Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2025, 20:31
Static task
static1
Behavioral task
behavioral1
Sample
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Resource
win10v2004-20241007-en
General
-
Target
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
-
Size
1.5MB
-
MD5
6e727ca86bf17b8eb1d83e3e7a3bb202
-
SHA1
956d2b768d3842b3e579a45c4b53c9d7ea805833
-
SHA256
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6
-
SHA512
6176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2
-
SSDEEP
24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\", \"C:\\PerfLogs\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\", \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 1708 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 1708 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 1708 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 1708 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 1708 schtasks.exe 83 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 1708 schtasks.exe 83 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2400 powershell.exe 4704 powershell.exe 3000 powershell.exe 4088 powershell.exe 4464 powershell.exe 4572 powershell.exe 3684 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation dllhost.exe -
Executes dropped EXE 15 IoCs
pid Process 3248 dllhost.exe 3216 dllhost.exe 4644 dllhost.exe 1736 dllhost.exe 4564 dllhost.exe 908 dllhost.exe 3472 dllhost.exe 3016 dllhost.exe 2132 dllhost.exe 4204 dllhost.exe 3188 dllhost.exe 5100 dllhost.exe 4856 dllhost.exe 4928 dllhost.exe 3816 dllhost.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fwcfg\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mblctr\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fwcfg\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mblctr\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\System32\fwcfg\dwm.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\System32\Windows.Devices.Midi\6cb0b6c459d5d3 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\System32\mblctr\5940a34987c991 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\fwcfg\RCXA1BF.tmp 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\mblctr\RCXA84A.tmp 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\mblctr\dllhost.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\fwcfg\dwm.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\System32\fwcfg\6cb0b6c459d5d3 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\System32\Windows.Devices.Midi\dwm.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\System32\mblctr\dllhost.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\Windows.Devices.Midi\RCXA5C8.tmp 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\System32\Windows.Devices.Midi\dwm.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Program Files\Microsoft Office 15\ClientX64\e6c9b481da804f 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCXACD0.tmp 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\RCXA3C4.tmp 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings dllhost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1048 schtasks.exe 968 schtasks.exe 5108 schtasks.exe 5036 schtasks.exe 2112 schtasks.exe 2020 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 3000 powershell.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 4704 powershell.exe 3684 powershell.exe 4572 powershell.exe 4464 powershell.exe 4088 powershell.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 2400 powershell.exe 3684 powershell.exe 4572 powershell.exe 3000 powershell.exe 4704 powershell.exe 4088 powershell.exe 4464 powershell.exe 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 2400 powershell.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe 3248 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 3684 powershell.exe Token: SeDebugPrivilege 4572 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeDebugPrivilege 4088 powershell.exe Token: SeDebugPrivilege 2400 powershell.exe Token: SeDebugPrivilege 3248 dllhost.exe Token: SeDebugPrivilege 3216 dllhost.exe Token: SeDebugPrivilege 4644 dllhost.exe Token: SeDebugPrivilege 1736 dllhost.exe Token: SeDebugPrivilege 4564 dllhost.exe Token: SeDebugPrivilege 908 dllhost.exe Token: SeDebugPrivilege 3472 dllhost.exe Token: SeDebugPrivilege 3016 dllhost.exe Token: SeDebugPrivilege 2132 dllhost.exe Token: SeDebugPrivilege 4204 dllhost.exe Token: SeDebugPrivilege 3188 dllhost.exe Token: SeDebugPrivilege 5100 dllhost.exe Token: SeDebugPrivilege 4856 dllhost.exe Token: SeDebugPrivilege 4928 dllhost.exe Token: SeDebugPrivilege 3816 dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3968 wrote to memory of 2400 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 91 PID 3968 wrote to memory of 2400 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 91 PID 3968 wrote to memory of 4704 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 92 PID 3968 wrote to memory of 4704 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 92 PID 3968 wrote to memory of 3000 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 93 PID 3968 wrote to memory of 3000 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 93 PID 3968 wrote to memory of 4088 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 94 PID 3968 wrote to memory of 4088 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 94 PID 3968 wrote to memory of 4464 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 95 PID 3968 wrote to memory of 4464 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 95 PID 3968 wrote to memory of 4572 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 96 PID 3968 wrote to memory of 4572 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 96 PID 3968 wrote to memory of 3684 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 97 PID 3968 wrote to memory of 3684 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 97 PID 3968 wrote to memory of 3248 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 105 PID 3968 wrote to memory of 3248 3968 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe 105 PID 3248 wrote to memory of 968 3248 dllhost.exe 106 PID 3248 wrote to memory of 968 3248 dllhost.exe 106 PID 3248 wrote to memory of 3424 3248 dllhost.exe 107 PID 3248 wrote to memory of 3424 3248 dllhost.exe 107 PID 968 wrote to memory of 3216 968 WScript.exe 108 PID 968 wrote to memory of 3216 968 WScript.exe 108 PID 3216 wrote to memory of 1196 3216 dllhost.exe 109 PID 3216 wrote to memory of 1196 3216 dllhost.exe 109 PID 3216 wrote to memory of 2768 3216 dllhost.exe 110 PID 3216 wrote to memory of 2768 3216 dllhost.exe 110 PID 1196 wrote to memory of 4644 1196 WScript.exe 122 PID 1196 wrote to memory of 4644 1196 WScript.exe 122 PID 4644 wrote to memory of 4400 4644 dllhost.exe 124 PID 4644 wrote to memory of 4400 4644 dllhost.exe 124 PID 4644 wrote to memory of 1948 4644 dllhost.exe 125 PID 4644 wrote to memory of 1948 4644 dllhost.exe 125 PID 4400 wrote to memory of 1736 4400 WScript.exe 128 PID 4400 wrote to memory of 1736 4400 WScript.exe 128 PID 1736 wrote to memory of 3480 1736 dllhost.exe 129 PID 1736 wrote to memory of 3480 1736 dllhost.exe 129 PID 1736 wrote to memory of 2020 1736 dllhost.exe 130 PID 1736 wrote to memory of 2020 1736 dllhost.exe 130 PID 3480 wrote to memory of 4564 3480 WScript.exe 131 PID 3480 wrote to memory of 4564 3480 WScript.exe 131 PID 4564 wrote to memory of 4288 4564 dllhost.exe 132 PID 4564 wrote to memory of 4288 4564 dllhost.exe 132 PID 4564 wrote to memory of 3952 4564 dllhost.exe 133 PID 4564 wrote to memory of 3952 4564 dllhost.exe 133 PID 4288 wrote to memory of 908 4288 WScript.exe 134 PID 4288 wrote to memory of 908 4288 WScript.exe 134 PID 908 wrote to memory of 1676 908 dllhost.exe 135 PID 908 wrote to memory of 1676 908 dllhost.exe 135 PID 908 wrote to memory of 3608 908 dllhost.exe 136 PID 908 wrote to memory of 3608 908 dllhost.exe 136 PID 1676 wrote to memory of 3472 1676 WScript.exe 138 PID 1676 wrote to memory of 3472 1676 WScript.exe 138 PID 3472 wrote to memory of 3420 3472 dllhost.exe 139 PID 3472 wrote to memory of 3420 3472 dllhost.exe 139 PID 3472 wrote to memory of 4596 3472 dllhost.exe 140 PID 3472 wrote to memory of 4596 3472 dllhost.exe 140 PID 3420 wrote to memory of 3016 3420 WScript.exe 141 PID 3420 wrote to memory of 3016 3420 WScript.exe 141 PID 3016 wrote to memory of 1256 3016 dllhost.exe 142 PID 3016 wrote to memory of 1256 3016 dllhost.exe 142 PID 3016 wrote to memory of 1640 3016 dllhost.exe 143 PID 3016 wrote to memory of 1640 3016 dllhost.exe 143 PID 1256 wrote to memory of 2132 1256 WScript.exe 144 PID 1256 wrote to memory of 2132 1256 WScript.exe 144 -
System policy modification 1 TTPs 48 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe"C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3968 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fwcfg\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Devices.Midi\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mblctr\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684
-
-
C:\PerfLogs\dllhost.exe"C:\PerfLogs\dllhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3248 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f92c6e0-6d53-4ed0-88b7-eac4b29d5c65.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:968 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3216 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\885ce6ed-5f92-42ac-bc44-02c9dbab7594.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4644 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eef9aa16-204b-4814-a834-0dde5667a416.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af6ab6a8-528d-441c-bddf-ad08a68b1f71.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3bcfa1-ee11-4a97-8f24-7382e1b5b5b7.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:908 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b9527a-a886-4b75-ac8d-839a29033ec3.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3472 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ce2f9c-b869-4446-94a0-6c3695f6a237.vbs"15⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9319944-488b-457a-97b8-e1b338282ce5.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2132 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\668159ff-0bd6-4d5d-a04c-29acf9d325a5.vbs"19⤵PID:4584
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4204 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f459856-bf5e-4492-a3e9-890345def5cb.vbs"21⤵PID:4440
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3188 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\425fdd4d-6024-4c6a-b5ce-558e98778029.vbs"23⤵PID:3892
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5100 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cdd5bbf-6d07-4af7-ae16-c5a0cda7b4bf.vbs"25⤵PID:3460
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4856 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b94b227-9ce5-4d54-b022-1f578311f186.vbs"27⤵PID:3476
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4928 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a0553c-310e-45e2-8cd7-ed3761820b00.vbs"29⤵PID:1616
-
C:\PerfLogs\dllhost.exeC:\PerfLogs\dllhost.exe30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3816 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d69cfc9-c890-411a-8ca9-c7fad900211e.vbs"31⤵PID:1120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aec75c49-05f6-4677-a63e-406573756ac7.vbs"31⤵PID:1980
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529726f4-9b20-4a50-bedb-438857cc1aff.vbs"29⤵PID:456
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0668e634-6246-4203-adb6-25d4eac76702.vbs"27⤵PID:5112
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7431edff-5339-40c5-a7cd-f4df6e29216b.vbs"25⤵PID:4324
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd7fbc7-f64c-4a82-9692-9711c11b95d8.vbs"23⤵PID:1500
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf174cfb-6a0c-4e79-bb41-55318452e292.vbs"21⤵PID:4728
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c42abf-08f5-4a5b-8112-9bde8f756661.vbs"19⤵PID:956
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d740a85-3061-4d5f-91b5-124588005119.vbs"17⤵PID:1640
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604eb722-517c-43bb-89e3-31f8d5250865.vbs"15⤵PID:4596
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce4eb3be-96f9-4a6e-8174-0a44c66e086e.vbs"13⤵PID:3608
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f82794b-cfb9-4da6-97bb-d5e635f1e82e.vbs"11⤵PID:3952
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d06f0e49-b3e1-4b66-a89f-7ffc34eba301.vbs"9⤵PID:2020
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f8356a-1b5a-430a-92ef-63eabf05d45a.vbs"7⤵PID:1948
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce22ef15-1401-4c8a-941c-75ef6e6df9ef.vbs"5⤵PID:2768
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c37c7e-4abb-4d9c-bae6-44cf79b6c660.vbs"3⤵PID:3424
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\fwcfg\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Devices.Midi\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\mblctr\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD56e727ca86bf17b8eb1d83e3e7a3bb202
SHA1956d2b768d3842b3e579a45c4b53c9d7ea805833
SHA256182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6
SHA5126176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2
-
Filesize
1.5MB
MD5db28ca18b6faa8ff80f31b8d04a3438a
SHA1fc8f3c9816414a69614be017f07883fb73b9ac2a
SHA256644ccb3d976e0fea07a933f74750e3197dd00fc6f77871e350436dd7fa482907
SHA5126d00c8b4f723431071d802ebfe92f7dc1b56077ca8efee56fc26c97e3470a41c8cdb80231085259c0c659e5a1b47bc3277392f91bb53cb1d6de08b375424bab3
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
698B
MD5d56cd49b7454598b045353338a9bb0df
SHA17462d14f37a807dc8b6e3c4c7dd44efcf47e97ee
SHA256eb8c3ec30172b6b1fd9c39bfc1f7b474b5c42daaeb5dd708e9b3dbde1c763b6b
SHA512f469c4f7042e4eeab5d2a446ddea01080860a2e74792633d85dc748f25b6de322340f7ca4ef1967ad7242bce78337b3fd2cae55d2d29713cfaf49fe6d848b1b7
-
Filesize
699B
MD55874f4579bf9f6b271f1d146ad420199
SHA125c5760cabda533aef90277c0575c9eb290491b6
SHA25661996f40a5d75ab7071da6844de3bdd3551f6e495060be9384bd5ca02a9d24de
SHA512cd7a4ad784838c60f1f07b9bd9c83dfdd94ab5d09ed843e760503b9b8a9a14a39390ab797d753c09d5f6620f4006330ae23dcf7910ba98339a915b6017cf62b2
-
Filesize
699B
MD555df5cf594c03ad85cb06bcee59e4abb
SHA1362c6d2ac4eda2f039d84fbfbf57b372bcdfff1a
SHA2562949bd37364499cb86ad9fee9ad923d9ba8d2123d62efc5816aac42115748cc8
SHA512fdfe1675461c956d801a7fa6f5df067c23b5af7b85eb3d34da8d4c14b3a9214794df38c5b41e99ee40d9e0f235b6d10c3ffc91e348b25c1cf13e302b0aecf102
-
Filesize
699B
MD54280007d2afc0da4a7238d0cf165c7ae
SHA1f3ee55d34220a27485c501dc74317ea18b6f13d6
SHA25686924670622034335eee197acefab4318e764bc9f4d5fe30f664bff8b8742aa1
SHA5125f4ff84e976903973dadbfe4817590f831c3e322d788450257e2af9d2be42b82846f8dd2a521e79061077a675dc97dfc1e887d4cef73c81c887e9188953886fa
-
Filesize
699B
MD58f93ce19a1b354d623ee755a310ee83d
SHA1dbae4bc70801acb0e937693536d581802dd003ca
SHA256de5894c6e224df4add88982dba0434ed172bd05dfbc67ba2d984f11ab00cd6e1
SHA512c01a7215ad1ed88c5b2c9de6ade7939a3c718812f58fc1204aabefac50d5c9f208a10573c0627eb3c9b29d8bdd886fc6db541ccd1a97556876bafa9e916d66a2
-
Filesize
475B
MD574ce0b8fc07fd993c1b4cf026d674c44
SHA13beeca655a2830e243ef9ba2139c76bb0cb719ab
SHA2567765d984cc464985a56e8914adfb47d67b77ed3a5794e63e5e66404c1c7801f9
SHA5123a4eb6114f528b00dae7590b5148151c2804c163a394752849a3727fec008b4c17b4fdb7d36dea417468c2106e97cdd96ed9be3bba427717ba99c76e6c72fde6
-
Filesize
699B
MD57e03ff199feb96a6ad46798c4f7e43f7
SHA19b30168348893c23b352953fcdb2edcae4cc9724
SHA2562ace3502ee3224cbdd03feb126e2e5f7f1f1b0ed99be4f080319bd9c24c0ce9b
SHA512d6461146848e64f9c2ddbd5e7d3bef762e17d80026b4de7da6012fd5a6d41208816063be4a4f0315e6f6802e2a05c894493a333b01a7a07de30ec956932718ae
-
Filesize
699B
MD58a416a5ab51fdd78395c180db9365875
SHA11932f8b2a74c8bb7a1bfc6cff676753b30b68588
SHA256079bc177f026664ab74304f7329a82443752f57e634b2d36e0850e50d9f3f8cb
SHA512cb295d7a0a941f721a0eeb91cae47074231513e6aab2b724776a4102bf546d8a8af3c9cb20a51faadc20be8e9d0c9547fdf09ed3e3a278c2b6df7331de39bd77
-
Filesize
699B
MD53f910256b0d3c5c56ab3c3fb0745d862
SHA15134585183767babf3f641985993826711c49eb1
SHA25635b740e199575515d795e2f2aafe45b1dcd9b50815d4dffa84b66382cdf84eed
SHA512da38681e5e2f3767360cd6185b4078e01b04179e7dcae9a81ea1b18048608a9639c78008348a41a7c7929e71b9fedd03c34df608e9bc655ab5a5cafcfb19cd36
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
699B
MD5be98d3d9b9fd1148268b86797b1ffe9b
SHA1cfb52f84e38e3642710a9b0e5a7aa1fc073a744b
SHA256178388e62d166423ebb9d90c673c71d96aed0637c7e5b3849fdf14de8b3e85bb
SHA512fefbb62e52241a903add14526cfd1df39531906f0ab624c6fe9d4f6a578f62dfbad2e8ba849dcbe5f9dd6cb594b5a69dfab8d7d54b95677b074a2118db8c3a9b
-
Filesize
699B
MD5992b7b318ff9098a4fa3769b37a20c95
SHA1214ad535f5fc5fc6b1308c909a6e433f37917d53
SHA256e830322128c00446f7f43c9f2b79e9c7d5ccf5f2a49349214ee9f9fcdf4934e7
SHA512ddece9163c6a4d5905eced62493a1b1b97143aefa54c4362c54843e246052a5fb91494ab84cc0e0c70ca70d8e85c87cfc33691dd3c0e89c5c391b97741632b1a
-
Filesize
699B
MD546222a5a8d643996967dc4480fa0678f
SHA176255303dac841667b91f8ec6969c7f9a3e7dc18
SHA256f87ad2774e18d3bafdc6c4b863a9876b71f13b3f9f6ef5e054e8392bff88c851
SHA5127924b7295288a38d33df8b221b8a95d903463b1447edb19618cae4266cc193338566acb5048c0a3116786a0207557e3597c35b24e0ed76fe3d53584a12c26946
-
Filesize
699B
MD5df9fafbaddb3666109a9bc001fce2fe1
SHA14ac240702f5ae0a551877f2a00faa12cf2556197
SHA256a01edf247d35b3cee403daeadf8722b86ed1e5b56d3268e3f3aec75e8d9c67ee
SHA5124972e24c3e2b22d80bd05e7f9a3389b8e1c84cbddf24dd2fcefe80c60788a97903b7221f836487ccb48796d2f306c3229180d535db24e8b556d3261a030669ae
-
Filesize
699B
MD5bdf6e4e50c2c2c7dbfa4fe464fa7642b
SHA12ff641175115a2fb1ff8850e2d7f01d9501e9328
SHA256eb8581891d68710a77db8f2c4cf08533423f614e1099525526e7168bfc5cfb03
SHA512bcabe2c659f5175c7fc80fb3a1ffaba4d47376087f41dba57f744d4650e7f1483c56e30a62bfa7c30ce8f4e76abac196064211c4cdf862697d01479e0af0dcf8
-
Filesize
699B
MD5e70750eb2700b64e00dee5203c288d6c
SHA180618fb5a49579493ca6bb20c5fcd6a9a285bb8b
SHA25628bf279a2d9a516826678b969ebb9a081b5f45fb3518cae5f318c1a2bb4235b7
SHA5126cb759c07fc2bf3513c28d7e3c4afe558697305c0262cff8cbec7d6adec0f244676df5cd112f9a4a004c478dfc9ec3196962af946dc8ed3af3b5f7bcdbab5812