Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
07/12/2023, 00:21
Behavioral task
behavioral1
Sample
20ec8d347f674ebadc53399ef6aa49cb.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
20ec8d347f674ebadc53399ef6aa49cb.exe
Resource
win10v2004-20231130-en
General
-
Target
20ec8d347f674ebadc53399ef6aa49cb.exe
-
Size
3.4MB
-
MD5
20ec8d347f674ebadc53399ef6aa49cb
-
SHA1
f418d228eb276f216b4986b55b2c762d11991a31
-
SHA256
9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
-
SHA512
e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
SSDEEP
49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ
Malware Config
Signatures
-
DcRat 32 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description ioc pid Process 904 schtasks.exe 2504 schtasks.exe 2900 schtasks.exe 544 schtasks.exe 2256 schtasks.exe 2884 schtasks.exe 1160 schtasks.exe 2360 schtasks.exe 2492 schtasks.exe 2056 schtasks.exe 796 schtasks.exe 2444 schtasks.exe 2896 schtasks.exe 2932 schtasks.exe 2500 schtasks.exe 2024 schtasks.exe 2756 schtasks.exe 1372 schtasks.exe 2468 schtasks.exe 1688 schtasks.exe 2704 schtasks.exe 1780 schtasks.exe 684 schtasks.exe 2872 schtasks.exe 2016 schtasks.exe 2260 schtasks.exe 1048 schtasks.exe 3052 schtasks.exe 1920 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240 20ec8d347f674ebadc53399ef6aa49cb.exe 1684 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", 
\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\", \"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = 
"explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe -
Process spawned unexpected child process 30 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2468 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3052 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1372 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2564 
schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 544 2564 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 2564 schtasks.exe 28 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe -
resource yara_rule behavioral1/memory/3024-0-0x00000000003A0000-0x000000000070A000-memory.dmp dcrat behavioral1/files/0x0007000000016d1a-46.dat dcrat behavioral1/files/0x0006000000016d57-64.dat dcrat behavioral1/files/0x0006000000016d57-65.dat dcrat behavioral1/memory/1512-66-0x0000000000EB0000-0x000000000121A000-memory.dmp dcrat behavioral1/files/0x0006000000016d57-79.dat dcrat behavioral1/memory/3012-81-0x000000001B230000-0x000000001B2B0000-memory.dmp dcrat behavioral1/files/0x0007000000018bab-85.dat dcrat behavioral1/files/0x0006000000016d57-93.dat dcrat behavioral1/files/0x0007000000018bab-98.dat dcrat behavioral1/files/0x0006000000016d57-106.dat dcrat behavioral1/memory/2856-107-0x00000000001B0000-0x000000000051A000-memory.dmp dcrat behavioral1/files/0x0007000000018bab-114.dat dcrat behavioral1/files/0x0006000000016d57-122.dat dcrat behavioral1/memory/680-123-0x0000000000B30000-0x0000000000E9A000-memory.dmp dcrat behavioral1/memory/680-125-0x0000000002710000-0x0000000002790000-memory.dmp dcrat behavioral1/files/0x0007000000018bab-129.dat dcrat behavioral1/files/0x0006000000016d57-137.dat dcrat behavioral1/memory/2860-138-0x0000000000C40000-0x0000000000FAA000-memory.dmp dcrat behavioral1/files/0x0007000000018bab-144.dat dcrat behavioral1/files/0x0006000000016d57-152.dat dcrat behavioral1/files/0x0007000000018bab-158.dat dcrat behavioral1/files/0x0006000000016d57-166.dat dcrat behavioral1/files/0x0007000000018bab-174.dat dcrat behavioral1/files/0x0006000000016d57-182.dat dcrat behavioral1/files/0x0007000000018bab-189.dat dcrat behavioral1/files/0x0006000000016d57-197.dat dcrat behavioral1/files/0x0007000000018bab-206.dat dcrat behavioral1/files/0x0006000000016d57-214.dat dcrat behavioral1/files/0x0007000000018bab-222.dat dcrat behavioral1/files/0x0006000000016d57-230.dat dcrat -
Executes dropped EXE 11 IoCs
pid Process 1512 audiodg.exe 3012 audiodg.exe 2600 audiodg.exe 2856 audiodg.exe 680 audiodg.exe 2860 audiodg.exe 1804 audiodg.exe 1628 audiodg.exe 980 audiodg.exe 2204 audiodg.exe 1468 audiodg.exe -
Adds Run key to start application 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\20ec8d347f674ebadc53399ef6aa49cb = "\"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Setup\\State\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Setup\\State\\audiodg.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20ec8d347f674ebadc53399ef6aa49cb = "\"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" 
20ec8d347f674ebadc53399ef6aa49cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" 20ec8d347f674ebadc53399ef6aa49cb.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiodg.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Program Files (x86)\Windows Sidebar\csrss.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe 20ec8d347f674ebadc53399ef6aa49cb.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\it-IT\System.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\it-IT\27d1bcfc3c54e0 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\Media\Quirky\efb053bab4605e 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\ServiceProfiles\LocalService\csrss.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\debug\WIA\f3b6ecef712a24 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\Setup\State\audiodg.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\Setup\State\42af1c969fbb7b 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\ServiceProfiles\LocalService\886983d96e3d3e 20ec8d347f674ebadc53399ef6aa49cb.exe File created C:\Windows\debug\WIA\spoolsv.exe 20ec8d347f674ebadc53399ef6aa49cb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with the connected storage and/or optical drive(s).
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware to establish persistence or to perform post-infection execution.
pid Process 1048 schtasks.exe 1920 schtasks.exe 2056 schtasks.exe 2256 schtasks.exe 904 schtasks.exe 2468 schtasks.exe 2900 schtasks.exe 1684 schtasks.exe 2360 schtasks.exe 2444 schtasks.exe 2504 schtasks.exe 2756 schtasks.exe 1372 schtasks.exe 1688 schtasks.exe 2260 schtasks.exe 2896 schtasks.exe 2016 schtasks.exe 1780 schtasks.exe 796 schtasks.exe 3052 schtasks.exe 2932 schtasks.exe 2872 schtasks.exe 2492 schtasks.exe 544 schtasks.exe 2024 schtasks.exe 2884 schtasks.exe 1160 schtasks.exe 2704 schtasks.exe 2500 schtasks.exe 684 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 1512 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe 3012 audiodg.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 3024 20ec8d347f674ebadc53399ef6aa49cb.exe Token: SeDebugPrivilege 1512 audiodg.exe Token: SeDebugPrivilege 3012 audiodg.exe Token: SeDebugPrivilege 2600 audiodg.exe Token: SeDebugPrivilege 2856 audiodg.exe Token: SeDebugPrivilege 680 audiodg.exe Token: SeDebugPrivilege 2860 audiodg.exe Token: SeDebugPrivilege 1804 audiodg.exe Token: SeDebugPrivilege 1628 audiodg.exe Token: SeDebugPrivilege 980 audiodg.exe Token: SeDebugPrivilege 2204 audiodg.exe Token: SeDebugPrivilege 1468 audiodg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 828 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 59 PID 3024 wrote to memory of 828 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 59 PID 3024 wrote to memory of 828 3024 20ec8d347f674ebadc53399ef6aa49cb.exe 59 PID 828 wrote to memory of 2400 828 cmd.exe 61 PID 828 wrote to memory of 2400 828 cmd.exe 61 PID 828 wrote to memory of 2400 828 cmd.exe 61 PID 828 wrote to memory of 1512 828 cmd.exe 62 PID 828 wrote to memory of 1512 828 cmd.exe 62 PID 828 wrote to memory of 1512 828 cmd.exe 62 PID 1512 wrote to memory of 3000 1512 audiodg.exe 63 PID 1512 wrote to memory of 3000 1512 audiodg.exe 63 PID 1512 wrote to memory of 3000 1512 audiodg.exe 63 PID 1512 wrote to memory of 2852 1512 audiodg.exe 64 PID 1512 wrote to memory of 2852 1512 audiodg.exe 64 PID 1512 wrote to memory of 2852 1512 audiodg.exe 64 PID 3000 wrote to memory of 3012 3000 WScript.exe 65 PID 3000 wrote to memory of 3012 3000 WScript.exe 65 PID 3000 wrote to memory of 3012 3000 WScript.exe 65 PID 3012 wrote to memory of 1616 3012 audiodg.exe 66 PID 3012 wrote to memory of 1616 3012 audiodg.exe 66 PID 3012 wrote to memory of 1616 3012 audiodg.exe 66 PID 3012 wrote to memory of 2616 3012 audiodg.exe 67 PID 3012 wrote to memory of 2616 3012 audiodg.exe 67 PID 3012 wrote to memory of 2616 3012 audiodg.exe 67 PID 1616 wrote to memory of 2600 1616 WScript.exe 68 PID 1616 wrote to memory of 2600 1616 WScript.exe 68 PID 1616 wrote to memory of 2600 1616 WScript.exe 68 PID 2600 wrote to memory of 2552 2600 audiodg.exe 69 PID 2600 wrote to memory of 2552 2600 audiodg.exe 69 PID 2600 wrote to memory of 2552 2600 audiodg.exe 69 PID 2600 wrote to memory of 1072 2600 audiodg.exe 70 PID 2600 wrote to memory of 1072 2600 audiodg.exe 70 PID 2600 wrote to memory of 1072 2600 audiodg.exe 70 PID 2552 wrote to memory of 2856 2552 WScript.exe 71 PID 2552 wrote to memory of 2856 2552 WScript.exe 71 PID 2552 wrote to memory of 2856 2552 WScript.exe 71 PID 2856 wrote to 
memory of 584 2856 audiodg.exe 74 PID 2856 wrote to memory of 584 2856 audiodg.exe 74 PID 2856 wrote to memory of 584 2856 audiodg.exe 74 PID 2856 wrote to memory of 904 2856 audiodg.exe 75 PID 2856 wrote to memory of 904 2856 audiodg.exe 75 PID 2856 wrote to memory of 904 2856 audiodg.exe 75 PID 584 wrote to memory of 680 584 WScript.exe 76 PID 584 wrote to memory of 680 584 WScript.exe 76 PID 584 wrote to memory of 680 584 WScript.exe 76 PID 680 wrote to memory of 848 680 audiodg.exe 77 PID 680 wrote to memory of 848 680 audiodg.exe 77 PID 680 wrote to memory of 848 680 audiodg.exe 77 PID 680 wrote to memory of 1536 680 audiodg.exe 78 PID 680 wrote to memory of 1536 680 audiodg.exe 78 PID 680 wrote to memory of 1536 680 audiodg.exe 78 PID 848 wrote to memory of 2860 848 WScript.exe 79 PID 848 wrote to memory of 2860 848 WScript.exe 79 PID 848 wrote to memory of 2860 848 WScript.exe 79 PID 2860 wrote to memory of 2456 2860 audiodg.exe 80 PID 2860 wrote to memory of 2456 2860 audiodg.exe 80 PID 2860 wrote to memory of 2456 2860 audiodg.exe 80 PID 2860 wrote to memory of 2712 2860 audiodg.exe 81 PID 2860 wrote to memory of 2712 2860 audiodg.exe 81 PID 2860 wrote to memory of 2712 2860 audiodg.exe 81 PID 2456 wrote to memory of 1804 2456 WScript.exe 82 PID 2456 wrote to memory of 1804 2456 WScript.exe 82 PID 2456 wrote to memory of 1804 2456 WScript.exe 82 PID 1804 wrote to memory of 2104 1804 audiodg.exe 83 -
System policy modification 1 TTPs 36 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the schtasks.exe commands listed under Processes register ONLOGON and MINUTE-interval tasks (mostly with /rl HIGHEST) that relaunch the dropped copies (lsm.exe, csrss.exe, dwm.exe, audiodg.exe, System.exe, spoolsv.exe and a renamed copy of the sample under C:\Windows\Media\Quirky) from system-looking paths; the task names and /tr target paths are the persistence indicators to check for on a suspected host.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe — "C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"  (depth 1)
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3024 -
C:\Windows\System32\cmd.exe — "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6duSsQqWjw.bat"  (depth 2)
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\system32\w32tm.exe — w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 3) PID:2400
-
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe — "C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe"  (depth 3)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1512 -
C:\Windows\System32\WScript.exe — "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41bd7273-2680-4f7c-aecc-d77a0b6c30fa.vbs"  (depth 4)
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3012 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bf951a-fd49-4fe8-88da-62ad79b45680.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2600 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46535dec-4736-494f-9c64-c2c0add82f7d.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3544b973-88a7-4a99-a6c8-98ea7fa12259.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:680 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0b2dcb-6e82-4d0b-89a2-a0951f2de7f2.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2860 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c334203c-f3a8-49b0-bd6b-7b0ca72b947b.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1df24147-8eae-44b8-aa4a-1aecdbb4a5f7.vbs"16⤵PID:2104
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1628 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ac1b40-0212-4318-805c-875e831b8cc4.vbs"18⤵PID:1160
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:980 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5c8f99-bc44-435b-b255-a4049cf272b4.vbs"20⤵PID:2836
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2204 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ec34ea-fbdb-4f6a-9803-c8ff588e6b37.vbs"22⤵PID:2560
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1468 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24901394-deda-4337-b718-0a3709822930.vbs"24⤵PID:1220
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exeC:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe25⤵PID:2252
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd11f68-b667-4f21-bfd4-1a23413e4931.vbs"24⤵PID:1756
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\debcb75f-be70-45c6-b46a-3b8d32ec91d9.vbs"22⤵PID:896
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3007ba6-efe9-4452-9159-8a9acbf15039.vbs"20⤵PID:2148
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33906f0c-8bb5-49e7-8a9a-88f53a877304.vbs"18⤵PID:2792
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ebc5b65-b5f7-49ae-82d6-92aea4f64404.vbs"16⤵PID:2024
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f9d0660-ddb6-4918-8caa-57331b96e6bb.vbs"14⤵PID:2712
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86c347e-9dad-4cd7-ac18-51ea8ce513f9.vbs"12⤵PID:1536
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45932db-425b-48ca-9063-ad2734cf808c.vbs"10⤵PID:904
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43a469b-893c-417d-8ab7-4f7bf027ec9b.vbs"8⤵PID:1072
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs"6⤵PID:2616
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7920eb4f-cf22-4b66-a82b-19ad5ed510fa.vbs"4⤵PID:2852
-
-
-
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\System.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544
-
C:\Windows\system32\schtasks.exe — schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
576KB
MD5fe352ec25397d2c4a7454b13533f2ceb
SHA121527a7d603408c01a68081ebc0890133d018625
SHA2561ff67df58a33ef26207e0f16a25a1a6658676fdd88e985d6b3b9ac0dbd2e0509
SHA5123be4c13cfb9177905e46efb41120e98f7280b1990c48ed3e1f7df90255b0b832fe9d85748671067191d3e07651c58da2b2dfac4989258017dd450554dbc0ceb9
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
736B
MD523b0246418d38465028152d1d431d122
SHA1aad6af8380f6d21424346453e10600384730bdac
SHA25634d9bc568374347246d6f16a137d073dea7eb840ba344b0408d5037268150750
SHA512ea4b88872291313a474d492393cfc7f9542038a835a0658316b6be8953c143807a9c391531b58b44f42d30a2e5bd79020847bd985906df59711804e8527f1bd5
-
Filesize
736B
MD5579cc0a8dba7ff07a44200fef2f7955a
SHA13cfe75d627dc3932909dbbc7f09a7a7b933c18ef
SHA256a9ba626a911a33318094e235f07c36c89d924ac40199a7c7f553096e07dfdf28
SHA512da654bba8c47b0bf3b8e824cf4a0dec3d07f6f6e7b6253481c41b1ae14b8b0cceaf677f576de5e4dfec58fc77f247e91dce6c6d18b1b20953aab967ced145a1c
-
Filesize
735B
MD5a3b878a5936f511d737e228a8c8009df
SHA1aa08a3ac58f115fe46c0543a408a30152519b636
SHA256723cb9dbe34cc317b613b9c8265b79c63842dedacaf9ed682637f47e74484c74
SHA51213e1e5478588828306433fed9cd0cb69794a54f9f60cad5b9d51807a3a1540fd6d1815ea8bd14f12e3ca2697a259402635721859b1f1a2e76572f4c48ea8cb58
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
736B
MD54b469cf4305015c315ee8da0c5d81232
SHA1c8e9faec266a6c0091c5a8948b34520364327500
SHA256564541da59ba974c295ed714d0227f6bbf59b66419b52ec67f4fafcec73a5850
SHA512cd331a7728be56ba0df4a6fd05959fc694826182f09482518876535e1913783dd7d37512b83c79428e24403f4826cfce358b912c841b180f519bdea4894ed2bb
-
Filesize
736B
MD5de929189f6aedc176bf467cbc2938ac5
SHA13a7f3b712f722d08219525eadd569970ab65b6b3
SHA256ce491f39cb5ab7b03292ded7e8e052062126f109e4225f8cc2318e7f3d7f77de
SHA5128d39eeb9174668b4d6dfed839ca734aaf8f4ba4b776f91af5844c094dea2385dbf804982b6feb4910325846d26867c7ec298f85fc6012ed165cede87f6a53b6b
-
Filesize
736B
MD54a54a34649442f0359c53752d864abfe
SHA1b1132f2582ffb617a14f2562dbd22a94f3445da1
SHA25651e777f816adcf889011c8c66c79d6e7f808e0ee5214f4cc2f1c25b40bbcb1be
SHA51227ae9b3e2b38135b89c715c3043b0e218189ebf9f3154f1565ffa81ceaf0c6c0a6b9daf088773c8fe4828be530478d592c49c2f15f2286db6b55fd9a2200c923
-
Filesize
736B
MD5cbbb8087351e21de19b5ca76567e6559
SHA103329d71f523208c935e2953a71fc3b33b74cce6
SHA256cafaab16c92c34a120eb2e156f7abc74e75711c417eb9d678cf6fb5480010fe5
SHA5121ca6d9574bc8df72eb11969d22a18f29839ea7c332307dc4ea963156b33b3bf723c790a1fb183d7819096172655008658962fafae161800b3fdd16ff12021714
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
736B
MD5e3cad206201de24d9cba776c97a35ebf
SHA1508fb21fea551a78d5f6b27c0bd5bbf3f27b4bf8
SHA2564ac76b5081e68b0677566e5991e8dba375c395b4ac42ea429366324361341b66
SHA512e119e2a58637b3982ded6aad04514fa11de2ce34375c7e4f719631d6e04f8524351939f45f26589c5d01d049674d4f02b0d88602bdaaacfb619c2b517524c646
-
Filesize
225B
MD5b8db43950d59d33b301ce5289334c524
SHA16d2e12ff0ca4b491042ed3c15139915739c9c1ff
SHA2568873190d01964c01f592b03bf952862ca639fff15c1b926e1e7a3d269e954b20
SHA5121bc800e05839d47432103f5faed9e028bc92035b12f6e296001f8bb4fe490fb674f4a93d24dd0bc199c3643082bb124605c03243b30f1cb2ee6c9c247b3a766b
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
735B
MD5fa94d1e3e259ee0f921f3a23d1eb42da
SHA112cbb1eb58bea6490a32d076a2df2e9c2ccfa405
SHA25699e3b77a0b3616c91fd83b3dd20eca775dd1b1516994d2307d2b1133713a3fc8
SHA512b45de7e3414398ac7f8d3b0854713ab3ad77563bf895f0848c19dabed448899932d895aa25779fb415ed92693096f2592d2e5a0916f4836bb326091da2f7acf2
-
Filesize
736B
MD5b333efd4eba715f6ab7e7de7abb08683
SHA10ba0d56132680b5b7bc47066cba159440f6a1d6a
SHA2565068da928326ba676c020ed59121d1bc7d398ede0b4439135f2002241f7ac54c
SHA512e4a33146e96e07414619e1e3a5148e48b121198631694fb403e17518b2f449c166a0b32d265cd2a0f45f81cfc39de96e648640b864125cdb55e1e3b95b9664cd
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
512B
MD5941528fb958adec2b55a4c03d35bdd04
SHA1d911920e590c86e68debfd48dc6805f635c44aa9
SHA2568830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA5125ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068
-
Filesize
736B
MD5b77e7e684a3d983929bafa8ccc16ef78
SHA134a08ada212b2bd57847cf80144c345a8badfd81
SHA2562745062dea6a2c57e4591ea516dc8e5914344296010707f891d665d36fc78108
SHA512ca5466cb094b058c918749de09069c37815ca67f0c6d116e1966f3806603e463a74db2b18b41c306182ae8a5cef14baa62f3a3c5fc3c98b2e369484a8694610e
-
Filesize
3.4MB
MD520ec8d347f674ebadc53399ef6aa49cb
SHA1f418d228eb276f216b4986b55b2c762d11991a31
SHA2569e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44