Overview
overview
10
Static
static
10
08ced0b985...9b.exe
windows7-x64
10
08ced0b985...9b.exe
windows10-2004-x64
10
0913fbedc2...24.exe
windows7-x64
10
0913fbedc2...24.exe
windows10-2004-x64
10
0973173c13...96.exe
windows7-x64
10
0973173c13...96.exe
windows10-2004-x64
10
098168b228...dc.exe
windows7-x64
10
098168b228...dc.exe
windows10-2004-x64
10
09a344d3da...2f.exe
windows7-x64
10
09a344d3da...2f.exe
windows10-2004-x64
10
09b5a73b30...84.exe
windows7-x64
10
09b5a73b30...84.exe
windows10-2004-x64
10
09df096633...ea.exe
windows7-x64
10
09df096633...ea.exe
windows10-2004-x64
10
0a06fa9dd0...c2.exe
windows7-x64
10
0a06fa9dd0...c2.exe
windows10-2004-x64
10
0a0c745477...fb.exe
windows7-x64
10
0a0c745477...fb.exe
windows10-2004-x64
7
0a121eca45...10.exe
windows7-x64
10
0a121eca45...10.exe
windows10-2004-x64
10
0a29f2916b...f7.exe
windows7-x64
10
0a29f2916b...f7.exe
windows10-2004-x64
10
0a2ec00b91...32.exe
windows7-x64
10
0a2ec00b91...32.exe
windows10-2004-x64
10
0a7efdf437...01.exe
windows7-x64
10
0a7efdf437...01.exe
windows10-2004-x64
10
0ab7e56cad...61.exe
windows7-x64
10
0ab7e56cad...61.exe
windows10-2004-x64
10
0ac60987a1...26.exe
windows7-x64
10
0ac60987a1...26.exe
windows10-2004-x64
10
0ace08628f...91.exe
windows7-x64
8
0ace08628f...91.exe
windows10-2004-x64
8
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
22/03/2025, 06:25
Behavioral task
behavioral1
Sample
08ced0b9853b7831e9f562c15ecbfb06a676bc1e9e133a6f9264e4bb7dd2049b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
08ced0b9853b7831e9f562c15ecbfb06a676bc1e9e133a6f9264e4bb7dd2049b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
0973173c13d86b9430c7f43bb76a0496.exe
Resource
win7-20250207-en
Behavioral task
behavioral6
Sample
0973173c13d86b9430c7f43bb76a0496.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
098168b2280eefaacf38576dc5c2ef26b9d27034c62094aa4273aa4ccb24e7dc.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
098168b2280eefaacf38576dc5c2ef26b9d27034c62094aa4273aa4ccb24e7dc.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
09a344d3dad53e34501fb523f1c35f2f.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
09a344d3dad53e34501fb523f1c35f2f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
09b5a73b30c3c0c56d3b973a837a6284.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
09b5a73b30c3c0c56d3b973a837a6284.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
09df096633080be658753777a8e7feea.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
09df096633080be658753777a8e7feea.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
0a06fa9dd00cdb3428faa863184cc6c2.exe
Resource
win7-20241023-en
Behavioral task
behavioral16
Sample
0a06fa9dd00cdb3428faa863184cc6c2.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
0a0c745477f1243667cbaf590f0e5dfb.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
0a0c745477f1243667cbaf590f0e5dfb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
0a29f2916bfe7d25154bdee719d97af7.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
0a29f2916bfe7d25154bdee719d97af7.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
0a2ec00b91350189993338c37f03ee32.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
0a2ec00b91350189993338c37f03ee32.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
0a7efdf437b268455f4d328ffb164701.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
0a7efdf437b268455f4d328ffb164701.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
0ab7e56cada9281e0177e5b1bd800a9e3ab481eeab4719cae1b91f36b1275561.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
0ab7e56cada9281e0177e5b1bd800a9e3ab481eeab4719cae1b91f36b1275561.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
0ace08628fec1c94697c5b0e6bed6ea1a955772fb493a52cde144e662f214791.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
0ace08628fec1c94697c5b0e6bed6ea1a955772fb493a52cde144e662f214791.exe
Resource
win10v2004-20250314-en
General
-
Target
09df096633080be658753777a8e7feea.exe
-
Size
1.9MB
-
MD5
09df096633080be658753777a8e7feea
-
SHA1
4b1b789ff3db59b07c1013c527273c350e78bf08
-
SHA256
63671cdfb5eddd70bfa3e97395c34e860c217a0838c853029ca85a40a5520298
-
SHA512
7216e17df59456ad6d0139be6ddd65c02c6f58519acc0f57aaacc7f7728d362abdd1470ebb5be67a1c446ae8ba1c596cf4d19ba8b8dbc65bbe5b241fb5a7b32a
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 15 IoCs
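This typically indicates the parent process was compromised via an exploit or macro. In this report the parent is wmiprvse.exe and every child is schtasks.exe, which is also what process creation requested through WMI looks like, so the parent need not have been exploited.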
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3560 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4636 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4896 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4828 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4216 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4064 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5880 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 5136 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 5136 schtasks.exe 88 -
UAC bypass 3 TTPs 36 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09df096633080be658753777a8e7feea.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 4112 powershell.exe 2052 powershell.exe 1736 powershell.exe 5764 powershell.exe 3964 powershell.exe 4856 powershell.exe 4660 powershell.exe -
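Drops file in Drivers directory 1 IoCs
The one path recorded is C:\Windows\System32\drivers\etc\hosts, opened for modification, so this entry reflects access to the hosts file (local name-resolution overrides) rather than a driver being written.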
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 09df096633080be658753777a8e7feea.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation 09df096633080be658753777a8e7feea.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation 09df096633080be658753777a8e7feea.exe -
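Executes dropped EXE 11 IoCs
RuntimeBroker.exe here appears to be the file the sample created under C:\Program Files\edge_BITS_4576_864690144\, not the Windows component of the same name, so the process name should be checked together with its image path.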
pid Process 3168 09df096633080be658753777a8e7feea.exe 4484 RuntimeBroker.exe 2896 RuntimeBroker.exe 3796 RuntimeBroker.exe 920 RuntimeBroker.exe 2176 RuntimeBroker.exe 3232 RuntimeBroker.exe 1064 RuntimeBroker.exe 1952 RuntimeBroker.exe 2504 RuntimeBroker.exe 5660 RuntimeBroker.exe -
Checks whether UAC is enabled 1 TTPs 24 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09df096633080be658753777a8e7feea.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09df096633080be658753777a8e7feea.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09df096633080be658753777a8e7feea.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files\edge_BITS_4576_864690144\9e8d7a4ca61bd9 09df096633080be658753777a8e7feea.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe 09df096633080be658753777a8e7feea.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\e6c9b481da804f 09df096633080be658753777a8e7feea.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe 09df096633080be658753777a8e7feea.exe File created C:\Program Files\ModifiableWindowsApps\Registry.exe 09df096633080be658753777a8e7feea.exe File created C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe 09df096633080be658753777a8e7feea.exe File opened for modification C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe 09df096633080be658753777a8e7feea.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\ImmersiveControlPanel\pris\smss.exe 09df096633080be658753777a8e7feea.exe File created C:\Windows\ImmersiveControlPanel\pris\69ddcba757bf72 09df096633080be658753777a8e7feea.exe File opened for modification C:\Windows\ImmersiveControlPanel\pris\RCX6E2F.tmp 09df096633080be658753777a8e7feea.exe File opened for modification C:\Windows\ImmersiveControlPanel\pris\RCX6EAD.tmp 09df096633080be658753777a8e7feea.exe File opened for modification C:\Windows\ImmersiveControlPanel\pris\smss.exe 09df096633080be658753777a8e7feea.exe File created C:\Windows\PrintDialog\en-US\Idle.exe 09df096633080be658753777a8e7feea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 09df096633080be658753777a8e7feea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 09df096633080be658753777a8e7feea.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4804 schtasks.exe 4924 schtasks.exe 1688 schtasks.exe 4828 schtasks.exe 4864 schtasks.exe 4064 schtasks.exe 4788 schtasks.exe 1336 schtasks.exe 4216 schtasks.exe 4636 schtasks.exe 4896 schtasks.exe 4824 schtasks.exe 5880 schtasks.exe 2996 schtasks.exe 3560 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 6024 09df096633080be658753777a8e7feea.exe 4112 powershell.exe 4112 powershell.exe 4660 powershell.exe 4660 powershell.exe 2052 powershell.exe 2052 powershell.exe 4856 powershell.exe 4856 powershell.exe 4856 powershell.exe 4112 powershell.exe 4660 powershell.exe 2052 powershell.exe 3168 09df096633080be658753777a8e7feea.exe 1736 powershell.exe 3964 powershell.exe 3964 powershell.exe 1736 powershell.exe 5764 powershell.exe 5764 powershell.exe 3964 powershell.exe 1736 powershell.exe 5764 powershell.exe 4484 RuntimeBroker.exe 2896 RuntimeBroker.exe 3796 RuntimeBroker.exe 3796 RuntimeBroker.exe 920 RuntimeBroker.exe 920 RuntimeBroker.exe 2176 RuntimeBroker.exe 3232 RuntimeBroker.exe 1064 RuntimeBroker.exe 1952 RuntimeBroker.exe 2504 RuntimeBroker.exe 5660 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 6024 09df096633080be658753777a8e7feea.exe Token: SeDebugPrivilege 4112 powershell.exe Token: SeDebugPrivilege 4660 powershell.exe Token: SeDebugPrivilege 2052 powershell.exe Token: SeDebugPrivilege 4856 powershell.exe Token: SeDebugPrivilege 3168 09df096633080be658753777a8e7feea.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeDebugPrivilege 3964 powershell.exe Token: SeDebugPrivilege 5764 powershell.exe Token: SeDebugPrivilege 4484 RuntimeBroker.exe Token: SeDebugPrivilege 2896 RuntimeBroker.exe Token: SeDebugPrivilege 3796 RuntimeBroker.exe Token: SeDebugPrivilege 920 RuntimeBroker.exe Token: SeDebugPrivilege 2176 RuntimeBroker.exe Token: SeDebugPrivilege 3232 RuntimeBroker.exe Token: SeDebugPrivilege 1064 RuntimeBroker.exe Token: SeDebugPrivilege 1952 RuntimeBroker.exe Token: SeDebugPrivilege 2504 RuntimeBroker.exe Token: SeDebugPrivilege 5660 RuntimeBroker.exe -
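Suspicious use of WriteProcessMemory 64 IoCs
The target PIDs include the powershell.exe, WScript.exe and RuntimeBroker.exe instances listed elsewhere in this report, so these writes may reflect the sample starting child processes rather than injection into unrelated processes; confirm against the process tree.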
description pid Process procid_target PID 6024 wrote to memory of 4856 6024 09df096633080be658753777a8e7feea.exe 101 PID 6024 wrote to memory of 4856 6024 09df096633080be658753777a8e7feea.exe 101 PID 6024 wrote to memory of 4660 6024 09df096633080be658753777a8e7feea.exe 102 PID 6024 wrote to memory of 4660 6024 09df096633080be658753777a8e7feea.exe 102 PID 6024 wrote to memory of 4112 6024 09df096633080be658753777a8e7feea.exe 103 PID 6024 wrote to memory of 4112 6024 09df096633080be658753777a8e7feea.exe 103 PID 6024 wrote to memory of 2052 6024 09df096633080be658753777a8e7feea.exe 104 PID 6024 wrote to memory of 2052 6024 09df096633080be658753777a8e7feea.exe 104 PID 6024 wrote to memory of 3168 6024 09df096633080be658753777a8e7feea.exe 109 PID 6024 wrote to memory of 3168 6024 09df096633080be658753777a8e7feea.exe 109 PID 3168 wrote to memory of 3964 3168 09df096633080be658753777a8e7feea.exe 117 PID 3168 wrote to memory of 3964 3168 09df096633080be658753777a8e7feea.exe 117 PID 3168 wrote to memory of 5764 3168 09df096633080be658753777a8e7feea.exe 118 PID 3168 wrote to memory of 5764 3168 09df096633080be658753777a8e7feea.exe 118 PID 3168 wrote to memory of 1736 3168 09df096633080be658753777a8e7feea.exe 119 PID 3168 wrote to memory of 1736 3168 09df096633080be658753777a8e7feea.exe 119 PID 3168 wrote to memory of 4484 3168 09df096633080be658753777a8e7feea.exe 123 PID 3168 wrote to memory of 4484 3168 09df096633080be658753777a8e7feea.exe 123 PID 4484 wrote to memory of 4712 4484 RuntimeBroker.exe 125 PID 4484 wrote to memory of 4712 4484 RuntimeBroker.exe 125 PID 4484 wrote to memory of 832 4484 RuntimeBroker.exe 126 PID 4484 wrote to memory of 832 4484 RuntimeBroker.exe 126 PID 4712 wrote to memory of 2896 4712 WScript.exe 128 PID 4712 wrote to memory of 2896 4712 WScript.exe 128 PID 2896 wrote to memory of 1536 2896 RuntimeBroker.exe 129 PID 2896 wrote to memory of 1536 2896 RuntimeBroker.exe 129 PID 2896 wrote to memory of 3496 2896 RuntimeBroker.exe 130 PID 2896 
wrote to memory of 3496 2896 RuntimeBroker.exe 130 PID 1536 wrote to memory of 3796 1536 WScript.exe 139 PID 1536 wrote to memory of 3796 1536 WScript.exe 139 PID 3796 wrote to memory of 5968 3796 RuntimeBroker.exe 140 PID 3796 wrote to memory of 5968 3796 RuntimeBroker.exe 140 PID 3796 wrote to memory of 1956 3796 RuntimeBroker.exe 141 PID 3796 wrote to memory of 1956 3796 RuntimeBroker.exe 141 PID 5968 wrote to memory of 920 5968 WScript.exe 142 PID 5968 wrote to memory of 920 5968 WScript.exe 142 PID 920 wrote to memory of 5380 920 RuntimeBroker.exe 143 PID 920 wrote to memory of 5380 920 RuntimeBroker.exe 143 PID 920 wrote to memory of 1496 920 RuntimeBroker.exe 144 PID 920 wrote to memory of 1496 920 RuntimeBroker.exe 144 PID 5380 wrote to memory of 2176 5380 WScript.exe 145 PID 5380 wrote to memory of 2176 5380 WScript.exe 145 PID 2176 wrote to memory of 5592 2176 RuntimeBroker.exe 146 PID 2176 wrote to memory of 5592 2176 RuntimeBroker.exe 146 PID 2176 wrote to memory of 4700 2176 RuntimeBroker.exe 147 PID 2176 wrote to memory of 4700 2176 RuntimeBroker.exe 147 PID 5592 wrote to memory of 3232 5592 WScript.exe 149 PID 5592 wrote to memory of 3232 5592 WScript.exe 149 PID 3232 wrote to memory of 2864 3232 RuntimeBroker.exe 150 PID 3232 wrote to memory of 2864 3232 RuntimeBroker.exe 150 PID 3232 wrote to memory of 5092 3232 RuntimeBroker.exe 151 PID 3232 wrote to memory of 5092 3232 RuntimeBroker.exe 151 PID 2864 wrote to memory of 1064 2864 WScript.exe 152 PID 2864 wrote to memory of 1064 2864 WScript.exe 152 PID 1064 wrote to memory of 4220 1064 RuntimeBroker.exe 153 PID 1064 wrote to memory of 4220 1064 RuntimeBroker.exe 153 PID 1064 wrote to memory of 4176 1064 RuntimeBroker.exe 154 PID 1064 wrote to memory of 4176 1064 RuntimeBroker.exe 154 PID 4220 wrote to memory of 1952 4220 WScript.exe 155 PID 4220 wrote to memory of 1952 4220 WScript.exe 155 PID 1952 wrote to memory of 640 1952 RuntimeBroker.exe 156 PID 1952 wrote to memory of 640 1952 
RuntimeBroker.exe 156 PID 1952 wrote to memory of 6132 1952 RuntimeBroker.exe 157 PID 1952 wrote to memory of 6132 1952 RuntimeBroker.exe 157 -
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 09df096633080be658753777a8e7feea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 09df096633080be658753777a8e7feea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 09df096633080be658753777a8e7feea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 09df096633080be658753777a8e7feea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 09df096633080be658753777a8e7feea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 09df096633080be658753777a8e7feea.exe
(All three values under Policies\System control User Account Control: EnableLUA = 0 turns UAC Admin Approval Mode off, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without a prompt, and PromptOnSecureDesktop = 0 stops prompts from being shown on the secure desktop. The 36 rows are consistent with each sample and RuntimeBroker.exe process in the tree below writing all three values once.)
-
Uses Task Scheduler COM API 1 TTPs
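The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run, the process tree below also shows schtasks.exe creating ONLOGON and per-minute tasks whose names and target binaries imitate legitimate Windows and Office process names (csrss.exe, smss.exe, dwm.exe, RuntimeBroker.exe, OfficeClickToRun.exe) at non-standard paths.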
Processes
-
C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe"C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe'
  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\pris\smss.exe'
  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\dwm.exe'
  2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe"C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe'
  3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe'
  3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe'
  3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4484 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c41a92b-a67c-4c2f-b5a1-d5d4dab1c92e.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2896 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2743e496-de16-42cf-ad6f-120797f6c884.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3796 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e658cceb-0972-4326-9e14-7b5d0a9d748b.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:5968 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:920 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed885eb3-e58c-4874-bebd-ce649978f68d.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:5380 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e9e3be6-b082-45a6-824b-80c3f61c3c5b.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:5592 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3232 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe883030-a9a4-415c-aae6-4411fe7726ee.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d20baf9-f6be-4897-b10b-97acaa488947.vbs"16⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e18a80-6bba-4dcf-8e24-86008ee26b16.vbs"18⤵PID:640
-
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2504 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c6a9aa-c2a3-437c-a9a7-35da7fe3f50b.vbs"20⤵PID:3352
-
C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5660 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab69f6b5-16ae-4811-81a4-e597e5de053a.vbs"22⤵PID:5088
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61814fc-249d-4d74-badd-71007f8dd6c8.vbs"22⤵PID:2280
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc100ded-3ed3-4d05-9ea2-54d2a292b0dd.vbs"20⤵PID:5448
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acac3c63-61b3-459e-b5dd-394099bf2daf.vbs"18⤵PID:6132
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1bdd0b4-bee1-4e49-aae5-4b70a1866bbe.vbs"16⤵PID:4176
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0522a0-7ddf-4059-8f34-b519b91d25c6.vbs"14⤵PID:5092
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c29091-ddbf-484e-9253-0cbf005de071.vbs"12⤵PID:4700
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5976167-4432-4b0d-a1e3-01174e1837c1.vbs"10⤵PID:1496
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\650a2332-a3e1-4597-9a27-fe1ff4bdfaf8.vbs"8⤵PID:1956
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3deca9-00dd-4be9-b78b-f0d2fa60ad31.vbs"6⤵PID:3496
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea0ad664-d515-47d0-b3ad-1a7287104e62.vbs"4⤵PID:832
-
-
-
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\pris\smss.exe'" /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\smss.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\pris\smss.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\dwm.exe'" /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\dwm.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\dwm.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe'" /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4576_864690144\RuntimeBroker.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe'" /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5880
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OfficeClickToRun.exe'" /rl HIGHEST /f
  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
Network
MITRE ATT&CK Enterprise v15
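Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
(As extracted here, the mapping lists only Execution and Privilege Escalation. The Add-MpPreference -ExclusionPath commands in the process tree add Microsoft Defender exclusions, which analysts usually track under Defense Evasion (Impair Defenses), and the ONLOGON and per-minute scheduled tasks also act as persistence.)
Replay Monitor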
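Downloads
(Each entry below gives the file size, then the MD5, SHA1, SHA256 and SHA512 digests; in this extract the label is fused directly onto the hex digest, and the dropped files' paths are not present.)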
-
Filesize
1.9MB
MD57e662f4dcb255ae1513802095c1a1b9d
SHA1e6b7a3df6b72bbb83427b83d1e19fef581beb3ab
SHA2561aa8b081412c2b79952d1669bdc8624f8f3792e2b7cb6ee9f766631e34979ee9
SHA512303da76b7b7bdac1cafa0a36350ebd65a67253892a8230173e2b135fca205e16513a5f6794fa2ee336e002ec7e99d57cc3a1b4714073c564eeb68f3212f31e17
-
Filesize
1.9MB
MD53918c3f0b4b4a5979727b94ba8bf09b0
SHA1c2346ba1c07c4a68c5f406569191f1f3e0262fa6
SHA2565dd6ea23bd3ba182191d684f6c8c2407124790cf9dfb851d45a08b2dfbda03da
SHA512e45e87baf08cfb7238753b7cbf826252a6b9bbd260a8d4ad05dd3b16eb54ddb962f1b482f9cee606f1a139b5c6490a292d71576a6e33dad2a924ac3d75a870c8
-
Filesize
1KB
MD5364147c1feef3565925ea5b4ac701a01
SHA19a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA25638cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5e7d0883e28000a6270cf6b3b3f7b6c5a
SHA174d916eb15baa5ce4a168cd80d3d2c45d503daa2
SHA25663f3369719ec0f4063138a71ba369a25fb4824bc035eaa4072ee6a5a1812480a
SHA5124b4ade064020959bc677689fa658816c8c498c8117df70a1ae4076533972593b4e2c3bf45d39e28662892e12db07641f14870ef69292e81030f8b3d7c92302f1
-
Filesize
944B
MD50b9ebff96ce87bb2948f7decf425a335
SHA13172582f4a97c15d0c5162c547fe81b811de8e74
SHA2569e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c
SHA5124eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357
-
Filesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
Filesize
944B
MD567e8893616f805af2411e2f4a1411b2a
SHA139bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d
-
Filesize
735B
MD5f44c2f9e97570a5a27c669b262802420
SHA12a9167b8f03c71da57177c56ae17e53dfe2f354a
SHA2561024c0bf162c7c757be43f136cf4e9afb10b95ac683ea22c877ed7d88c20009a
SHA512313577afa67a4f9dc7958caefc907936650a8ebfd17683ae714beec03a4c34e9bc6f5f65ce292cc86b60f937156c67632f967f0c3705d98534bd390dd7034ea5
-
Filesize
735B
MD5dbfc690009a0159172a8812d1cdc33c3
SHA1c9d8ca1f774acfcc70b0765ca1da69f914b2a87a
SHA256ed970ac96bc0952bbf932de2b19e702033950e49c562fac13729ff88ef6a3139
SHA512311a067a77a96014b56430f77df871c9b87fdc89ca5c09d024eede1f3cb85abbeb9ae2df5ebf455852ae18be7e6ceb1dfee00d67bcba03b8ddc316db287577a2
-
Filesize
735B
MD5436d2488d28c8478ac492f9886f6fece
SHA1b71159471c5cab40c04195749a016382c423405a
SHA2565b8baa30e528871b60e8f59e36e9c47053ac5c166c18b55692ddd588cc756627
SHA512065583f71b2fdd74bf8f4a82e1f4f176843779049dbdde754d393e591cddd1fc2c4ba0d59a2c6de26ebfd6babe63702b5883a9c0370a6f7d41b3bb6e09ac2211
-
Filesize
1.9MB
MD5b6e6caf37455dc20349725666ee5d255
SHA15a1fa6c046521702837a7c06afc67f412f3c178d
SHA256feeef8978d75e1c01d348940de50f95c9f8ed8db8d695df77cab83fab20002d9
SHA51235ee56436ba29c5c0e7016ec812e8992f8c2823a30e418833faaed084daa7f1e36a80ec904a2d13d0b834cc11bf449e3b8ca2be6094b7ad46b6fbf8c42c68e18
-
Filesize
735B
MD5eebe797fb5d15e017e03bfecf35b8519
SHA179c40b2c1329c8aa9a4245ec6b6392665eb96cb0
SHA2564d71d55f7320444036909feb466e7c6883f19df15b8366616d8745ac8810ef71
SHA512ea171151aeff24fddf8a5f10cf2267db818b5a2987b3b00a2eeb9f0ee6edd6bce7acdd37faf044ce610e7ad3526d7c1331099189c019d7ffb699fa64ed57efc2
-
Filesize: 1.9MB
MD5: 09df096633080be658753777a8e7feea
SHA1: 4b1b789ff3db59b07c1013c527273c350e78bf08
SHA256: 63671cdfb5eddd70bfa3e97395c34e860c217a0838c853029ca85a40a5520298
SHA512: 7216e17df59456ad6d0139be6ddd65c02c6f58519acc0f57aaacc7f7728d362abdd1470ebb5be67a1c446ae8ba1c596cf4d19ba8b8dbc65bbe5b241fb5a7b32a
(The MD5 matches the submitted sample's file name, 09df096633080be658753777a8e7feea.exe.)
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
735B
MD58300966637eff9fb0b229ef76a46cb84
SHA1e5f7207ad15ec02fac175c28115d0ae2bcb7f864
SHA256bd35319471a14117d83cfb3413a3542461f80a3686e398548854a6581a6e7886
SHA51213a588da5a89957cd0b9fa6be1b93251fbcc41569920a55d182c5a2d6a757c9bfcf6e2b4171ed32fb4938f02892b3839dacabac1395119a716d61fc3c7a2c486
-
Filesize
735B
MD58e25108b2b1e50e559cc7b691c8349b3
SHA135edd6cab6551044f2e430c41c99e33e3ed44260
SHA256c2d1dec2513d1ce3f56972ac366767f2b8e47c59fb2e70d3319c5203fdb8450b
SHA5121c0355289cb867b1b66fd800b6535d586a5ea4b6140815dd800b50f90e1893e66b10c73dfa82ef1daab05c1bf1f42835d41f428cd09f652f11303ac977379fcc
-
Filesize
735B
MD58d5e73dce2a5436921506df2cc1c13a0
SHA127e2c04abe20fca608cbde6d9f563ae5ecf716b9
SHA25623523867dfe3060b81ac9965f92f7a027c79d99ec5e4349a44d0b9a5e47cf9b2
SHA5122946bda8f7ae85bb575586c246edf0c78e5d3de2c9912ca8546d4f637ec2bc7529d1bc92cd59bc87dd796f15774ea3e163f639bc8998e261f32afdb11ce2486a
-
Filesize
735B
MD56c13f4c720543cf56ab5e2a265abdfaf
SHA1bf2420014a41ee288bfc4a16ce6b19bea93a4fcb
SHA256ee8706a2912ce143e97f7668ba57cdc22870edc8e6c9cb0baaf2ff18c7d954bc
SHA512f5c2261e59307943d40dd21bb4756042bf9c6d95b0e6b76e3dc2ee73599e47e1ff033042969b311a0cc91e2f3a24543242f4a83bbd492c6281769e99bf64dce2
-
Filesize
511B
MD5dc2f49d9f193351c55237350b555bfbe
SHA15a3c6f30026b1f1d9740b8fad235c2fcd2974735
SHA256fca6c292349f624db8097fc93be3e800363ae97a35d0f391843e9a4f6a110f9c
SHA512727ab4992ba944bb50d34c9d871603549a82ba6a0fb73320eef8a71487811c4d9c872084a5c86d819b895398afbf7cb69690d8754ed667e16f220541985f5a85
-
Filesize
734B
MD5375864e9a053eaaa407d754c40b7f76b
SHA1d341ec90efbc20db8f9d1e254ae365c087a9cd0e
SHA25670e7a8f05281371fe169091b92df3a7ce803782bccf71c21dadcdaba28a9a041
SHA5126f586472696b7ff37eba00346dfabc09569294c612e84aebb4828d16490e86a81b978ead33430676c69cc3ebc696b90cffb1d6d6a5447e91ee16fc8d8c9fb182
-
Filesize
735B
MD562ba2d0bb2ca39b7ca01ed3bc7bdb035
SHA15175ede20989a3811281dd229cce0d2d9108cb13
SHA256cdef58faf419c67797d2931003c16106887b56bbfb08db94bfc61c0caa2b7550
SHA51244663b2a403fd970eb92152d8fd70285aec3a255c029591a4761067bcfbaf3db9bc516426bafc9b0d453a0ff2420bc575250813fc7dbfd9e7a67e0277f5315d7
-
Filesize
444B
MD571cb9a6b33084f6546aa1edbc53e37fa
SHA1e05b66937010549439edb7f13937f61211b28b0b
SHA256dfb33193b7ac4df873b8099743dcdef97fe25d00eeb6b8d1f6ad2697df5b0ef3
SHA512934d6b5f150c70bcf0b8574675b1cb4d0eb9702a22a55d7200d33881f3036e58eb4443a2854a4c716eabb2d5e56287073eaddb3994368e91d25bb8a7757699fc
-
Filesize
1.9MB
MD508f577b6bad84392a6a4617592348f0b
SHA1283aaded99e54208375e6c1f45e9e4059784cf73
SHA256ed45609cdb64076f0d810facda659ac2adab7042a3548c3bba28cf6e9e01c5ad
SHA5123285c7852884796541ef3ff97c6a7f238ad7ea3f793c64c533b0d65d30376de45b310bfe118821429a4d45eb06c6cf751f72008b6fdb2504cce39c0f7d35e015