Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
26/03/2024, 01:29
Behavioral task
behavioral1
Sample
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
Resource
win10v2004-20240226-en
General
-
Target
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
-
Size
3.2MB
-
MD5
1994f3ef2118aeecbb74e6c8976fd47b
-
SHA1
8f157fc5c2af51db24b66085f29d3c1240be36b2
-
SHA256
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
-
SHA512
48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
-
SSDEEP
49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2340-0-0x00000000000F0000-0x0000000000420000-memory.dmp | dcrat |
| behavioral1/files/0x0006000000015d93-43.dat | dcrat |
| behavioral1/memory/892-75-0x0000000000F80000-0x00000000012B0000-memory.dmp | dcrat |
| behavioral1/memory/892-77-0x000000001B150000-0x000000001B1D0000-memory.dmp | dcrat |
| behavioral1/memory/1468-159-0x00000000011F0000-0x0000000001520000-memory.dmp | dcrat |
| behavioral1/memory/3040-202-0x00000000001D0000-0x0000000000500000-memory.dmp | dcrat |
| behavioral1/memory/3040-204-0x000000001B200000-0x000000001B280000-memory.dmp | dcrat |

-
Executes dropped EXE 12 IoCs
| pid | Process |
| --- | --- |
| 892 | dllhost.exe |
| 1744 | dllhost.exe |
| 2920 | dllhost.exe |
| 1680 | dllhost.exe |
| 2516 | dllhost.exe |
| 1468 | dllhost.exe |
| 2028 | dllhost.exe |
| 2172 | dllhost.exe |
| 3040 | dllhost.exe |
| 2024 | dllhost.exe |
| 1028 | dllhost.exe |
| 1444 | dllhost.exe |

-
Drops file in Program Files directory 16 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Uninstall Information\spoolsv.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Internet Explorer\en-US\56085415360792 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Common Files\6203df4a6bafc7 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\MSBuild\csrss.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Windows NT\Accessories\5940a34987c991 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Google\Temp\dllhost.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Common Files\lsass.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Windows Mail\it-IT\csrss.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Windows Portable Devices\winlogon.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Windows Portable Devices\cc11b995f2a76d | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\Google\Temp\5940a34987c991 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files (x86)\MSBuild\886983d96e3d3e | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Program Files\Windows Mail\it-IT\886983d96e3d3e | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |

-
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\ShellNew\Idle.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Windows\ShellNew\6ccacd8608530f | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Windows\Performance\WinSAT\DataStore\winlogon.exe | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| File created | C:\Windows\Performance\WinSAT\DataStore\cc11b995f2a76d | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 13 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2340 | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| Token: SeDebugPrivilege | 892 | dllhost.exe |
| Token: SeDebugPrivilege | 1744 | dllhost.exe |
| Token: SeDebugPrivilege | 2920 | dllhost.exe |
| Token: SeDebugPrivilege | 1680 | dllhost.exe |
| Token: SeDebugPrivilege | 2516 | dllhost.exe |
| Token: SeDebugPrivilege | 1468 | dllhost.exe |
| Token: SeDebugPrivilege | 2028 | dllhost.exe |
| Token: SeDebugPrivilege | 2172 | dllhost.exe |
| Token: SeDebugPrivilege | 3040 | dllhost.exe |
| Token: SeDebugPrivilege | 2024 | dllhost.exe |
| Token: SeDebugPrivilege | 1028 | dllhost.exe |
| Token: SeDebugPrivilege | 1444 | dllhost.exe |

-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 39 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe |

-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe "C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe" 1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3599326a-1a0e-4ad7-810e-3bcd8da406a6.vbs" 3⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1744 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff4f7e3-b8ee-4441-b99d-5c374ca374c7.vbs" 5⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2920 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cf90a72-e69c-4d82-8cbe-4c6aa7d2eaae.vbs" 7⤵
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91050917-5450-4104-9851-fb0444b75dd3.vbs" 9⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1188a621-1c37-415f-9b96-46a5e1158491.vbs" 11⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2291065-7bfd-472a-bdb1-b4d09df2dc13.vbs" 13⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed21885-4349-48cd-bed1-31f6a117e8b4.vbs" 15⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2172 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40e772a-27fe-49f0-bfd7-0765d08d25a4.vbs" 17⤵
PID:1588
-
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3040 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bc2190-991d-4af2-9504-771f8f98330e.vbs" 19⤵
PID:2516
-
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2024 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\994c7646-6dab-4c30-82f5-c12318bb2061.vbs" 21⤵
PID:1448
-
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1028 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9f3e96-16f8-462e-9b78-c6fd8138ac96.vbs" 23⤵
PID:2340
-
C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe "C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe" 24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1444 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3bb2515-afd2-4046-9fc9-54a692cb84e3.vbs" 25⤵
PID:2260
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c838fc6-6233-41ed-841c-5efd4575ae42.vbs" 25⤵
PID:1956
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a6ed68-6735-40af-8d34-99402f6b840f.vbs" 23⤵
PID:876
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529bb12d-1139-4070-a213-6d9ad6b33bc0.vbs" 21⤵
PID:692
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f613f50-abd1-4cfe-81d0-faa66d0e2e28.vbs" 19⤵
PID:1612
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\261925f6-6af8-45c4-9189-d5062fafb6af.vbs" 17⤵
PID:2128
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c895f7-7ddd-4f72-88aa-26c99bc11852.vbs" 15⤵
PID:2980
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9532bd60-98be-479a-9cca-4ee604e71775.vbs" 13⤵
PID:1004
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13de8598-1970-4cdb-bf8b-a0cf07f172fb.vbs" 11⤵
PID:2456
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1bba51-4598-4346-867e-bc27b931b052.vbs" 9⤵
PID:376
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13235e3b-5853-440b-8e2d-fe7be00effc0.vbs" 7⤵
PID:1584
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1748ffc4-589c-40d8-8023-a1fc8fdf5eed.vbs" 5⤵
PID:1724
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8d12bde-4c92-40be-a1f3-f444f1bc42ce.vbs" 3⤵
PID:2812
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Downloads