Overview
overview
10Static
static
1084b12442aa...e4.exe
windows7-x64
1084b12442aa...e4.exe
windows10-2004-x64
1084c3944913...92.exe
windows7-x64
184c3944913...92.exe
windows10-2004-x64
184debf79f2...ff.exe
windows7-x64
184debf79f2...ff.exe
windows10-2004-x64
184f75ab85b...fd.exe
windows7-x64
1084f75ab85b...fd.exe
windows10-2004-x64
10855deb7775...d7.exe
windows7-x64
10855deb7775...d7.exe
windows10-2004-x64
1085744dd3f6...0b.exe
windows7-x64
785744dd3f6...0b.exe
windows10-2004-x64
785c94c7c76...5f.exe
windows7-x64
1085c94c7c76...5f.exe
windows10-2004-x64
1085d0793219...96.exe
windows7-x64
1085d0793219...96.exe
windows10-2004-x64
1085da941cd1...86.exe
windows7-x64
785da941cd1...86.exe
windows10-2004-x64
785edcd8fbc...42.exe
windows7-x64
1085edcd8fbc...42.exe
windows10-2004-x64
108601303574...8e.exe
windows7-x64
108601303574...8e.exe
windows10-2004-x64
1086513494c7...6d.exe
windows7-x64
1086513494c7...6d.exe
windows10-2004-x64
1086700eca73...12.exe
windows7-x64
1086700eca73...12.exe
windows10-2004-x64
10867e002192...1f.exe
windows7-x64
10867e002192...1f.exe
windows10-2004-x64
1086c8fa2e13...a0.exe
windows7-x64
1086c8fa2e13...a0.exe
windows10-2004-x64
1086ca2f06f1...26.exe
windows7-x64
1086ca2f06f1...26.exe
windows10-2004-x64
10Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2025, 06:13
Behavioral task
behavioral1
Sample
84b12442aac5bc73f568e7fa4d5d958ba9edc5bdc504d16f499a30ce549965e4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
84b12442aac5bc73f568e7fa4d5d958ba9edc5bdc504d16f499a30ce549965e4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
84c3944913d37db4d64ab41d8ceb266686cc28048d92b7aad2e15467adf75092.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
84c3944913d37db4d64ab41d8ceb266686cc28048d92b7aad2e15467adf75092.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
84debf79f2864b51cf49de435c5fc2ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
84debf79f2864b51cf49de435c5fc2ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
84f75ab85b7776371d89c84d47ac58fd.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
84f75ab85b7776371d89c84d47ac58fd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
855deb7775f714f1fc46d29fea8008d7.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
855deb7775f714f1fc46d29fea8008d7.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
85d0793219eb0fac73bf85eade28e6ed1d676ec16ff8c01eacf13994f3267896.exe
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
85d0793219eb0fac73bf85eade28e6ed1d676ec16ff8c01eacf13994f3267896.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
85da941cd1a122ad907ea9a637c620517ddd1e21857a01f6244dfa3ec0d3c286.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
85da941cd1a122ad907ea9a637c620517ddd1e21857a01f6244dfa3ec0d3c286.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
85edcd8fbc445760ff0796aa459e3c42.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
85edcd8fbc445760ff0796aa459e3c42.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
8601303574d298fe6d9a433d6fab9854ff5fb81d357d01f5065dccdb4407bb8e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
86513494c7861a5a0c9f1c0fb478e36d.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
86513494c7861a5a0c9f1c0fb478e36d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
867e002192bde08a346a10ca74cc4a611293f0e312a048bc63b7dfa0f87cfc1f.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
867e002192bde08a346a10ca74cc4a611293f0e312a048bc63b7dfa0f87cfc1f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
86c8fa2e136e29f51a3670f440b9f0a0.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
86c8fa2e136e29f51a3670f440b9f0a0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Resource
win10v2004-20250314-en
General
- Target: 86513494c7861a5a0c9f1c0fb478e36d.exe
- Size: 2.5MB
- MD5: 86513494c7861a5a0c9f1c0fb478e36d
- SHA1: 0e7ef50b5b4d51bda8789151b444505e4fdec51f
- SHA256: 80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
- SHA512: e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
- SSDEEP: 49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 5 IoCs
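This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is wmiprvse.exe (the WMI provider host) and every child is schtasks.exe, which is more consistent with the sample creating those processes through WMI than with an exploited parent, so read the generic description with that caveat.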
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3404 | 4724 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 852 | 4724 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 4724 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5040 | 4724 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1296 | 4724 | schtasks.exe | 89
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
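Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. The six commands recorded in this run (see Processes) all use Add-MpPreference -ExclusionPath: one for the sample itself and one for each of the five executables it registers under Run keys. Defender records exclusion changes as configuration-change events (event ID 5007 in the Windows Defender operational log), which makes unexpected exclusions a practical detection point.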
pid Process 540 powershell.exe 4552 powershell.exe 3272 powershell.exe 4908 powershell.exe 1668 powershell.exe 2644 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation 86513494c7861a5a0c9f1c0fb478e36d.exe Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe Key value queried 
\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation smss.exe -
Executes dropped EXE 15 IoCs
pid Process 4440 smss.exe 844 smss.exe 4048 smss.exe 4116 smss.exe 208 smss.exe 1672 smss.exe 5108 smss.exe 1908 smss.exe 3300 smss.exe 2728 smss.exe 4404 smss.exe 3456 smss.exe 5044 smss.exe 3304 smss.exe 3332 smss.exe -
Adds Run key to start application 2 TTPs 5 IoCs
The value names imitate Windows system binaries, but the targets sit in non-standard directories (smss.exe, wininit.exe, fontdrvhost.exe and BackgroundTransferHost.exe normally live directly in C:\Windows\System32). Four of the five targets are listed as created by the sample in the "Drops file" sections.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\"" | 86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Windows\\System32\\find\\BackgroundTransferHost.exe\"" | 86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\smss.exe\"" | 86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\dfe2e59cddd00040f555dab607351a1d\\wininit.exe\"" | 86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\jscript9\\fontdrvhost.exe\"" | 86513494c7861a5a0c9f1c0fb478e36d.exe
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\System32\find\BackgroundTransferHost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\find\BackgroundTransferHost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File created C:\Windows\System32\find\766532ba8a13d2 86513494c7861a5a0c9f1c0fb478e36d.exe File created C:\Windows\System32\jscript9\fontdrvhost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\find\RCX5650.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\find\RCX5651.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\jscript9\fontdrvhost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File created C:\Windows\System32\jscript9\5b884080fd4f94 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\jscript9\RCX5D0C.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\System32\jscript9\RCX5D1D.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\69ddcba757bf72 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCX5874.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCX5875.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe 86513494c7861a5a0c9f1c0fb478e36d.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\22eafd247d37c3 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\RCX5F9F.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\RCX5FA0.tmp 86513494c7861a5a0c9f1c0fb478e36d.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe 86513494c7861a5a0c9f1c0fb478e36d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings 86513494c7861a5a0c9f1c0fb478e36d.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings smss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1296 schtasks.exe 3404 schtasks.exe 852 schtasks.exe 1692 schtasks.exe 5040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 2644 powershell.exe 2644 powershell.exe 540 powershell.exe 540 powershell.exe 1668 powershell.exe 1668 powershell.exe 4552 powershell.exe 4552 powershell.exe 3272 powershell.exe 3272 powershell.exe 540 powershell.exe 1668 powershell.exe 4908 powershell.exe 4908 powershell.exe 4552 powershell.exe 2644 powershell.exe 4908 powershell.exe 3272 powershell.exe 4440 smss.exe 4440 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe 844 smss.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 2300 86513494c7861a5a0c9f1c0fb478e36d.exe Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 540 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 1668 powershell.exe Token: SeDebugPrivilege 3272 powershell.exe Token: SeDebugPrivilege 4908 powershell.exe Token: SeDebugPrivilege 4440 smss.exe Token: SeDebugPrivilege 844 smss.exe Token: SeDebugPrivilege 4048 smss.exe Token: SeDebugPrivilege 4116 smss.exe Token: SeDebugPrivilege 208 smss.exe Token: SeDebugPrivilege 1672 smss.exe Token: SeDebugPrivilege 5108 smss.exe Token: SeDebugPrivilege 1908 smss.exe Token: SeDebugPrivilege 3300 smss.exe Token: SeDebugPrivilege 2728 smss.exe Token: SeDebugPrivilege 4404 smss.exe Token: SeDebugPrivilege 3456 smss.exe Token: SeDebugPrivilege 5044 smss.exe Token: SeDebugPrivilege 3304 smss.exe Token: SeDebugPrivilege 3332 smss.exe -
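Suspicious use of WriteProcessMemory 64 IoCs
The rows below pair each writer with a process it launched (for example 2300 → 4908, 4824 → 4440, 4440 → 2844), and the pairs that can be checked match parent → child links in the Processes tree. These writes therefore appear to reflect process creation along the spawn chain and are not, on their own, evidence of injection into an unrelated process.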
description pid Process procid_target PID 2300 wrote to memory of 4908 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 99 PID 2300 wrote to memory of 4908 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 99 PID 2300 wrote to memory of 3272 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 100 PID 2300 wrote to memory of 3272 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 100 PID 2300 wrote to memory of 4552 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 125 PID 2300 wrote to memory of 4552 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 125 PID 2300 wrote to memory of 540 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 102 PID 2300 wrote to memory of 540 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 102 PID 2300 wrote to memory of 2644 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 103 PID 2300 wrote to memory of 2644 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 103 PID 2300 wrote to memory of 1668 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 104 PID 2300 wrote to memory of 1668 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 104 PID 2300 wrote to memory of 4824 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 110 PID 2300 wrote to memory of 4824 2300 86513494c7861a5a0c9f1c0fb478e36d.exe 110 PID 4824 wrote to memory of 4904 4824 cmd.exe 113 PID 4824 wrote to memory of 4904 4824 cmd.exe 113 PID 4824 wrote to memory of 4440 4824 cmd.exe 116 PID 4824 wrote to memory of 4440 4824 cmd.exe 116 PID 4440 wrote to memory of 2844 4440 smss.exe 117 PID 4440 wrote to memory of 2844 4440 smss.exe 117 PID 4440 wrote to memory of 2268 4440 smss.exe 118 PID 4440 wrote to memory of 2268 4440 smss.exe 118 PID 2844 wrote to memory of 844 2844 WScript.exe 120 PID 2844 wrote to memory of 844 2844 WScript.exe 120 PID 844 wrote to memory of 4404 844 smss.exe 121 PID 844 wrote to memory of 4404 844 smss.exe 121 PID 844 wrote to memory of 3264 844 smss.exe 122 PID 844 wrote to memory of 3264 844 smss.exe 122 PID 4404 wrote to memory of 4048 4404 WScript.exe 123 PID 4404 wrote to memory of 4048 4404 WScript.exe 123 PID 4048 wrote to memory of 2716 4048 
smss.exe 124 PID 4048 wrote to memory of 2716 4048 smss.exe 124 PID 4048 wrote to memory of 4552 4048 smss.exe 125 PID 4048 wrote to memory of 4552 4048 smss.exe 125 PID 2716 wrote to memory of 4116 2716 WScript.exe 132 PID 2716 wrote to memory of 4116 2716 WScript.exe 132 PID 4116 wrote to memory of 532 4116 smss.exe 135 PID 4116 wrote to memory of 532 4116 smss.exe 135 PID 4116 wrote to memory of 3068 4116 smss.exe 136 PID 4116 wrote to memory of 3068 4116 smss.exe 136 PID 532 wrote to memory of 208 532 WScript.exe 140 PID 532 wrote to memory of 208 532 WScript.exe 140 PID 208 wrote to memory of 2300 208 smss.exe 141 PID 208 wrote to memory of 2300 208 smss.exe 141 PID 208 wrote to memory of 3056 208 smss.exe 142 PID 208 wrote to memory of 3056 208 smss.exe 142 PID 2300 wrote to memory of 1672 2300 WScript.exe 143 PID 2300 wrote to memory of 1672 2300 WScript.exe 143 PID 1672 wrote to memory of 3380 1672 smss.exe 144 PID 1672 wrote to memory of 3380 1672 smss.exe 144 PID 1672 wrote to memory of 408 1672 smss.exe 145 PID 1672 wrote to memory of 408 1672 smss.exe 145 PID 3380 wrote to memory of 5108 3380 WScript.exe 146 PID 3380 wrote to memory of 5108 3380 WScript.exe 146 PID 5108 wrote to memory of 4988 5108 smss.exe 147 PID 5108 wrote to memory of 4988 5108 smss.exe 147 PID 5108 wrote to memory of 4480 5108 smss.exe 148 PID 5108 wrote to memory of 4480 5108 smss.exe 148 PID 4988 wrote to memory of 1908 4988 WScript.exe 150 PID 4988 wrote to memory of 1908 4988 WScript.exe 150 PID 1908 wrote to memory of 3232 1908 smss.exe 151 PID 1908 wrote to memory of 3232 1908 smss.exe 151 PID 1908 wrote to memory of 852 1908 smss.exe 152 PID 1908 wrote to memory of 852 1908 smss.exe 152 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
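Processes
Each entry gives the image path immediately followed by the quoted command line, then the tree depth (N⤵) and the PID. PIDs are reused during the run (for example, 2300 is the initial sample and later a WScript.exe instance; 4552 is first powershell.exe and later WScript.exe), so correlate on PID together with image name rather than PID alone.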
-
C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\find\BackgroundTransferHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\jscript9\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mFL6E8qZp6.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 3⤵PID:4904
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b079c04-495c-4fe2-89c9-0b4f5793c231.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7da15118-0976-4e0a-a9f1-b965e34d52c0.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5274ed18-70d5-4308-a1d8-e3647fe3a1cb.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\050b4428-5ebe-4008-9300-ddf37e21ee63.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d88a2028-a8cd-4a54-8053-2502ddef464f.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0ae911-fed0-4eaa-8b65-261a0238411a.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fccf1bd-62b2-4d22-bc98-342461ae6c07.vbs"16⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c85b7a6-a976-433c-a16b-7197a39f1178.vbs"18⤵PID:3232
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3300 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb725a7-79c3-4cc7-961b-6e31bf2fad86.vbs"20⤵PID:3316
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63154a15-f709-4595-911a-fd039d2378c6.vbs"22⤵PID:4904
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4404 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35b94402-8719-4b05-973e-7f164024596d.vbs"24⤵PID:3600
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e926df7-3fb8-4c55-ac7b-3e42001e64ae.vbs"26⤵PID:2752
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3361069a-fdc9-4472-b8f5-c34bf11a0a4a.vbs"28⤵PID:3280
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3304 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a36dce7-dcf7-48bf-a9f6-905165cd478a.vbs"30⤵PID:4976
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3332 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daeb5052-745b-450e-b314-781d798150f5.vbs"32⤵PID:4904
-
C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe"33⤵PID:2300
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2123606a-d3a9-4caa-a2e8-f52de713c68c.vbs"34⤵PID:4948
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85832a49-76e8-4696-967c-78deed286755.vbs"34⤵PID:1420
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89817f68-b912-4a93-ac21-5ee65f8f8f97.vbs"32⤵PID:4404
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137d256d-a172-4b94-93ce-53b8cbfe3d26.vbs"30⤵PID:3888
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c3d366-512d-442a-bc30-bdbd51dd3df2.vbs"28⤵PID:2148
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f23059-b9a2-414e-92a9-30ca54c0fc78.vbs"26⤵PID:1372
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb0dcd2-41c4-4f08-ae34-059dfcb893c6.vbs"24⤵PID:2124
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b598749-c560-4bfe-9a87-6e91aab51894.vbs"22⤵PID:3392
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\382e081c-c7f8-436b-8715-a55aa96b4a88.vbs"20⤵PID:396
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2330eb04-9995-4531-b7ab-d214ec303eee.vbs"18⤵PID:852
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\069d5e4a-3e3d-4184-b9bc-3d59fe78a4e3.vbs"16⤵PID:4480
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f969f2-50af-4d42-9df2-4c440aa79148.vbs"14⤵PID:408
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf9da48-80b8-48e7-87bc-b92f7bb82f3a.vbs"12⤵PID:3056
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2119cd77-2327-4f8c-9e99-8f3caa6e64f0.vbs"10⤵PID:3068
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab201df-4dc6-43fb-9713-aff038ee7190.vbs"8⤵PID:4552
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb51fc8-9a61-44f6-a329-c3cbff5187b4.vbs"6⤵PID:3264
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17530c8-f96b-41e3-8620-9974a796ac59.vbs"4⤵PID:2268
-
-
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Windows\System32\find\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\jscript9\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
[Note: all five tasks are created with /sc ONLOGON (run at logon), /rl HIGHEST (highest run level) and /f (replace an existing task of the same name without prompting). Each task is named after a Windows system process, while the /tr target sits outside that process's usual directory in at least four of the five cases (a System32 subfolder, a Program Files subfolder, a hex-named folder at the drive root). Comparing the /tr path of newly created logon tasks with the expected location of the binary they are named after would flag these entries.]
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Replay Monitor
Downloads
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD59699cf9bb24ebbc9b1035710e92b7bd2
SHA173f0f26db57ea306970a76f42c647bbce02a3f23
SHA256fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
SHA5123a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb
-
Filesize
944B
MD5842369b08704bbddf9de4d90016e58dd
SHA18bc3da656c08abbc14c58201e65b0dc823964bea
SHA256cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808
SHA5128f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42
-
Filesize
944B
MD5dc1d0291bbd8e80c9703fb1f4b4d14dc
SHA1084009b8f1e67e03c9b7333293fbc00d3617948e
SHA2564a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a
SHA51275672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311
-
Filesize
944B
MD5ffaa33c7940b1713a06a430414e2fed0
SHA1b1ade7d02b641ac9c382fad82cb1d31362fafb91
SHA256a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e
SHA51261913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d
-
Filesize
944B
MD5ada23d35e4a3f1bc35ac8d393cd02675
SHA188dd6ddecec82aeafba2b6368078c7c70b88fcac
SHA25698d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72
SHA5120acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6
-
Filesize
736B
MD5f06f56731073316ecc7ccd04b9588213
SHA1d4218b05ed7131a215fd59522a4fcd69dc2fe201
SHA256a4fa4915f261ef4c56867bb10322e0eb8767b0860a5272b873ff90016220f458
SHA512ec7e217073f8475ab7e114f27168e2d202366987b2afef77979186453519a426f11ca75ce38521aec511b209ee0d0a42e3228424d4d4db6c3adc6cb30074b256
-
Filesize
736B
MD5a017c74aaed5103f69d494b135e0d8c2
SHA1f39a5ee4d83d306aabfdf3a33fe282751cbc1065
SHA2561ed7e4cf85ecfbb194e0aa1dfc73a78a5cbbf4df09dbc8f82230afb85e83c15c
SHA5125fea17e5929bf157a3660b805556e844dd19306f3d737f37fdcc28949c75a96b35b5584ec96bf28cf3ea213a6fd8a5e3540c2a78887140e4d83d67c1ce759be1
-
Filesize
736B
MD58a919a3fb0657f24e8e4b471ddfded41
SHA12340e8388e9f7b3da06a1ac7b0ae633bd9f67580
SHA2565a9cca5a05acfdcb6c911551071ca71d88db19643a145d70b17a7fc18ae42a06
SHA512786a769e93a9b3195b78971ca192130d2f11029a5fb8e5257f4e4577d37fc58b2abe8a7e52cdd86f75c428644cb12453d66794dfe67381b683f1fe4f71afe46c
-
Filesize
736B
MD514d87f2cbed8b9cc2d90a772a4809e62
SHA13ddb9a5004309b93dae001b9065834d5724ba369
SHA256a3921bb8b34ebed286dce76ebad523e59b0e9b31791d0ce07a34a98137b9450b
SHA512544f27061490e1b28befa4d03ec62d5e8112a6bd0f6860d7fc785792127d5f85d94bc6fb933d40b882f03c65c06361f04653b7ac83180a43502fb36ba7037e58
-
Filesize
736B
MD5e8c8403edf0739770c2d508c6cc239d7
SHA197a94cae9ea81d24ae3b0dfca25663f9d7c1a022
SHA256e3bcfe1cbc299166eb46f097f3007b89204227990b246b0f76c9ef56f2730fd5
SHA5127c30900b5da0a67f2e9d2ffd39b28ba39f3acd8a641cc61dcfbb584e2bc21284d148b4d88db0d66c0027e2ec23377f8e1e29e84e321ef0a15caeb4160f1ab901
-
Filesize
736B
MD5f3e45a68be423b21b984c9bf573472ec
SHA197a37fa9c5c7a6489df164f9e9c1441957e5c560
SHA2569a3d6e0837750736b15f385fb70ebb488d124351bbdea8072726d3cc163c87b3
SHA512c0da85be1e0db312982684f0fe0808fec14c06b9537403a0f3b67af731775bc4813b71f2558b54021750770b8cbdd07e42ff923d4722cc3b8c4ad4cd8c6b91d5
-
Filesize
736B
MD525a71243b4e954c1d5114b476fe0440d
SHA1294c1f33d78c42cf68697eb4ef2ba8a72faa5ba0
SHA2566cae87277f671a7f56abc95e463238f7495c4bafe79a25a827391055786a6e36
SHA512c0ab211a12808c99e6e5cfe74e7b4e3d03003cf40acf9cc0f6be1cc1d96ec28f419c42c020bc8c8fe41bf6ff35218ae686b3fd60e6fedf084b099c4fa7eb75d8
-
Filesize
736B
MD5b5dea2c2dbfac503c01427bf2be71b0f
SHA1c6f15dbf1254d7a1628229c7bb5b73183d5d47fe
SHA2563c119f50c1c781591b9f292db857f37742144b43bba51fde8958cc5d5e2991ac
SHA512a110389da241973d7e5561c9571f2fc82da5a6a6152df15594212e8a8a30308fee4a96be87ed62ad9d4b73c29f1a919c21289bd83c0b652ca847b4520e6bf799
-
Filesize
736B
MD5308b20a7912151808054a5191011768e
SHA192d52972e9b08b31d01bd4780f8fc0a64a9fff36
SHA25674840a166dba0e08d38f6afc33bfd74947730b47c81019c459f5e6994bd5ca4d
SHA512aa246dd7996ac6a1c8c4467f8316a6c6de72088ee40a12a259f00c88c6c2f464844ec36da7c079ad5761973cfca24e295a04659cd75251e5a4e56ae4ddf3006f
-
Filesize
735B
MD5d886ecbacd7f48f03a5c83f00c328b26
SHA1250c620f05a1ccd275f17922994556bcbd674976
SHA2567fec8a0ed666bddb79f8ccb5a005bbaee0e4d5f768b61dd75a4f8859fb4c04fb
SHA51280476137e87f87d007a6ed5f46a6a236a49f98c04e652c2bcae20671651526222a94113ba335183494f8d86c28c213bf3f27eefa209eaffb4f050388191f2245
-
Filesize
736B
MD53cfba908f7deebe028447c6ded6f47d0
SHA1edf4ef8a03e5b020bc0a97ee2f4817951e59bd6e
SHA256e8ccc33ccbd79dc7eb35b3ea44ec6f3065c2e4ec9d749e4dcdb59de031c11cf8
SHA51251b21a2b49b4f384941710d2fbcdfa3c8cb15d1f1ced58469fe29a8b6263c88bb89b7265327cc2f1960958f7e878a1c5159fd33dc77a8cdcf40609ed2bc859ca
-
Filesize
736B
MD542489eba2ca1dac99f1154f2ae7de265
SHA18ab19186f062bac870318a732e967b8b0b176a81
SHA2569aeb72699784ae522aaab50d33dd97fb5de167709a1f55a3d9a67a469bb4a141
SHA5121be29b4a6d7decd8df1b835df43405028a5e69226ad0f6451bb72359733d31e6bcebbd0e09b960fbdc452ca36e2d6840c9d25049b35d8348bb4e7bbaa2c300e5
-
Filesize
736B
MD56403e133afe39914ae06ce0ef3d9aeab
SHA1c191eb1e43edae4820d3336413c74306407e7146
SHA256da6f44df0354602eaa0987b49456cfa5ab71b0bdd667aa71b28b7b699923c8aa
SHA512bdf7979c8620c551286910376a4893cd764795fb689d4d7aa1f415fe24b31326a090651cebdbc30f2ab899ddca9e1ee6890eb5d708badb374da97391a094fb69
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
735B
MD5d9744e0c3769071d667d9f8e89bd2b1a
SHA1dbe3e95cab238847f52f01131f6fc39bdafb124a
SHA25694ba1a5e7d8d24c4af91942f62123c883224dd46030657b0d48c2acb86e111fe
SHA5125ac1181296cc5acf89a57cbaad9f126d2b98b148b4f766c2c320d42f9b790117422f726d6dd1c92a893dd05982d42e54b34202adf49ef7bafde8d28b0a2b51d1
-
Filesize
512B
MD52439ce820018d347626820aa745fc2e3
SHA127b607fadb3c1ddd6978c0edfd2bc6986925e2c3
SHA2567edcfdf752d9a3a728cdb8bac2acc1e81e7b7dcac68c225dbc1ca70fb03dcf3d
SHA5127a51abcacb00740e1eef50f00accaca1bdacf26c31c0452dedf7ecc43bfda45c82945b5f3bd08f19ea82e1eab5261baa2ac19468ab8a267a5624ffb64eb6711b
-
Filesize
224B
MD57b2bbe5dea5efeec98583261a7af3ee1
SHA1064e36db719739aa588b545a23d6eb3f2df0da4e
SHA256aafd29d9138b2aeb26de83ab4c6fec582ec73cd47af6c6cc81e0124bd6274d7b
SHA512ef0cec5c507a6d7c103d8f50ba22867f0987c47c17af8dbaf394159c811d69c588ac34558b30718fe797b5169802837db04edb675a278d5dba534cc1e790a28b
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe
Filesize: 2.5MB
MD5: 86513494c7861a5a0c9f1c0fb478e36d
SHA1: 0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256: 80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512: e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff