F.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\en-US\121e5b5079f7c0 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\PolicyDefinitions\uk-UA\dwm.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\en-US\sysmon.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\en-US\sysmon.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File created C:\Windows\Prefetch\ReadyBoot\dwm.exe d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\Prefetch\ReadyBoot\RCXBACD.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe File opened for modification C:\Windows\PolicyDefinitions\uk-UA\RCXBF83.tmp d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4412 schtasks.exe 4680 schtasks.exe 3460 schtasks.exe 3304 schtasks.exe 1788 schtasks.exe 4280 schtasks.exe 3432 schtasks.exe 4132 schtasks.exe 3932 schtasks.exe 4224 schtasks.exe 4184 schtasks.exe 712 schtasks.exe 4332 schtasks.exe 3300 schtasks.exe 1164 schtasks.exe 820 schtasks.exe 4156 schtasks.exe 1576 schtasks.exe 3092 schtasks.exe 4232 schtasks.exe 1552 schtasks.exe 1208 schtasks.exe 4872 schtasks.exe 2736 schtasks.exe 2500 schtasks.exe 2492 schtasks.exe 3572 schtasks.exe 1536 schtasks.exe 4836 schtasks.exe 228 schtasks.exe 1888 schtasks.exe 3476 schtasks.exe 3972 schtasks.exe 2812 schtasks.exe 4088 schtasks.exe 436 schtasks.exe 3436 schtasks.exe 4100 schtasks.exe 3672 schtasks.exe 3496 schtasks.exe 2560 schtasks.exe 3488 schtasks.exe 4160 schtasks.exe 1584 schtasks.exe 3056 schtasks.exe 3788 schtasks.exe 3540 schtasks.exe 1996 schtasks.exe 4952 schtasks.exe 2128 schtasks.exe 3012 schtasks.exe 3180 schtasks.exe 3556 schtasks.exe 3540 schtasks.exe 2780 schtasks.exe 3520 schtasks.exe 1436 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 4268 powershell.exe 4268 powershell.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 4884 powershell.exe Token: SeDebugPrivilege 4896 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 2684 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeDebugPrivilege 1844 powershell.exe Token: SeDebugPrivilege 2460 powershell.exe Token: SeDebugPrivilege 4436 powershell.exe Token: SeDebugPrivilege 3784 powershell.exe Token: SeDebugPrivilege 1896 powershell.exe Token: SeDebugPrivilege 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Token: SeDebugPrivilege 1608 powershell.exe Token: SeDebugPrivilege 4132 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 4952 powershell.exe Token: SeDebugPrivilege 4812 powershell.exe Token: SeDebugPrivilege 3460 powershell.exe Token: SeDebugPrivilege 1776 powershell.exe Token: SeDebugPrivilege 1584 wininit.exe Token: SeDebugPrivilege 424 sihost.exe Token: SeDebugPrivilege 1896 lsass.exe Token: SeDebugPrivilege 1816 unsecapp.exe Token: SeDebugPrivilege 4744 System.exe Token: SeDebugPrivilege 3740 Registry.exe Token: SeDebugPrivilege 3468 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Token: SeDebugPrivilege 1444 sihost.exe Token: SeDebugPrivilege 1216 sppsvc.exe Token: SeDebugPrivilege 564 winlogon.exe Token: SeDebugPrivilege 1116 explorer.exe Token: SeDebugPrivilege 4268 dwm.exe Token: SeDebugPrivilege 2868 Idle.exe Token: SeDebugPrivilege 2552 wininit.exe Token: SeDebugPrivilege 2812 csrss.exe Token: SeDebugPrivilege 3040 dllhost.exe Token: SeDebugPrivilege 2904 sysmon.exe Token: SeDebugPrivilege 2200 taskhostw.exe Token: SeDebugPrivilege 3544 sihost.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 3568 wrote to memory of 4268 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 133 PID 3568 wrote to memory of 4268 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 133 PID 3568 wrote to memory of 4884 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 134 PID 3568 wrote to memory of 4884 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 134 PID 3568 wrote to memory of 2420 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 135 PID 3568 wrote to memory of 2420 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 135 PID 3568 wrote to memory of 1896 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 136 PID 3568 wrote to memory of 1896 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 136 PID 3568 wrote to memory of 4436 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 137 PID 3568 wrote to memory of 4436 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 137 PID 3568 wrote to memory of 4896 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 138 PID 3568 wrote to memory of 4896 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 138 PID 3568 wrote to memory of 4464 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 139 PID 3568 wrote to memory of 4464 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 139 PID 3568 wrote to memory of 2684 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 140 PID 3568 wrote to memory of 2684 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 140 PID 3568 wrote to memory of 3784 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 141 PID 3568 wrote to memory of 3784 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 141 PID 3568 wrote to memory of 1844 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 142 PID 3568 wrote to memory of 1844 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 142 PID 3568 wrote to memory of 2460 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 143 PID 3568 wrote to memory of 2460 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 143 PID 3568 wrote to memory of 5100 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 154 PID 3568 wrote to memory of 5100 3568 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 154 PID 5100 wrote to memory of 4148 5100 cmd.exe 157 PID 5100 wrote to memory of 4148 5100 cmd.exe 157 PID 5100 wrote to memory of 492 5100 cmd.exe 165 PID 5100 wrote to memory of 492 5100 cmd.exe 165 PID 492 wrote to memory of 4132 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 181 PID 492 wrote to memory of 4132 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 181 PID 492 wrote to memory of 4252 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 182 PID 492 wrote to memory of 4252 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 182 PID 492 wrote to memory of 4680 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 183 PID 492 wrote to memory of 4680 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 183 PID 492 wrote to memory of 1608 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 184 PID 492 wrote to memory of 1608 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 184 PID 492 wrote to memory of 1776 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 186 PID 492 wrote to memory of 1776 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 186 PID 492 wrote to memory of 4812 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 187 PID 492 wrote to memory of 4812 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 187 PID 492 wrote to memory of 1556 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 188 PID 492 wrote to memory of 1556 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 188 PID 492 wrote to memory of 2800 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 189 PID 492 wrote to memory of 2800 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 189 PID 492 wrote to memory of 3460 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 191 PID 492 wrote to memory of 3460 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 191 PID 492 wrote to memory of 2420 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 192 PID 492 wrote to memory of 2420 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 192 PID 492 wrote to memory of 4952 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 194 PID 492 wrote to memory of 4952 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 194 PID 492 wrote to memory of 3188 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 203 PID 492 wrote to memory of 3188 492 d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe 203 PID 3188 wrote to memory of 1696 3188 cmd.exe 205 PID 3188 wrote to memory of 1696 3188 cmd.exe 205 PID 3188 wrote to memory of 1584 3188 cmd.exe 209 PID 3188 wrote to memory of 1584 3188 cmd.exe 209 -
System policy modification 1 TTPs 57 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Registry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" System.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exeC:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v0XtNn8zIq.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4148
-
-
C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFa82cOwXa.bat"4⤵
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:1696
-
-
C:\Program Files\Crashpad\reports\wininit.exe"C:\Program Files\Crashpad\reports\wininit.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1584
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce" /sc ONLOGON /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\sysmon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:424
-
C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:3948
-
C:\Users\All Users\lsass.exe"C:\Users\All Users\lsass.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1896
-
C:\Recovery\WindowsRE\unsecapp.exeC:\Recovery\WindowsRE\unsecapp.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1816
-
C:\Users\Public\Desktop\System.exeC:\Users\Public\Desktop\System.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4744
-
C:\Program Files (x86)\Windows Portable Devices\Registry.exe"C:\Program Files (x86)\Windows Portable Devices\Registry.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3740
-
C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1444
-
C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe"C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1216
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:564
-
C:\Program Files\WindowsPowerShell\explorer.exe"C:\Program Files\WindowsPowerShell\explorer.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1116
-
C:\Windows\PolicyDefinitions\uk-UA\dwm.exeC:\Windows\PolicyDefinitions\uk-UA\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2868
-
C:\Program Files\Crashpad\reports\wininit.exe"C:\Program Files\Crashpad\reports\wininit.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2552
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2812
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3040
-
C:\Windows\en-US\sysmon.exeC:\Windows\en-US\sysmon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
C:\Program Files\Windows Portable Devices\taskhostw.exe"C:\Program Files\Windows Portable Devices\taskhostw.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2200
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3544
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
984KB
MD5808d571c621732642832aaca4a519717
SHA1cf71f6fc8f7ad0d691cf899928296be33ed46e49
SHA256d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce
SHA512f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88
-
Filesize
984KB
MD5da4d66fe328d749c558da6e3a4899270
SHA1a7cd9ca71fe9f1ea3217cf8e1633dc811f56a211
SHA256d9d151ab0ca505bbc07d24e1d4440b39b5e1bc95c2f92fdd9e37a155d4ed141e
SHA512169a93fe2e293028b85838c469e6a763abefa54b6515f4656a2094140c3cf48ff83eab4486b6229ca73228385cad9b79687424dbf58928164221bb690a9acff6
-
Filesize
984KB
MD55f39446fb018e7c1071ed23732fd4d69
SHA1e58e2f7bd68d200a9deef495a3c3a08c8700b1b2
SHA25616d6197c3eb16d27bfa73f43417ea67553fa64aa6802c9984eedd42eaef6da43
SHA512f93ea550eb41b42de047449312e050ed7f8ccb2ab53d614e2ae320b5fcd42fe4378be9bc3bd5ba5dfe771b5baead2929fcc3ab5fbd25d3bd978df3742ba75da4
-
Filesize
984KB
MD5cdb42b288ca93e4e71da5b0317da5417
SHA15b386160873fde87dad070bf9afe7731c97e62a3
SHA2567eea1c07513a51033ca7b008c502600f424a6818874e8683019b70c48b2bf0dc
SHA51252a1e5a861e25a208890a44419c7665423dcc25aca51fd26e31cb5bc6ae1390400e9cf1fab657963bb33918dd2c9999efb3d64399d0e654dd8ab44e47e777fe5
-
Filesize
984KB
MD5c9fccbd6ca68a603728874f6823988f2
SHA1eff5bc3849c42fdba4c3a90c0ca5869fe40711e5
SHA25674f0ca552e16bcf412eca52edbaea8d5cda9adedd2b8ee4f785c673327562386
SHA5127b50f0ed13c77d43e01aeb2688dcc1de073d956301707613c5fb807a2bc7d4ab9063ec08bd08ac73c743086af944d67227d0ad683e49ddb6f011e5666af0277b
-
Filesize
622B
MD51e3fe4ac12519a6fce3cd4edb9faa974
SHA13408b5ab32e0067948280da014f2bef98ce6ad17
SHA25690a481ddf891f46c7ea45cf89a479dd000e970de15819635a2d58a4ee8a4a476
SHA512b961bd27b0c713e0bee569f6e1a385e7ded8781b2ac7e148d4b7db67aa0df54c509672091a4ae6990c277dc95d8b8cc2605fd6f381664b760036131a2ab9a023
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe.log
Filesize1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
120B
MD55c37fb9a06ec5e24316c99b969ad3c1b
SHA1ebcde24081714a20d1c88f5527fce3aa6da6b833
SHA256d25c8dcd9eaedf398d9dc315f41aaa063043b27ea21b717cc79d6259b77c78ae
SHA512517cf9aea5440ff85d5df41e9443ae41cb31a0d85c0023a87a272369c86bf4c66e9c42321a9c10cc6157cb24bd9f4d641a8f5f0f1204ae08642047ca6b9c045f
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5085e0a3b869f290afea5688a8ac4e7c5
SHA10fedef5057708908bcca9e7572be8f46cef4f3ca
SHA2561fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede
-
Filesize
944B
MD550d3033f2bc3a3774c469d03e71a79a9
SHA122027b1d52085de99b3bffa276530fea5d961471
SHA2562987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147
SHA512ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8
-
Filesize
944B
MD520ccd8eee8fb63b0f660c38299f815d4
SHA15882e3b12448a5cd6ab57008c1be852ac84cade1
SHA256cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3
SHA51228b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f
-
Filesize
944B
MD5dd0716df5ff6e2ed8bfa08e271d64dd8
SHA1c342bbe936058ea27843d5dbe5eb434f926612f7
SHA25615ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8
SHA5127e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4
-
Filesize
944B
MD5150616521d490e160cd33b97d678d206
SHA171594f5b97a4a61fe5f120eb10bcd6b73d7e6e78
SHA25694595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827
SHA5127043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815
-
Filesize
944B
MD57a451cd1316d70a65910773fee8c3a43
SHA1d2db32d5037153dd1d94565b51b5b385817a3c3d
SHA256862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c
SHA51260887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6
-
Filesize
944B
MD53505effaead0f06d098f1aec01836881
SHA194bafdbeb2f5adbd8cec709574df5b8dbcc5eba3
SHA2565d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517
SHA512934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
210B
MD561b30754aa6f56c4e9ca30b3004d3ee4
SHA1129fb88bde0f8a9822c33f96a4c93d7ffec1ceb6
SHA256dd46cfb02388ef0c1c511b00d3251e9633333e78d773b6a79d2de4d0c9947943
SHA51230346837e78b1cc7853ba80b1d457e3ea9ef7b2c653016f760cc75a44e0d7c12f9e3fae4e711a76b6893114912df307e540d7dbe786dfd902e813de1ce5c987f
-
Filesize
267B
MD532c3385b9ba53e0daa170f3d1315b199
SHA1382d2c7b4bfe974cccc7b0b1a5435038bea9335a
SHA256f96042a826388f9f4e5eb3917050c4acfea072b9ff1593ef3ab6f557af656209
SHA512835548f780e8084e038ffd1d6bee163363511156e29ebf3db69b19bbd6126967aff6404e4c2a7260c4887e1099e4319f281219de614366be2bcd226be5001d8a
-
Filesize
984KB
MD5576d2968a5c055d0d26b52ce90cc810b
SHA13f092e14b5dd3b60d5a24befeb73b3b0aa98cd69
SHA2567bf41581ca59aeafad0e3ef4255259cd373a193082a5fc709faf90d72574568d
SHA512faeaeebc94f9ffec10e84fea8d33423e14225fc302db3c301fcab98ea97f71bb16e53deeaafd10dd91c6c88aa75caff03e8ec794c6e24a3ca7f88ee926c6d3de
-
Filesize
984KB
MD51b26a2fe4cbcc99112c26aae4a5bb115
SHA141983d1915b04404dea3df828d7041d635edbe7d
SHA25679e413a952d33c3b98c712f4fc55c899ec1c647e335929db4449d64877b5f187
SHA5120f920f5b3bbdeb303e2340ee42c415f9aea068138d3085e4b82c9911cdde5f5e6f8a9d26c825b092185ef9023212aafe72f95e10588c1aa96fcc4f9ea58fe029
-
Filesize
984KB
MD5d2ea06c8e3050b71e7e31e52afc98ae6
SHA1a6517c96cfcb06812ab71a111c1e19dc0d8520b9
SHA256a3c810c97bf1812455d811a70840133ca7cb99154e7936d992e2ab55f0b8d3d8
SHA512baecec4fbd42f687b564108c810c2e84966cbcfea3a2bf215dfd71574f0249ee1942602ba2197635bdeb8a0237c5ffd67b560a33983bb876f327b8a73f58e5c4