Overview
Score | Sample | Platform
10 | 410897f368...44.exe | windows7-x64
10 | 410897f368...44.exe | windows10-2004-x64
10 | 41234e0118...f5.exe | windows7-x64
10 | 41234e0118...f5.exe | windows10-2004-x64
10 | 412f4448e9...bb.exe | windows7-x64
10 | 412f4448e9...bb.exe | windows10-2004-x64
10 | 414a1d4000...6f.exe | windows7-x64
1 | 414a1d4000...6f.exe | windows10-2004-x64
1 | 414cb3c4ac...da.exe | windows7-x64
3 | 414cb3c4ac...da.exe | windows10-2004-x64
3 | 414f523f34...3b.exe | windows7-x64
10 | 414f523f34...3b.exe | windows10-2004-x64
10 | 415b778406...d0.exe | windows7-x64
10 | 415b778406...d0.exe | windows10-2004-x64
10 | 4175909fcd...67.exe | windows7-x64
7 | 4175909fcd...67.exe | windows10-2004-x64
7 | 417e4b0837...74.exe | windows7-x64
10 | 417e4b0837...74.exe | windows10-2004-x64
10 | 4189a83a9b...b4.exe | windows7-x64
1 | 4189a83a9b...b4.exe | windows10-2004-x64
10 | 41c0c0017e...70.exe | windows7-x64
10 | 41c0c0017e...70.exe | windows10-2004-x64
10 | 41dc6460e6...c8.exe | windows7-x64
10 | 41dc6460e6...c8.exe | windows10-2004-x64
10 | 4202cc1a54...c1.exe | windows7-x64
10 | 4202cc1a54...c1.exe | windows10-2004-x64
10 | 4227543d6c...7e.exe | windows7-x64
10 | 4227543d6c...7e.exe | windows10-2004-x64
10 | 424fdd0325...46.exe | windows7-x64
10 | 424fdd0325...46.exe | windows10-2004-x64
10 | 4255dacb36...cd.exe | windows7-x64
10 | 4255dacb36...cd.exe | windows10-2004-x64

Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2025, 06:10

Behavioral tasks
Task | Sample | Resource
behavioral1 | 410897f36809104096c8b600eb3a0444.exe | win7-20240903-en
behavioral2 | 410897f36809104096c8b600eb3a0444.exe | win10v2004-20250314-en
behavioral3 | 41234e0118ba1cfc06b88d347f3a53f5.exe | win7-20250207-en
behavioral4 | 41234e0118ba1cfc06b88d347f3a53f5.exe | win10v2004-20250314-en
behavioral5 | 412f4448e99979a1ce810cdf392b6abb.exe | win7-20240729-en
behavioral6 | 412f4448e99979a1ce810cdf392b6abb.exe | win10v2004-20250314-en
behavioral7 | 414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe | win7-20240903-en
behavioral8 | 414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe | win10v2004-20250314-en
behavioral9 | 414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe | win7-20250207-en
behavioral10 | 414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe | win10v2004-20250314-en
behavioral11 | 414f523f34e87006f31ca4b703886d3b.exe | win7-20250207-en
behavioral12 | 414f523f34e87006f31ca4b703886d3b.exe | win10v2004-20250314-en
behavioral13 | 415b778406bbdc705f1962ded94e90d0.exe | win7-20241023-en
behavioral14 | 415b778406bbdc705f1962ded94e90d0.exe | win10v2004-20250314-en
behavioral15 | 4175909fcd35882461a1cfd784f7c967.exe | win7-20241023-en
behavioral16 | 4175909fcd35882461a1cfd784f7c967.exe | win10v2004-20250314-en
behavioral17 | 417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe | win7-20240903-en
behavioral18 | 417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe | win10v2004-20250314-en
behavioral19 | 4189a83a9b95038e6e32f05b4c69f3b4.exe | win7-20240903-en
behavioral20 | 4189a83a9b95038e6e32f05b4c69f3b4.exe | win10v2004-20250314-en
behavioral21 | 41c0c0017e07c3984ced9121a820b070.exe | win7-20241023-en
behavioral22 | 41c0c0017e07c3984ced9121a820b070.exe | win10v2004-20250314-en
behavioral23 | 41dc6460e6f99bd865a3456e9c0348c8.exe | win7-20241023-en
behavioral24 | 41dc6460e6f99bd865a3456e9c0348c8.exe | win10v2004-20250314-en
behavioral25 | 4202cc1a54d458c6b3a7579733cc35c1.exe | win7-20240903-en
behavioral26 | 4202cc1a54d458c6b3a7579733cc35c1.exe | win10v2004-20250314-en
behavioral27 | 4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe | win7-20240903-en
behavioral28 | 4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe | win10v2004-20250314-en
behavioral29 | 424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe | win7-20240903-en
behavioral30 | 424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe | win10v2004-20250314-en
behavioral31 | 4255dacb3601f46615055d9d23a538cd.exe | win7-20241023-en
behavioral32 | 4255dacb3601f46615055d9d23a538cd.exe | win10v2004-20250314-en

General
- Target: 410897f36809104096c8b600eb3a0444.exe
- Size: 1.1MB
- MD5: 410897f36809104096c8b600eb3a0444
- SHA1: 18e8b8e65471f7f19b3612ba93a20bd6a702e7dc
- SHA256: 1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed
- SHA512: 479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0
- SSDEEP: 12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Malware Config
Signatures

DcRat (13 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
 |  | 368 | schtasks.exe
 |  | 4752 | schtasks.exe
 |  | 4840 | schtasks.exe
 |  | 4808 | schtasks.exe
 |  | 4768 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |  | 410897f36809104096c8b600eb3a0444.exe
 |  | 4072 | schtasks.exe
 |  | 2492 | schtasks.exe
 |  | 2584 | schtasks.exe
 |  | 4708 | schtasks.exe
 |  | 4780 | schtasks.exe
 |  | 4960 | schtasks.exe
 |  | 2096 | schtasks.exe

Dcrat family

Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\", \"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4708 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4840 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4780 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4960 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4072 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 368 | 4228 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 4228 | schtasks.exe | 87

UAC bypass (3 TTPs, 48 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3368 | powershell.exe
1624 | powershell.exe
4980 | powershell.exe
4488 | powershell.exe
3232 | powershell.exe
3924 | powershell.exe
2952 | powershell.exe
2532 | powershell.exe
4704 | powershell.exe
4868 | powershell.exe
4876 | powershell.exe
1220 | powershell.exe
1424 | powershell.exe
1016 | powershell.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 410897f36809104096c8b600eb3a0444.exe

Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | lsass.exe

Executes dropped EXE (15 IoCs)
pid | Process
4676 | 410897f36809104096c8b600eb3a0444.exe
1884 | lsass.exe
3332 | lsass.exe
1108 | lsass.exe
5124 | lsass.exe
3588 | lsass.exe
3480 | lsass.exe
452 | lsass.exe
1556 | lsass.exe
516 | lsass.exe
5196 | lsass.exe
8 | lsass.exe
788 | lsass.exe
4392 | lsass.exe
1268 | lsass.exe

Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\wowreg32\\conhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\wowreg32\\conhost.exe\"" | 410897f36809104096c8b600eb3a0444.exe

Checks whether UAC is enabled (1 TTPs, 32 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 410897f36809104096c8b600eb3a0444.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 410897f36809104096c8b600eb3a0444.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Drops file in System32 directory 20 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\System32\wowreg32\conhost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\wdc\9e8d7a4ca61bd9 | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\wdc\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\AudioSrvPolicyManager\RCX8C68.tmp | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\DeviceReactivation\5b884080fd4f94 | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\wdc\RCX83F9.tmp | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\e978f868350d50 | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\Windows.UI.Search\9e8d7a4ca61bd9 | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\System32\DeviceReactivation\fontdrvhost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\wowreg32\conhost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\AudioSrvPolicyManager\eddb19405b7ce1 | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\DeviceReactivation\fontdrvhost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\wdc\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\System32\wowreg32\088424020bedd6 | 410897f36809104096c8b600eb3a0444.exe |
Drops file in Program Files directory 8 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RCX81F4.tmp | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Idle.exe | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX866B.tmp | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\Idle.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\6ccacd8608530f | 410897f36809104096c8b600eb3a0444.exe |
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe | 410897f36809104096c8b600eb3a0444.exe |
| File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c3 | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCX8870.tmp | 410897f36809104096c8b600eb3a0444.exe |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe | 410897f36809104096c8b600eb3a0444.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 16 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | 410897f36809104096c8b600eb3a0444.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 410897f36809104096c8b600eb3a0444.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | lsass.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 4840 | schtasks.exe |
| 4780 | schtasks.exe |
| 4808 | schtasks.exe |
| 4768 | schtasks.exe |
| 2096 | schtasks.exe |
| 368 | schtasks.exe |
| 2584 | schtasks.exe |
| 4708 | schtasks.exe |
| 4960 | schtasks.exe |
| 4072 | schtasks.exe |
| 2492 | schtasks.exe |
| 4752 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
| pid | Process |
|---|---|
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 4704 | powershell.exe |
| 4704 | powershell.exe |
| 4868 | powershell.exe |
| 4868 | powershell.exe |
| 4980 | powershell.exe |
| 4980 | powershell.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 4876 | powershell.exe |
| 4876 | powershell.exe |
| 1016 | powershell.exe |
| 1016 | powershell.exe |
| 4488 | powershell.exe |
| 4488 | powershell.exe |
| 1424 | powershell.exe |
| 1424 | powershell.exe |
| 1220 | powershell.exe |
| 1220 | powershell.exe |
| 1424 | powershell.exe |
| 4876 | powershell.exe |
| 1016 | powershell.exe |
| 4704 | powershell.exe |
| 4980 | powershell.exe |
| 4868 | powershell.exe |
| 1220 | powershell.exe |
| 4488 | powershell.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 6072 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
| 4676 | 410897f36809104096c8b600eb3a0444.exe |
Suspicious use of AdjustPrivilegeToken 30 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 6072 | 410897f36809104096c8b600eb3a0444.exe |
| Token: SeDebugPrivilege | 1424 | powershell.exe |
| Token: SeDebugPrivilege | 4704 | powershell.exe |
| Token: SeDebugPrivilege | 4980 | powershell.exe |
| Token: SeDebugPrivilege | 4868 | powershell.exe |
| Token: SeDebugPrivilege | 4876 | powershell.exe |
| Token: SeDebugPrivilege | 1016 | powershell.exe |
| Token: SeDebugPrivilege | 4488 | powershell.exe |
| Token: SeDebugPrivilege | 1220 | powershell.exe |
| Token: SeDebugPrivilege | 4676 | 410897f36809104096c8b600eb3a0444.exe |
| Token: SeDebugPrivilege | 3924 | powershell.exe |
| Token: SeDebugPrivilege | 1624 | powershell.exe |
| Token: SeDebugPrivilege | 3368 | powershell.exe |
| Token: SeDebugPrivilege | 3232 | powershell.exe |
| Token: SeDebugPrivilege | 2952 | powershell.exe |
| Token: SeDebugPrivilege | 2532 | powershell.exe |
| Token: SeDebugPrivilege | 1884 | lsass.exe |
| Token: SeDebugPrivilege | 3332 | lsass.exe |
| Token: SeDebugPrivilege | 1108 | lsass.exe |
| Token: SeDebugPrivilege | 5124 | lsass.exe |
| Token: SeDebugPrivilege | 3588 | lsass.exe |
| Token: SeDebugPrivilege | 3480 | lsass.exe |
| Token: SeDebugPrivilege | 452 | lsass.exe |
| Token: SeDebugPrivilege | 1556 | lsass.exe |
| Token: SeDebugPrivilege | 516 | lsass.exe |
| Token: SeDebugPrivilege | 5196 | lsass.exe |
| Token: SeDebugPrivilege | 8 | lsass.exe |
| Token: SeDebugPrivilege | 788 | lsass.exe |
| Token: SeDebugPrivilege | 4392 | lsass.exe |
| Token: SeDebugPrivilege | 1268 | lsass.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 6072 wrote to memory of 4704 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 98 |
| PID 6072 wrote to memory of 4704 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 98 |
| PID 6072 wrote to memory of 4868 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 99 |
| PID 6072 wrote to memory of 4868 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 99 |
| PID 6072 wrote to memory of 4980 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 100 |
| PID 6072 wrote to memory of 4980 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 100 |
| PID 6072 wrote to memory of 4876 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 101 |
| PID 6072 wrote to memory of 4876 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 101 |
| PID 6072 wrote to memory of 1016 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 102 |
| PID 6072 wrote to memory of 1016 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 102 |
| PID 6072 wrote to memory of 4488 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 103 |
| PID 6072 wrote to memory of 4488 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 103 |
| PID 6072 wrote to memory of 1424 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 104 |
| PID 6072 wrote to memory of 1424 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 104 |
| PID 6072 wrote to memory of 1220 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 105 |
| PID 6072 wrote to memory of 1220 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 105 |
| PID 6072 wrote to memory of 4676 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 114 |
| PID 6072 wrote to memory of 4676 | 6072 | 410897f36809104096c8b600eb3a0444.exe | 114 |
| PID 4676 wrote to memory of 2532 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 122 |
| PID 4676 wrote to memory of 2532 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 122 |
| PID 4676 wrote to memory of 2952 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 123 |
| PID 4676 wrote to memory of 2952 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 123 |
| PID 4676 wrote to memory of 3924 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 124 |
| PID 4676 wrote to memory of 3924 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 124 |
| PID 4676 wrote to memory of 3232 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 125 |
| PID 4676 wrote to memory of 3232 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 125 |
| PID 4676 wrote to memory of 1624 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 126 |
| PID 4676 wrote to memory of 1624 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 126 |
| PID 4676 wrote to memory of 3368 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 127 |
| PID 4676 wrote to memory of 3368 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 127 |
| PID 4676 wrote to memory of 3440 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 134 |
| PID 4676 wrote to memory of 3440 | 4676 | 410897f36809104096c8b600eb3a0444.exe | 134 |
| PID 3440 wrote to memory of 5200 | 3440 | cmd.exe | 136 |
| PID 3440 wrote to memory of 5200 | 3440 | cmd.exe | 136 |
| PID 3440 wrote to memory of 1884 | 3440 | cmd.exe | 138 |
| PID 3440 wrote to memory of 1884 | 3440 | cmd.exe | 138 |
| PID 1884 wrote to memory of 3812 | 1884 | lsass.exe | 139 |
| PID 1884 wrote to memory of 3812 | 1884 | lsass.exe | 139 |
| PID 1884 wrote to memory of 1964 | 1884 | lsass.exe | 140 |
| PID 1884 wrote to memory of 1964 | 1884 | lsass.exe | 140 |
| PID 3812 wrote to memory of 3332 | 3812 | WScript.exe | 141 |
| PID 3812 wrote to memory of 3332 | 3812 | WScript.exe | 141 |
| PID 3332 wrote to memory of 3344 | 3332 | lsass.exe | 143 |
| PID 3332 wrote to memory of 3344 | 3332 | lsass.exe | 143 |
| PID 3332 wrote to memory of 3276 | 3332 | lsass.exe | 144 |
| PID 3332 wrote to memory of 3276 | 3332 | lsass.exe | 144 |
| PID 3344 wrote to memory of 1108 | 3344 | WScript.exe | 152 |
| PID 3344 wrote to memory of 1108 | 3344 | WScript.exe | 152 |
| PID 1108 wrote to memory of 2152 | 1108 | lsass.exe | 153 |
| PID 1108 wrote to memory of 2152 | 1108 | lsass.exe | 153 |
| PID 1108 wrote to memory of 3664 | 1108 | lsass.exe | 154 |
| PID 1108 wrote to memory of 3664 | 1108 | lsass.exe | 154 |
| PID 2152 wrote to memory of 5124 | 2152 | WScript.exe | 155 |
| PID 2152 wrote to memory of 5124 | 2152 | WScript.exe | 155 |
| PID 5124 wrote to memory of 4988 | 5124 | lsass.exe | 156 |
| PID 5124 wrote to memory of 4988 | 5124 | lsass.exe | 156 |
| PID 5124 wrote to memory of 1408 | 5124 | lsass.exe | 157 |
| PID 5124 wrote to memory of 1408 | 5124 | lsass.exe | 157 |
| PID 4988 wrote to memory of 3588 | 4988 | WScript.exe | 158 |
| PID 4988 wrote to memory of 3588 | 4988 | WScript.exe | 158 |
| PID 3588 wrote to memory of 820 | 3588 | lsass.exe | 159 |
| PID 3588 wrote to memory of 820 | 3588 | lsass.exe | 159 |
| PID 3588 wrote to memory of 4068 | 3588 | lsass.exe | 160 |
| PID 3588 wrote to memory of 4068 | 3588 | lsass.exe | 160 |
System policy modification 1 TTPs 48 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 410897f36809104096c8b600eb3a0444.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wdc\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wowreg32\conhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\WinMSIPC\lsass.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceReactivation\fontdrvhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\81VaE6Q4eQ.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵PID:5200
-
-
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe"C:\ProgramData\Microsoft\WinMSIPC\lsass.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1884 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf26042-3961-47d1-b701-8c3c51731fcd.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3332 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d051598e-a0e9-4827-85e6-39fe0aaa9b89.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4dac5c5-2d14-42d4-ba97-55859d138c7c.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5124 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2b71f-288f-490c-b9e0-f287f8d9eddc.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3588 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfab3c8-5259-4173-8e62-7514782681d3.vbs"13⤵PID:820
-
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3480 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd62e811-f0b0-46d3-a89e-0858bfb2a963.vbs"15⤵PID:4712
-
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:452 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b199c8-a2ab-4af2-8706-2eba0c3725cb.vbs"17⤵PID:1988
-
C:\ProgramData\Microsoft\WinMSIPC\lsass.exeC:\ProgramData\Microsoft\WinMSIPC\lsass.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1556
C:\Windows\System32\WScript.exe (depth 19)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29823425-a1dc-4c1d-b166-c3e61cb778ef.vbs"
PID:1004
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 20)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:516
C:\Windows\System32\WScript.exe (depth 21)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71aa7d7-4e19-4bc6-b35d-9c27537be80f.vbs"
PID:4900
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 22)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5196
C:\Windows\System32\WScript.exe (depth 23)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0353ce62-a226-4ffe-bbea-9d1789a7cff2.vbs"
PID:596
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 24)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:8
C:\Windows\System32\WScript.exe (depth 25)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41b74bdf-1e4d-48da-80dc-4f5a5b26bb9f.vbs"
PID:1112
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 26)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:788
C:\Windows\System32\WScript.exe (depth 27)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d250668b-3f7c-486c-ba8c-fb93312cda76.vbs"
PID:5108
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 28)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4392
C:\Windows\System32\WScript.exe (depth 29)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea1b92b8-03ee-4bdc-a5b2-cbf75a05279c.vbs"
PID:5364
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe (depth 30)
C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1268
C:\Windows\System32\WScript.exe (depth 31)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e45ceb23-70ff-4d8a-85e6-526fcca8da06.vbs"
PID:3764
C:\Windows\System32\WScript.exe (depth 31)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8e38da-ef76-4196-8e79-9a14ac053052.vbs"
PID:224
C:\Windows\System32\WScript.exe (depth 29)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f933126-8b5a-4a5a-b104-9e3be4055865.vbs"
PID:3304
C:\Windows\System32\WScript.exe (depth 27)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7a4d49-593d-4801-8af1-a6b29d008003.vbs"
PID:4740
C:\Windows\System32\WScript.exe (depth 25)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c659fec4-0f82-4e62-adc8-e4c57478b991.vbs"
PID:4848
C:\Windows\System32\WScript.exe (depth 23)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7d83f2c-b2f4-4d1f-a864-5e4ae5c4d155.vbs"
PID:4976
C:\Windows\System32\WScript.exe (depth 21)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d2e6377-c6ed-4ad1-9519-dd96fc172c0c.vbs"
PID:3256
C:\Windows\System32\WScript.exe (depth 19)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8da156b-7261-46e5-9c65-c15252bd1031.vbs"
PID:6004
C:\Windows\System32\WScript.exe (depth 17)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94dea313-5b7c-40ae-a126-5d7d682fff92.vbs"
PID:4204
C:\Windows\System32\WScript.exe (depth 15)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0bb67d2-1889-44ad-a33a-4c5d6f79ef9e.vbs"
PID:1148
C:\Windows\System32\WScript.exe (depth 13)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de34fe53-27c2-4bef-a7ba-8d5d30392322.vbs"
PID:4068
C:\Windows\System32\WScript.exe (depth 11)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d33e50f7-21e6-47e7-bc71-97a9723e70fa.vbs"
PID:1408
C:\Windows\System32\WScript.exe (depth 9)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a22e577-dd7a-4705-893b-a9c85b2355b9.vbs"
PID:3664
C:\Windows\System32\WScript.exe (depth 7)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87cfe211-f2ec-4c66-892e-915a528e7040.vbs"
PID:3276
C:\Windows\System32\WScript.exe (depth 5)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0e3d261-183e-4fc6-9f4b-5e2f17865ed1.vbs"
PID:1964
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wdc\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\wowreg32\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\DeviceReactivation\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
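The scheduled-task entries above and the WScript.exe to lsass.exe chain in the process tree record the same persistence pattern: a binary named after a Windows system process (lsass.exe, services.exe, conhost.exe, RuntimeBroker.exe, ...) dropped outside that process's real directory, and registered to run at logon with /rl HIGHEST. The Python below is an added example, not part of the Triage report or of DcRat, that parses the recorded schtasks command lines and one parent/child pair from the process tree (both copied from this page, each with one constructed benign entry added as a control) and flags that pattern. The EXPECTED_DIRS map of where each impersonated binary legitimately lives is an assumption of the example for a default Windows 10 x64 install, not data from the report.

```python
import re
from pathlib import PureWindowsPath

# schtasks command lines copied from the report above (the fused
# "C:\Windows\system32\schtasks.exe" image prefix removed), plus one
# constructed benign line so the filter has something to let through.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\wowreg32\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\lsass.exe'" /rl HIGHEST /f''',
    # constructed control line, not from the report
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Program Files\Acme\backup.exe'" /rl LIMITED /f''',
]

# One parent/child pair taken from the process tree above (depth 19 -> 20),
# plus one constructed benign pair (a real lsass.exe started by wininit.exe).
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\WScript.exe",
     "parent_cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29823425-a1dc-4c1d-b166-c3e61cb778ef.vbs"',
     "image": r"C:\ProgramData\Microsoft\WinMSIPC\lsass.exe"},
    {"parent": r"C:\Windows\System32\wininit.exe",  # constructed, not from the report
     "parent_cmd": r"wininit.exe",
     "image": r"C:\Windows\System32\lsass.exe"},
]

# Where each impersonated binary legitimately lives (assumption of this
# example for a default Windows 10 x64 install; extend per OS build).
# An empty set means no Windows binary of that name exists at all.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "idle.exe": set(),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

_FIELDS = {
    "task": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "target": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def masquerade_reason(path):
    """Why an image path looks like a renamed drop, or None if it is where it belongs."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None:
        return None  # not a name on the watch list
    if not allowed:
        return f"masquerade: no legitimate Windows binary named {name}"
    if parent not in allowed:
        return f"masquerade: {name} outside {sorted(allowed)} (found in {parent})"
    return None


def parse_schtasks(line):
    """Extract task name, trigger, action path and run level from a schtasks /create line."""
    fields = {}
    for key, rx in _FIELDS.items():
        m = rx.search(line)
        fields[key] = m.group(1) if m else ""
    fields["target"] = fields["target"].strip("'")  # DcRat wraps the action in extra single quotes
    return fields


def analyze_task(line):
    """Parsed fields plus the reasons (possibly none) the task looks like malicious persistence."""
    f = parse_schtasks(line)
    reasons = []
    why = masquerade_reason(f["target"])
    if why:
        reasons.append(why)
    if f["schedule"].upper() == "ONLOGON" and f["runlevel"].upper() == "HIGHEST":
        reasons.append("logon-triggered task requesting the highest run level")
    f["reasons"] = reasons
    return f


def analyze_process(ev):
    """Flag a child that is a masqueraded binary and/or was started by a script host running a .vbs from Temp."""
    reasons = []
    why = masquerade_reason(ev["image"])
    if why:
        reasons.append(why)
    cmd = ev["parent_cmd"].lower()
    if PureWindowsPath(ev["parent"]).name.lower() in SCRIPT_HOSTS and ".vbs" in cmd and "\\appdata\\local\\temp\\" in cmd:
        reasons.append("spawned by a script host running a .vbs from the user's Temp directory")
    return {**ev, "reasons": reasons}


def suspicious_tasks(lines):
    return [r for r in map(analyze_task, lines) if r["reasons"]]


def suspicious_processes(events):
    return [r for r in map(analyze_process, events) if r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_tasks(SCHTASKS_LINES):
        print(f'task "{hit["task"]}" -> {hit["target"]}')
        for why in hit["reasons"]:
            print("    -", why)
    for hit in suspicious_processes(PROCESS_EVENTS):
        print(f'process {hit["image"]}')
        for why in hit["reasons"]:
            print("    -", why)
```

Run against the six report lines, every task trips both checks (wrong directory for a system-process name, and ONLOGON with HIGHEST), while the constructed backup task passes; the dropped lsass.exe from the process tree trips the same directory check and the script-host-from-Temp check. In a real deployment the same two predicates can be fed from Sysmon event ID 1 (process creation, with ParentImage and CommandLine) and from the task XML under C:\Windows\System32\Tasks rather than from a sandbox report.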
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
  PowerShell (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Downloads

Filesize: 1.1MB
MD5: 410897f36809104096c8b600eb3a0444
SHA1: 18e8b8e65471f7f19b3612ba93a20bd6a702e7dc
SHA256: 1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed
SHA512: 479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0

Filesize: 1KB
MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: e69ced0a44ced088c3954d6ae03796e7
SHA1: ef4cac17b8643fb57424bb56907381a555a8cb92
SHA256: 49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108
SHA512: 15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Filesize: 944B
MD5: b0bd0ba1b6d523383ae26f8138bac15f
SHA1: 8d2828b9380b09fe6b0a78703a821b9fb8a491e5
SHA256: a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1
SHA512: 614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Filesize: 944B
MD5: ff8dea104630cb0cb3da85eea627c4c0
SHA1: b332b51a9f473a604710d64b66c01c9df8caf88b
SHA256: 97d63b322c131f512e5b1f2052d364bd82e41de6899d4d334532a35f6e290d7f
SHA512: 698ee25bcecac3a2c71452150be7e69fb08bed1a041f2f44e38427a9bb6911a4eea8d7320bb4530c2893c11994913142051d472ddefe900055f415cb9673552e

Filesize: 944B
MD5: 26403455115fbc3da2573a37cc28744a
SHA1: 6a9bf407036a8b9d36313462c0257f53b4ee9170
SHA256: 222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352
SHA512: be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Filesize: 719B
MD5: 726ec93615f0017fa7640a2ff71b0180
SHA1: 8c7d21ede357d68fa6a183cc898620e5b0625632
SHA256: 105ae5b6af1502429e4a39cf6b44d25de322ffc0123655358168bcb1e0f7fbfc
SHA512: ce4edd86c3403226c2e3554a4cac360205f4108d5863ecefe167a4eda3504cda8ba78d334065851092b249f8bfc4d7ab309fedc7f6c6ae658472a1fd72fe2b21

Filesize: 719B
MD5: 791a12bd0077de80832895a6da09e73f
SHA1: 5afe7103d363fb3c580aacc6deb8fb3cc2a11522
SHA256: c41522eca34ae087ac00ce487f9892bba4e19304e04fdad7ad568393e6a7d55f
SHA512: 83ea1acba61680c3aefa7bb1632767faad6706e18ac7c61c04192504487543cce5c1594ec68e4dceb16f0e9959a3c5d4e8d66ee5f10ff2db18b3b00174ef05ba

Filesize: 716B
MD5: be47888984d8b32456abe941f4fc2e4e
SHA1: 1fdabb953452d90a19baf5a98e351c29c99cd24d
SHA256: 79eb1863d119909da0734cf2f7630e5f868cf22f6dcaf64ea5c780bbd7c25126
SHA512: a231ec0ef45fa228b107cd3c286b6982108c14d5d3025b78627280aa785a987590d97ea9b8ea61bf88324e90181540ceb406ea82055742833f8eac36e156d371

Filesize: 719B
MD5: cf3509dcb8150adca240ff4d8391db80
SHA1: 87ec2f9f80533b62d50e49efddd69050bc18e860
SHA256: 9c8f05ce53d518b9daef0159f3b3041764b813f91c0e39517c88bd4ab2684990
SHA512: e136dddb974f31d1103beb22973994e6b2d65e744fe92a0ce1cbde180ac31afebb8ad4afdc1b2e2ed19390148aa0d8e21027be9d3f5b6aadcdf4eb40170516cd

Filesize: 719B
MD5: b5b3dde604732d9c39c60b8ecd406fce
SHA1: d913ba49cb6d22377bcdad70a40694b37d51ddfe
SHA256: 551e4ac9f5fd0ddaee470e2f93c01bbd36c4de0a84afe6a305bd59c4d12c32b8
SHA512: a43cac99dee25099db6461b39f18b602752277c27b1545dba9e0b2fd1144ddedd1790b0ee2143694e7231da8edbe6a88b12708366cf0f8690c9f9a68db8fc019

Filesize: 207B
MD5: 9c7fbc07881bb0111ec21c0e45ec3ddb
SHA1: 47d1c6dbca5c5460cc9924f4aeb6857a27c3b3e7
SHA256: 77b49ded09c6abc3aed47ac50e38178d62110bcccb662a3ccb26c129b18e1fce
SHA512: d7ab0469e02bf52696bf814e86d2a2a2f112656c567e82feb57a24e6f142819c53b59d013394f3054b777adbf5fe56c2afe7f7d8c879985504a277cfddaa5ce2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 719B
MD5: 4ff03d72de552270f63b064e79e71bfd
SHA1: b74539d05a8df3d1250d992f26d8291d8ae7c9f6
SHA256: aaff1ed04d584185e472eab2b3a1a27590c8835d86d182a7e36184d593e5b902
SHA512: 2967a7520affc61424351194ab5b7b2d6c1796b0e19bb9c0fae806522b9b3baf5c3dce0a79963c9474a435c31ea60300879c82245c86842addeddb464f3975ff

Filesize: 718B
MD5: bcbd78458422b5c290492707a7fabc91
SHA1: 235ae127f702301ecbd565e34531ce74bf787dc8
SHA256: 313615d9f9c0ec0975ad0cdb53c4166f67591303afe3f7bd87863934a236dd1a
SHA512: 57ce8aca2cdc018cd5252e724b924c94b05d1186b2b5fd9fa721bda90fdc74c918a57a7c2d55c9cabe104f140b2391f664774ddc450112461662f4b9e35b026d

Filesize: 719B
MD5: 0fed312f700b3c2fbcd7135f3bbc298e
SHA1: 71d86ac8bce315566accf3eec0f24073b871c025
SHA256: 0249e1f333256fe22a01cab72af06a359209952cf3182f46165b36bf403687b8
SHA512: 327b54af69bd5e2a6fd39b64259f5c20ad3607fa352cfa721e6d1f291e2d270bcd81bb88b2132e9ef7b1fa3f8c5bf29d0c27da7db04d852e1a834ec10698675b

Filesize: 495B
MD5: ccb98b59dd9a0ed390d964ca07b67ec8
SHA1: 37fc0d6b86542058894cdaa0eeb05f79e3202787
SHA256: 8f598bb2f437cae844f9c42380bb8c0da431617d58ceaac8113e919fabba8ae6
SHA512: ba2bb53c458303da063dc5055f6453456621574c0fed778e7da33e3debde7dff7d16ac87bb78186c5148659f6cb7e88d430d21d3c0aefaf9d5cf2e8d87bcf09b

Filesize: 719B
MD5: cbae056fdf34967db4470e2f2855decf
SHA1: 132ea3080a7d19f392d5a61c34519ae8c6e8a3c2
SHA256: 81b139a68c803942f47c01dbfb55e7d5328291f6a12da00e367ceb35c2364cbf
SHA512: 11347399b845dc385c2452464b548d5af394bc5b77ce25fa2b3e4c9d65a931a2f01809283bbf575d47d7795969bf1d94727cb66bed7fdd50385437a4cb983540

Filesize: 719B
MD5: 2e4dafca4e82b6edf300f6e8b20b0e08
SHA1: b1574db75ecbe5055f84f6eb81bd6b9933ffd6f3
SHA256: b5d97005666ceaf125439369319fb754bdd4126cd863c28ad0470ac062b473e1
SHA512: 02eb725689eeaf0766956a075a423a27848c8824aa43fdb073aca433db2e7dd72cbb77ab72c10047e570bf744fb523d7090bc4ac660e9550ee8975d18bbfc22d

Filesize: 718B
MD5: 65771bfa33f7dc57b25e3b1c5e41fb64
SHA1: 2ef22d4212397c742a8f90dbd0b07000a2b544eb
SHA256: d71613fd4d7b5b407aebbdaa4ce5fd18f2f1055687a91d8a09a43dad567b5368
SHA512: cd1973d484382fd85a350c02db5b986737d55f3eecdc43e5e35b59be6be695eee1bd271c2d0c8ea7b32e9edb590bec123baab98f86b0fd42ac5ab60d0ede5663

C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab
Filesize: 500B
MD5: 32a207bc45a735fd1f81449bdf12f151
SHA1: 528b6dd3fc15175217eb6dcf5dd781c805622fd7
SHA256: 4971e88223bf1200feb70648e9185c20eb2f2a74f8b7ecc7a8ca70f7e2df1723
SHA512: 760a3b9bea801310b3f7e39b5d2c5c7596a792bb4fffa9ad9d24d3fface368fec8eceb64d440c228e2db636865449b38f13ed4d0fa250952b383705c39fd4720