Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
25/03/2024, 02:11
Behavioral task
behavioral1
Sample
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource
win10v2004-20240226-en
General
-
Target
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
-
Size
3.2MB
-
MD5
1994f3ef2118aeecbb74e6c8976fd47b
-
SHA1
8f157fc5c2af51db24b66085f29d3c1240be36b2
-
SHA256
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
-
SHA512
48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
-
SSDEEP
49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource  yara_rule
behavioral2/memory/4840-0-0x00000000005F0000-0x0000000000920000-memory.dmp  dcrat
behavioral2/files/0x0007000000023252-44.dat  dcrat
behavioral2/files/0x000700000002326f-170.dat  dcrat
-
Detects executables packed with SmartAssembly 8 IoCs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4840 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:768
-
C:\Recovery\WindowsRE\explorer.exe
"C:\Recovery\WindowsRE\explorer.exe"
3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4384 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da10925-1a32-4095-9c8f-715259bffb39.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7749a4f1-df73-40f7-9b89-cccdb664941c.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3624 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75cd2b4b-47ee-49e7-b1ab-3b74c6c79d0e.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1008 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0645b1ab-1e89-46ef-bb22-22286c12f5f8.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3188 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dda8b6-2be4-489b-9cc6-59c47cd28b8d.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4012 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648769ee-16ba-4f95-a8c6-43d3e6afbcc2.vbs"
14⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3652 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37bbd2bc-ba1e-49b6-a70a-9ace85d126b7.vbs"
16⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57000d27-45c4-42cd-a82d-ee922975253e.vbs"
18⤵
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3152 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229df18c-f654-4c79-ba84-08376a8ce56b.vbs"
20⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3940 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2487cd07-39a2-4f35-9b3a-15141891ce55.vbs"
22⤵
PID:3168
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3954ee1a-cee5-4161-bff2-45a4cc9e533a.vbs"
22⤵
PID:2116
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5314319f-845c-4a3d-8cd8-4e6c9f28dd68.vbs"
20⤵
PID:3976
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb7b653-8b7c-4e1f-93f2-d846ebcf79f0.vbs"
18⤵
PID:3980
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad606097-b984-4806-aaa4-51f0c950294f.vbs"
16⤵
PID:3472
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\276ffccd-57ed-49c3-8f74-db64bb5ec581.vbs"
14⤵
PID:116
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef4c74b-8e9f-4c66-891e-431b7b93225c.vbs"
12⤵
PID:4292
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ab9556-fba8-44cf-8225-db84e6232aca.vbs"
10⤵
PID:2632
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819246bb-a0eb-47a9-9561-dc97e35ce37c.vbs"
8⤵
PID:2668
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aeadb36-66a9-4262-a0e4-ac8ab4079000.vbs"
6⤵
PID:4788
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\388adb51-ebd0-4eab-ba58-d822365ca0fc.vbs"
4⤵
PID:3868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads