Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2023, 02:46
Behavioral task: behavioral1
Sample: caa690c0fc39cd9fd36bec2dd30f03ba.exe
Resource: win7-20230220-en
General
Target: caa690c0fc39cd9fd36bec2dd30f03ba.exe
Size: 2.9MB
MD5: caa690c0fc39cd9fd36bec2dd30f03ba
SHA1: 3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0
SHA256: d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b
SHA512: f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a
SSDEEP: 49152:CEvU1J8dN6XYbTGw5i+4pK1XWdOcYF62tLmkyWM2tG8r3p+7:CEvA/YbTjt6LkLLt1LrZ
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3300 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4048 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 400 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4120 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4012 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1488 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5024 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3172 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3956 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3352 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4188 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1412 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4016 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4968 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3652 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3980 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3224 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4144 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4500 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3232 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5112 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3200 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3360 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4848 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4372 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4256 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4744 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3332 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4260 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4524 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4736 | 2128 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 2128 | schtasks.exe | 33
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
resource | yara_rule
behavioral2/memory/4544-133-0x0000000000B90000-0x0000000000E70000-memory.dmp | dcrat
behavioral2/files/0x000800000002314e-145.dat | dcrat
behavioral2/files/0x0006000000023180-194.dat | dcrat
behavioral2/files/0x000600000002315d-539.dat | dcrat
behavioral2/files/0x000600000002315d-540.dat | dcrat
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Executes dropped EXE 1 IoCs
pid | Process
5532 | WmiPrvSE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
177 | ipinfo.io
178 | ipinfo.io
Drops file in Program Files directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Reference Assemblies\SppExtComObj.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Program Files\Reference Assemblies\e1ef82546f0b02 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXC5E6.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Program Files\Reference Assemblies\SppExtComObj.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\RCXCA2F.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\54a3c9f5-a40a-430d-817c-3dbb02085571.tmp | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\24dbde2999530e | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\RCXCA4F.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files\Reference Assemblies\RCXCEA8.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files\Reference Assemblies\RCXCED7.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230309034721.pma | setup.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXC5C6.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\24dbde2999530e | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Setup\State\RCXD34F.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Windows\Prefetch\ReadyBoot\RCXDAD6.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Windows\Setup\State\RuntimeBroker.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Windows\Setup\State\9e8d7a4ca61bd9 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Windows\Setup\State\RCXD36F.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Windows\Setup\State\RuntimeBroker.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification | C:\Windows\Prefetch\ReadyBoot\RCXD7E7.tmp | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe | caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created | C:\Windows\Prefetch\ReadyBoot\5b884080fd4f94 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2964 | schtasks.exe
1872 | schtasks.exe
4260 | schtasks.exe
264 | schtasks.exe
1488 | schtasks.exe
4016 | schtasks.exe
4500 | schtasks.exe
4400 | schtasks.exe
2112 | schtasks.exe
4120 | schtasks.exe
1436 | schtasks.exe
1540 | schtasks.exe
3224 | schtasks.exe
5112 | schtasks.exe
3956 | schtasks.exe
4968 | schtasks.exe
3980 | schtasks.exe
3352 | schtasks.exe
4184 | schtasks.exe
3360 | schtasks.exe
4848 | schtasks.exe
4744 | schtasks.exe
1548 | schtasks.exe
3300 | schtasks.exe
5024 | schtasks.exe
2616 | schtasks.exe
4372 | schtasks.exe
3996 | schtasks.exe
400 | schtasks.exe
3172 | schtasks.exe
3200 | schtasks.exe
4048 | schtasks.exe
1412 | schtasks.exe
4524 | schtasks.exe
2028 | schtasks.exe
820 | schtasks.exe
4256 | schtasks.exe
4736 | schtasks.exe
4188 | schtasks.exe
3652 | schtasks.exe
4144 | schtasks.exe
4752 | schtasks.exe
3232 | schtasks.exe
4536 | schtasks.exe
3332 | schtasks.exe
920 | schtasks.exe
4012 | schtasks.exe
1812 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | WmiPrvSE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
432 | powershell.exe
432 | powershell.exe
1068 | powershell.exe
1068 | powershell.exe
2692 | powershell.exe
2692 | powershell.exe
4536 | powershell.exe
4536 | powershell.exe
4744 | powershell.exe
4744 | powershell.exe
3588 | powershell.exe
3588 | powershell.exe
2396 | powershell.exe
2396 | powershell.exe
3332 | powershell.exe
3332 | powershell.exe
2948 | powershell.exe
2948 | powershell.exe
4304 | powershell.exe
4304 | powershell.exe
2572 | powershell.exe
2572 | powershell.exe
4524 | powershell.exe
4524 | powershell.exe
432 | powershell.exe
1068 | powershell.exe
3588 | powershell.exe
2692 | powershell.exe
4744 | powershell.exe
3332 | powershell.exe
2948 | powershell.exe
4536 | powershell.exe
2396 | powershell.exe
4524 | powershell.exe
2572 | powershell.exe
4304 | powershell.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
5532 | WmiPrvSE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid | Process
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 1068 | powershell.exe
Token: SeDebugPrivilege | 2692 | powershell.exe
Token: SeDebugPrivilege | 4536 | powershell.exe
Token: SeDebugPrivilege | 4744 | powershell.exe
Token: SeDebugPrivilege | 3588 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 3332 | powershell.exe
Token: SeDebugPrivilege | 2948 | powershell.exe
Token: SeDebugPrivilege | 4304 | powershell.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 4524 | powershell.exe
Token: SeDebugPrivilege | 5532 | WmiPrvSE.exe
Token: SeBackupPrivilege | 5308 | vssvc.exe
Token: SeRestorePrivilege | 5308 | vssvc.exe
Token: SeAuditPrivilege | 5308 | vssvc.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
3500 | msedge.exe
3500 | msedge.exe
3500 | msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4544 wrote to memory of 4536 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 139
PID 4544 wrote to memory of 4536 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 139
PID 4544 wrote to memory of 3588 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 162
PID 4544 wrote to memory of 3588 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 162
PID 4544 wrote to memory of 4744 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 161
PID 4544 wrote to memory of 4744 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 161
PID 4544 wrote to memory of 432 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 160
PID 4544 wrote to memory of 432 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 160
PID 4544 wrote to memory of 2692 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 159
PID 4544 wrote to memory of 2692 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 159
PID 4544 wrote to memory of 3332 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 158
PID 4544 wrote to memory of 3332 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 158
PID 4544 wrote to memory of 1068 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 156
PID 4544 wrote to memory of 1068 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 156
PID 4544 wrote to memory of 2948 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 154
PID 4544 wrote to memory of 2948 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 154
PID 4544 wrote to memory of 4524 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 153
PID 4544 wrote to memory of 4524 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 153
PID 4544 wrote to memory of 4304 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 152
PID 4544 wrote to memory of 4304 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 152
PID 4544 wrote to memory of 2396 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 148
PID 4544 wrote to memory of 2396 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 148
PID 4544 wrote to memory of 2572 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 145
PID 4544 wrote to memory of 2572 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 145
PID 4544 wrote to memory of 1436 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 163
PID 4544 wrote to memory of 1436 | 4544 | caa690c0fc39cd9fd36bec2dd30f03ba.exe | 163
PID 1436 wrote to memory of 5184 | 1436 | cmd.exe | 165
PID 1436 wrote to memory of 5184 | 1436 | cmd.exe | 165
PID 1436 wrote to memory of 5532 | 1436 | cmd.exe | 166
PID 1436 wrote to memory of 5532 | 1436 | cmd.exe | 166
PID 5532 wrote to memory of 5764 | 5532 | WmiPrvSE.exe | 167
PID 5532 wrote to memory of 5764 | 5532 | WmiPrvSE.exe | 167
PID 5532 wrote to memory of 5808 | 5532 | WmiPrvSE.exe | 168
PID 5532 wrote to memory of 5808 | 5532 | WmiPrvSE.exe | 168
PID 5532 wrote to memory of 3500 | 5532 | WmiPrvSE.exe | 176
PID 5532 wrote to memory of 3500 | 5532 | WmiPrvSE.exe | 176
PID 3500 wrote to memory of 636 | 3500 | msedge.exe | 177
PID 3500 wrote to memory of 636 | 3500 | msedge.exe | 177
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
PID 3500 wrote to memory of 5204 | 3500 | msedge.exe | 178
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4544
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4536
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2572
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4304
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4524
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2948
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1068
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3332
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2692
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 432
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4744
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3588
  [depth 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q1AusS7wFr.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1436
    [depth 3] C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 5184
    [depth 3] C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe
      Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 5532
      [depth 4] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470753cc-503d-420e-8471-e4f5d1934e9f.vbs"
        PID: 5764
      [depth 4] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecce3076-4118-48cf-8ff1-5360502163fa.vbs"
        PID: 5808
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12662/
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 3500
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff9a8fb46f8,0x7ff9a8fb4708,0x7ff9a8fb4718
          PID: 636
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          PID: 5204
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
          PID: 3756
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
          PID: 3480
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
          PID: 936
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
          PID: 4548
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
          PID: 2268
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
          PID: 1156
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
          PID: 1840
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
          PID: 4440
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
          PID: 5216
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
          PID: 5496
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x1fc,0x7ff613c95460,0x7ff613c95470,0x7ff613c95480
            PID: 4496
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
          PID: 5008
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
          PID: 4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:15⤵PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:15⤵PID:1476
-
-
-
-
-
Scheduled tasks created (48 instances of C:\Windows\system32\schtasks.exe, each at depth 1 in the tree; every entry is tagged "Process spawned unexpected child process" and "Creates scheduled task(s)"). Each target path gets three tasks: an unelevated MINUTE task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The task names reuse Windows binary names, and the targets sit outside the directories those binaries normally live in.

PID 1548  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
PID 3300  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
PID 4048  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
PID 264   schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f
PID 400   schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
PID 920   schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
PID 4120  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /f
PID 4012  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1488  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
PID 5024  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
PID 1812  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 3172  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 3956  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /f
PID 3352  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 1436  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 4188  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /f
PID 1412  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
PID 4016  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
PID 4968  schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03bac" /sc MINUTE /mo 9 /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /f
PID 3652  schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03ba" /sc ONLOGON /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /rl HIGHEST /f
PID 3980  schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03bac" /sc MINUTE /mo 8 /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /rl HIGHEST /f
PID 3224  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /f
PID 4144  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /rl HIGHEST /f
PID 4752  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1540  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
PID 4500  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
PID 3232  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
PID 5112  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /f
PID 4184  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /rl HIGHEST /f
PID 2964  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /rl HIGHEST /f
PID 4400  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /f
PID 3200  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2616  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3360  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /f
PID 2028  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
PID 4848  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
PID 820   schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
PID 4372  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
PID 4256  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
PID 1872  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
PID 4536  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4744  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2112  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
PID 3332  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
PID 4260  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
PID 4524  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /f
PID 4736  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f
PID 3996  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\vssvc.exe (depth 1, PID 5308)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 3488)
C:\Windows\System32\CompPkgSrv.exe -Embedding
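The schtasks entries above are the most useful thing in this report for a defender: the parent is WmiPrvSE.exe (so the tasks were created through WMI rather than by the sample's own process), every target borrows a Windows binary name but lives in a user, recovery or ODT directory, and each target gets the same three-task pattern (MINUTE, ONLOGON with /rl HIGHEST, MINUTE with /rl HIGHEST). The script below is an added example, not part of the sandbox report and not the sample's code. It parses schtasks /create command lines from process-creation events and flags those traits. The SYSTEM_BINARY_NAMES and LEGIT_PREFIXES tables are assumptions chosen to cover the targets seen here; the sample events are copied from the list above plus one constructed benign control.

```python
"""Flag schtasks /create events that match the persistence pattern in this report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumption for this example: binary names the tasks above borrow, and the only
# directories where those binaries are expected. Extend both for your estate.
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "explorer.exe", "wmiprvse.exe", "fontdrvhost.exe",
    "backgroundtaskhost.exe", "unsecapp.exe", "officeclicktorun.exe",
    "runtimebroker.exe", "sppextcomobj.exe", "dllhost.exe", "lsass.exe",
}
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\explorer.exe",
    "c:\\program files\\common files\\microsoft shared\\clicktorun\\",
)

# Constructed input: (pid, parent image, command line). The first four rows are copied
# from the process list above; the last is a benign control that must not be flagged.
SAMPLE_EVENTS = [
    (1548, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f"""),
    (3300, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f"""),
    (4048, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f"""),
    (3332, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f"""),
    (9999, r"C:\Windows\System32\cmd.exe",
     r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f"""),
]

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r'/sc\s+(\S+)', re.I)
_MO = re.compile(r'/mo\s+(\d+)', re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r'/rl\s+(\S+)', re.I)


@dataclass
class TaskCreate:
    pid: int
    parent_image: str
    name: str
    schedule: str
    interval: Optional[int]
    target: str
    run_level: str  # "HIGHEST" or "LIMITED" (schtasks default)


def parse_schtasks(pid: int, parent_image: str, cmdline: str) -> Optional[TaskCreate]:
    """Pull the fields we care about out of a schtasks /create command line."""
    if "/create" not in cmdline.lower():
        return None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if not (tn and tr):
        return None
    sc, mo, rl = _SC.search(cmdline), _MO.search(cmdline), _RL.search(cmdline)
    return TaskCreate(
        pid=pid, parent_image=parent_image, name=tn.group(1),
        schedule=sc.group(1).upper() if sc else "",
        interval=int(mo.group(1)) if mo else None,
        target=tr.group(1).strip("'"),           # the report wraps the path in "'...'"
        run_level=rl.group(1).upper() if rl else "LIMITED",
    )


def parse_events(events) -> List[TaskCreate]:
    parsed = (parse_schtasks(*e) for e in events)
    return [t for t in parsed if t is not None]


def assess(task: TaskCreate) -> List[str]:
    """Reasons a single task creation looks like the persistence seen in this report."""
    reasons = []
    if PureWindowsPath(task.parent_image).name.lower() == "wmiprvse.exe":
        reasons.append("spawned by WmiPrvSE.exe (consistent with Win32_Process.Create over WMI)")
    name = PureWindowsPath(task.target).name.lower()
    if name in SYSTEM_BINARY_NAMES and not task.target.lower().startswith(LEGIT_PREFIXES):
        reasons.append(f"target {name} masquerades as a Windows binary outside its expected directory")
    if task.run_level == "HIGHEST":
        reasons.append("/rl HIGHEST requests an elevated run level")
    if task.schedule == "MINUTE" and task.interval is not None and task.interval <= 15:
        reasons.append(f"re-launched every {task.interval} min (watchdog cadence)")
    return reasons


def analyze(events) -> List[Tuple[int, str, List[str]]]:
    return [(t.pid, t.name, assess(t)) for t in parse_events(events)]


def triplet_targets(tasks: List[TaskCreate]) -> List[str]:
    """Targets that received the three-task set seen above: MINUTE, ONLOGON+HIGHEST, MINUTE+HIGHEST."""
    combos = {}
    for t in tasks:
        combos.setdefault(t.target.lower(), set()).add((t.schedule, t.run_level))
    wanted = {("MINUTE", "LIMITED"), ("ONLOGON", "HIGHEST"), ("MINUTE", "HIGHEST")}
    return sorted(tgt for tgt, seen in combos.items() if wanted <= seen)


if __name__ == "__main__":
    for pid, name, reasons in analyze(SAMPLE_EVENTS):
        print(pid, name, "->", "; ".join(reasons) or "no findings")
    print("triplet targets:", triplet_targets(parse_events(SAMPLE_EVENTS)))
```

Feed it Sysmon Event ID 1 or Security 4688 records (PID, ParentImage, CommandLine) and the same code covers live telemetry; the triplet check is the strongest single signal here because three tasks for one non-system path is rare in legitimate software.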
Downloads
Filesize 2.9MB (listed 3 times)
MD5 caa690c0fc39cd9fd36bec2dd30f03ba
SHA1 3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0
SHA256 d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b
SHA512 f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Filesize 2KB (listed 2 times)
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize 152B
MD5 0820611471c1bb55fa7be7430c7c6329
SHA1 5ce7a9712722684223aced2522764c1e3a43fbb9
SHA256 f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
SHA512 77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Filesize 152B
MD5 425e83cc5a7b1f8edfbec7d986058b01
SHA1 432a90a25e714c618ff30631d9fdbe3606b0d0df
SHA256 060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
SHA512 4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize 2KB
MD5 e8afa7a24a0a9417a819cf4daaa8d7af
SHA1 1a2023993e8f25b179bb3fa3acf023c557ecd874
SHA256 2d356c08f80b74ad0d7d1fe2b185f8d92a7120f2b6ce1beacdada6db1a060621
SHA512 29d8e75fdc39c681816cbcc81337aacecc9f61af429a5bffaca90c89398fd1deedeefa516a8be85641dcdfcfddc22073efca6e2683e87900043f5f43fb0887e3

Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize 4KB
MD5 4ea04e93fc7b3abe5f6a8f404f5ca804
SHA1 99851e6acf3b0071e20c0c7696bb75c11f90e537
SHA256 bae1a4600213f2133119ed14bd7be26b11714e24c7ee6c3b1a147f180b669020
SHA512 1f8f1f297b6eb02e89682126543d0110fbb800772221ee8e4fddddbf1801d15379fe1cd2bf98ac95e0fe849ec0b1a91ccf0a6b9c49a44367dcfba8b83a336de6

Filesize 5KB
MD5 f64b1222c2f4ace686ed8499f3a69b81
SHA1 0031a4d037b93cbe4e1e835000065b3be512246e
SHA256 b0d117415533a0d1adc1d851e0bcea37de08934c4f7c658a559dea820fd4a666
SHA512 2907920afe88179fec014fb14027f413ba10b9fff7c012693cabe0fd56941fa278f6bb048c4a144da9261e38f58983ed16f201fefb1ae2220b8ec0ad229ff4b8

Filesize 5KB
MD5 390369d2b5a99358e8de3ff22119967d
SHA1 fea63ea3cded180bd96c5de2775d13624824fe2a
SHA256 64d4ec084974f4423f50634c5d1af1b4b5a4b78013ecdc8adde28c431d333f78
SHA512 9bd55a993f5e42fd040362def0bbe93e8d344a3b4d53fc55d077cbc69195bab62b396c8a7a2373c7603ad700a52db6f0f55117b353f5cae0f1b8211c0573adf7

Filesize 24KB
MD5 d53ac35ab3976e67caeed75c4d44ffc1
SHA1 c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256 647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512 391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize 9KB
MD5 e4083f01169fcb0a2351424abd55e537
SHA1 6c97baf00d877b1f2a61fdc786aa64867c06a7de
SHA256 52f6188ba382a4be315d9cd9402d6fcddb27b7f919db98179815bc3161850b96
SHA512 dab4787dfdb21fcd41ca384612ac6b0d91067d7db1484342f335373bffff7cedf420ca0afc3d2da4c291817b42113b304c283ef41aa445680a9706d1bb781eca

Filesize 12KB
MD5 aea203d93cf3a720752b0143b5e4cf04
SHA1 f93d568dfbf576837fd3f144d96d1cd38365df81
SHA256 2a8b47e9db08f53e08ac33ea532dc76a9a10da2307c320598641d65990255805
SHA512 94159e733c7ada1b115a3b28b7135a8c544d7c4fb102fb4ad192f9b0efbc42f62ddf990dc62f75174a05da2b5851e3cc6a90610f0eab67e3fbc6e44842075b27

Filesize 944B (listed 2 times)
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Filesize 944B (listed 6 times)
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Filesize 944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Filesize 944B
MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Filesize 735B
MD5 b342a9d4a794111c0cc0c1e620d06df3
SHA1 4d31eaa04abdedfee9f7a46f6a8608799fd0ca1f
SHA256 fda9f937aabb3c2a9a825b6be8bf329802935ceab842a059cfce5eecdb7222dc
SHA512 c3159f439bd843f74de510ecc3e8e79c1d0d132cc06ff1f26c3bb0ca83e0e5b189a1f05e7086575f9206af38f9a05b187e6fa76507d1158664addd24c905132d

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 511B
MD5 f9103125ab6e285f4cc53a0796e33083
SHA1 9b93b162eeaede26e52277d93578f388460dad7d
SHA256 067d20f643a8a143857860c39e35744a0589375e5b15991a118d89653b0ca364
SHA512 786c9f809be36b84ef966cbc74ef65792d97bd8ab0a3f5b41709396c5b343dd46794ce59eda3869095447ea0e1ce9d219196de063e45a82db7ad91bb88e64888

Filesize 224B
MD5 c632fd7a71f1007df95e6b2114ac76a6
SHA1 5052e39c0fa54a2ab8d16714d4bc4a08bbb435e0
SHA256 495a0db2c21ed6fb5df765bd1d470b46f07308811366191e53c25bb58a21f7e4
SHA512 ed88d0f561ae7091644f2f2f1fa1bbfb44de644f266009447e0e2a699277225aa64faccec60257555128f2a5b44122e18d5bfb3e095f4875f74832ddb0524e6a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 6ef2e62f2649123a9ce564107e9d0b61
SHA1 44b7a8086af149293d9face8b697ac368f587173
SHA256 2ec0e42568b4efd70f0fe5c3a8d938eb923faa4ec9314a5511185904b9b289cb
SHA512 0d6e76a4ff81dd120bea8ff5462a227e1d51d6846a417beb83af4646465965d9cf654d27926481ebf424bc40e04b7750a11312919d3902fe52e1e334068fa58a

Filesize 2.9MB
MD5 393f7810c51e9fae12e95b05a9622404
SHA1 fd639e0d2f80ae4c0157b3184a1b8704ee798057
SHA256 7093de61d6787275ac75f5579086a333e06cceefd4f783d4d1ca3b8999981708
SHA512 f468e6785c7f07dc6eb63d49c2a7568dd9e5232e4d3ba108aa012be1167fc91fd8a89ff07886af695c26ec77f6c14e73c6f14a931f1b5a3e5bda4137fda0e455
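The hash list and the task targets together give a host-triage checklist: for each path the scheduled tasks point at, does a file exist there, and does its SHA-256 match one of the dropped files? The script below is an added example and not part of the report. KNOWN_SHA256 holds two values copied from the list above (the submitted sample and the second 2.9MB file); TASK_TARGETS holds four of the /tr paths. The demo() function builds a temporary directory with constructed stand-in files so the logic can be exercised offline; on a real Windows host you would call triage(TASK_TARGETS) directly.

```python
"""Check a host for the scheduled-task targets above and hash-match whatever is found."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# SHA-256 values copied from the dropped-file list above. Extend with the rest of the
# list for a full sweep.
KNOWN_SHA256 = {
    "d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b":
        "submitted sample caa690c0fc39cd9fd36bec2dd30f03ba.exe",
    "7093de61d6787275ac75f5579086a333e06cceefd4f783d4d1ca3b8999981708":
        "2.9MB file dropped by the sample",
}

# Paths taken from the /tr arguments of the scheduled tasks above (subset).
TASK_TARGETS = [
    r"C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe",
    r"C:\Users\Default User\winlogon.exe",
    r"C:\Users\Public\Pictures\lsass.exe",
    r"C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe",
]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-MB dropper does not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(paths: Iterable[str], known: Dict[str, str] = KNOWN_SHA256) -> Dict[str, str]:
    """Map each path to 'missing', 'known: <label>' or 'unknown: <sha256>'.

    A present-but-unknown file at one of these paths is still a finding: nothing
    legitimate drops winlogon.exe or lsass.exe into user-writable directories.
    """
    out: Dict[str, str] = {}
    for p in paths:
        if not os.path.isfile(p):
            out[p] = "missing"
            continue
        digest = sha256_file(p)
        out[p] = f"known: {known[digest]}" if digest in known else f"unknown: {digest}"
    return out


def demo() -> Dict[str, str]:
    """Constructed offline run: one file whose hash we register, one we do not, one absent."""
    with tempfile.TemporaryDirectory() as d:
        matched = Path(d) / "winlogon.exe"
        matched.write_bytes(b"constructed stand-in for a dropped file")   # constructed content
        unmatched = Path(d) / "lsass.exe"
        unmatched.write_bytes(b"constructed content with no matching hash")
        known = dict(KNOWN_SHA256)
        known[sha256_file(str(matched))] = "constructed stand-in"
        return triage([str(matched), str(unmatched), str(Path(d) / "absent.exe")], known)


if __name__ == "__main__":
    for path, status in triage(TASK_TARGETS).items():
        print(f"{status:<60} {path}")
    print(demo())
```

Run it as the user whose task list is being checked or as an administrator, since some of the targets (C:\Windows\Prefetch\ReadyBoot, C:\Recovery\WindowsRE) are not readable from a standard user context; a "missing" result from an unprivileged run is not proof of a clean host.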