Analysis
  max time kernel:  146s
  max time network: 146s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        15-05-2024 05:23
Behavioral task: behavioral1
  Sample:   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Resource: win7-20240221-en
General
  Target: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Size:   3.2MB
  MD5:    438789fc2753a3a41d1704542bf93769
  SHA1:   81a6c969c14fc47a15d2574cfb63dee2cbcbf12c
  SHA256: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
  SHA512: c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c
  SSDEEP: 98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (30 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description (all 30 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  process
  2384  2396        schtasks.exe
  2528  2396        schtasks.exe
  2476  2396        schtasks.exe
  2404  2396        schtasks.exe
  2164  2396        schtasks.exe
  2412  2396        schtasks.exe
  548   2396        schtasks.exe
  776   2396        schtasks.exe
  1440  2396        schtasks.exe
  1672  2396        schtasks.exe
  1272  2396        schtasks.exe
  1632  2396        schtasks.exe
  2616  2396        schtasks.exe
  2760  2396        schtasks.exe
  2464  2396        schtasks.exe
  1288  2396        schtasks.exe
  2276  2396        schtasks.exe
  1936  2396        schtasks.exe
  1912  2396        schtasks.exe
  540   2396        schtasks.exe
  1932  2396        schtasks.exe
  1216  2396        schtasks.exe
  2148  2396        schtasks.exe
  1388  2396        schtasks.exe
  1356  2396        schtasks.exe
  2248  2396        schtasks.exe
  2076  2396        schtasks.exe
  2228  2396        schtasks.exe
  2724  2396        schtasks.exe
  568   2396        schtasks.exe
UAC bypass (27 IoCs)
Processes:
  All registry values below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  description      ioc                               process
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  EnableLUA = "0"                   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
YARA rule matches: dcrat (10 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2648-1-0x0000000000ED0000-0x000000000120C000-memory.dmp    dcrat
  C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe       dcrat
  C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe   dcrat
  C:\Program Files\Windows Portable Devices\audiodg.exe                         dcrat
  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe  dcrat
  C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe                    dcrat
  behavioral1/memory/1744-242-0x0000000000150000-0x000000000048C000-memory.dmp  dcrat
  behavioral1/memory/1368-253-0x0000000001040000-0x000000000137C000-memory.dmp  dcrat
  behavioral1/memory/804-322-0x0000000001350000-0x000000000168C000-memory.dmp   dcrat
  C:\Users\Admin\AppData\Local\Temp\ca1033d37860b7102ff60b8f8b730d81674a1cfb.exe  dcrat
Detects executables packed with SmartAssembly (8 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2648-8-0x0000000000530000-0x0000000000540000-memory.dmp    INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-12-0x0000000000AA0000-0x0000000000AAA000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-19-0x000000001AAA0000-0x000000001AAAC000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-20-0x000000001AAB0000-0x000000001AABC000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-22-0x000000001AAD0000-0x000000001AADC000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-24-0x000000001AAF0000-0x000000001AAFA000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-28-0x000000001AF00000-0x000000001AF0C000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
  behavioral1/memory/2648-30-0x000000001AF20000-0x000000001AF2A000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2496  powershell.exe
  2520  powershell.exe
  2584  powershell.exe
  2700  powershell.exe
  2472  powershell.exe
  2104  powershell.exe
  2452  powershell.exe
  2488  powershell.exe
  2580  powershell.exe
  2572  powershell.exe
  2512  powershell.exe
  2860  powershell.exe
Executes dropped EXE (8 IoCs)
Processes:
  pid   process
  1744  csrss.exe
  1368  csrss.exe
  2944  csrss.exe
  2948  csrss.exe
  1484  csrss.exe
  3012  csrss.exe
  2912  csrss.exe
  804   csrss.exe
Checks whether UAC is enabled (18 IoCs)
Processes:
  All registry values below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  description        ioc              process
  Set value (int)    EnableLUA = "0"  csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Key value queried  EnableLUA        fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)    EnableLUA = "0"  fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Key value queried  EnableLUA        csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Key value queried  EnableLUA        csrss.exe
  Set value (int)    EnableLUA = "0"  csrss.exe
Drops file in Program Files directory (20 IoCs)
Processes:
  process (all 20 rows): fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  description                   ioc
  File created                  C:\Program Files\7-Zip\Lang\886983d96e3d3e
  File opened for modification  C:\Program Files\7-Zip\Lang\RCXB7A1.tmp
  File opened for modification  C:\Program Files\Windows NT\Accessories\fr-FR\RCXCCA7.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
  File opened for modification  C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe
  File created                  C:\Program Files\Windows Portable Devices\audiodg.exe
  File created                  C:\Program Files\Windows Portable Devices\42af1c969fbb7b
  File created                  C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\RCXB7A0.tmp
  File opened for modification  C:\Program Files\Windows Portable Devices\RCXC457.tmp
  File opened for modification  C:\Program Files\Windows Portable Devices\audiodg.exe
  File created                  C:\Program Files\7-Zip\Lang\csrss.exe
  File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e
  File opened for modification  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXC989.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCA16.tmp
  File opened for modification  C:\Program Files\Windows NT\Accessories\fr-FR\RCXCC1A.tmp
  File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
  File created                  C:\Program Files\Windows NT\Accessories\fr-FR\7a0fd90576e088
  File opened for modification  C:\Program Files\7-Zip\Lang\csrss.exe
  File opened for modification  C:\Program Files\Windows Portable Devices\RCXC4D4.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 30 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2648  fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Token: SeDebugPrivilege  2488  powershell.exe
  Token: SeDebugPrivilege  2104  powershell.exe
  Token: SeDebugPrivilege  2520  powershell.exe
  Token: SeDebugPrivilege  2512  powershell.exe
  Token: SeDebugPrivilege  2580  powershell.exe
  Token: SeDebugPrivilege  2472  powershell.exe
  Token: SeDebugPrivilege  2452  powershell.exe
  Token: SeDebugPrivilege  2700  powershell.exe
  Token: SeDebugPrivilege  2584  powershell.exe
  Token: SeDebugPrivilege  2860  powershell.exe
  Token: SeDebugPrivilege  2572  powershell.exe
  Token: SeDebugPrivilege  2496  powershell.exe
  Token: SeDebugPrivilege  1744  csrss.exe
  Token: SeDebugPrivilege  1368  csrss.exe
  Token: SeDebugPrivilege  2944  csrss.exe
  Token: SeDebugPrivilege  2948  csrss.exe
  Token: SeDebugPrivilege  1484  csrss.exe
  Token: SeDebugPrivilege  3012  csrss.exe
  Token: SeDebugPrivilege  2912  csrss.exe
  Token: SeDebugPrivilege  804   csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  sample = fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe (written out in full below)
  description                        process                                                                  target process
  PID 2648 wrote to memory of 2452   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2452   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2452   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2472   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2472   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2472   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2860   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2860   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2860   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2512   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2512   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2512   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2572   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2572   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2572   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2580   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2580   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2580   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2584   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2584   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2584   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2520   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2520   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2520   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2488   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2488   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2488   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2496   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2496   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2496   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2104   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2104   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2104   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2700   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2700   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2700   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   powershell.exe
  PID 2648 wrote to memory of 2420   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   cmd.exe
  PID 2648 wrote to memory of 2420   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   cmd.exe
  PID 2648 wrote to memory of 2420   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe   cmd.exe
  PID 2420 wrote to memory of 1288   cmd.exe       w32tm.exe
  PID 2420 wrote to memory of 1288   cmd.exe       w32tm.exe
  PID 2420 wrote to memory of 1288   cmd.exe       w32tm.exe
  PID 2420 wrote to memory of 1744   cmd.exe       csrss.exe
  PID 2420 wrote to memory of 1744   cmd.exe       csrss.exe
  PID 2420 wrote to memory of 1744   cmd.exe       csrss.exe
  PID 1744 wrote to memory of 2652   csrss.exe     WScript.exe
  PID 1744 wrote to memory of 2652   csrss.exe     WScript.exe
  PID 1744 wrote to memory of 2652   csrss.exe     WScript.exe
  PID 1744 wrote to memory of 1076   csrss.exe     WScript.exe
  PID 1744 wrote to memory of 1076   csrss.exe     WScript.exe
  PID 1744 wrote to memory of 1076   csrss.exe     WScript.exe
  PID 2652 wrote to memory of 1368   WScript.exe   csrss.exe
  PID 2652 wrote to memory of 1368   WScript.exe   csrss.exe
  PID 2652 wrote to memory of 1368   WScript.exe   csrss.exe
  PID 1368 wrote to memory of 1640   csrss.exe     WScript.exe
  PID 1368 wrote to memory of 1640   csrss.exe     WScript.exe
  PID 1368 wrote to memory of 1640   csrss.exe     WScript.exe
  PID 1368 wrote to memory of 796    csrss.exe     WScript.exe
  PID 1368 wrote to memory of 796    csrss.exe     WScript.exe
  PID 1368 wrote to memory of 796    csrss.exe     WScript.exe
  PID 1640 wrote to memory of 2944   WScript.exe   csrss.exe
  PID 1640 wrote to memory of 2944   WScript.exe   csrss.exe
  PID 1640 wrote to memory of 2944   WScript.exe   csrss.exe
  PID 2944 wrote to memory of 2376   csrss.exe     WScript.exe
System policy modification (1 TTPs, 27 IoCs)
Processes:
  All registry values below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  description      ioc                               process
  Set value (int)  EnableLUA = "0"                   fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)  PromptOnSecureDesktop = "0"       fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  EnableLUA = "0"                   csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
  Set value (int)  PromptOnSecureDesktop = "0"       csrss.exe
  Set value (int)  ConsentPromptBehaviorAdmin = "0"  csrss.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2648
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2452
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2472
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2860
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2512
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2572
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2580
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2520
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2488
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2496
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2104
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2700
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2420
    C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1288
    C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
      Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 1744
      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba87ecb-5940-4e8e-99b5-c28594552428.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 2652
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
          Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 1368
          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ff88d6-4078-428f-820d-d181dc812c8b.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 1640
            C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
              Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 2944
              C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34eee8e-524c-4087-a91e-d65ccab7e45a.vbs"
                PID: 2376
                C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                  Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification
                  PID: 2948
                  C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc084c79-a470-4d86-930c-d700d3640fdf.vbs"
                    PID: 2076
                    C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                      Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                      - UAC bypass
                      - Executes dropped EXE
                      - Checks whether UAC is enabled
                      - Suspicious use of AdjustPrivilegeToken
                      - System policy modification
                      PID: 1484
                      C:\Windows\System32\WScript.exe
                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ce29fa-6efb-4e8a-a27e-88125fae8067.vbs"
                        PID: 2628
                        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                          Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                          - UAC bypass
                          - Executes dropped EXE
                          - Checks whether UAC is enabled
                          - Suspicious use of AdjustPrivilegeToken
                          - System policy modification
                          PID: 3012
                          C:\Windows\System32\WScript.exe
                            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e469dcc1-53c4-4778-9dbb-78fc602cc11e.vbs"
                            PID: 2652
                            C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                              Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                              - UAC bypass
                              - Executes dropped EXE
                              - Checks whether UAC is enabled
                              - Suspicious use of AdjustPrivilegeToken
                              - System policy modification
                              PID: 2912
                              C:\Windows\System32\WScript.exe
                                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cd5ec01-4606-41ef-9bc8-2f0fc4de7219.vbs"
                                PID: 1252
                                C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                  Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                  - UAC bypass
                                  - Executes dropped EXE
                                  - Checks whether UAC is enabled
                                  - Suspicious use of AdjustPrivilegeToken
                                  - System policy modification
                                  PID: 804
                                  C:\Windows\System32\WScript.exe
                                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c417b61-62ba-4d00-878d-f6c7f03d2c67.vbs"
                                    PID: 1908
                                    C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                      Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                      PID: 2536
                                      C:\Windows\System32\WScript.exe
                                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375815db-b0f5-4f6e-a3db-62422041f877.vbs"
                                        PID: 2764
                                      C:\Windows\System32\WScript.exe
                                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9228f5ee-a058-463b-8c2c-682d53753662.vbs"
                                        PID: 2392
                                  C:\Windows\System32\WScript.exe
                                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f45f54-f828-4fbd-840a-ec174146d5bd.vbs"
                                    PID: 456
                              C:\Windows\System32\WScript.exe
                                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7796154a-93df-48a5-90d2-035d9d1fd528.vbs"
                                PID: 1912
                          C:\Windows\System32\WScript.exe
                            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f60a501-32b9-480d-ba19-0600d2faf1d3.vbs"
                            PID: 1936
                      C:\Windows\System32\WScript.exe
                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32820891-7f20-4536-a645-0b24fa57176c.vbs"
                        PID: 1720
                  C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5da4343-89e7-4ce4-8f8b-0ff6ad17c0dc.vbs"
                    PID: 3036
              C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b912e0d1-476a-4d1e-9a76-23175d7b3fb4.vbs"
                PID: 2056
          C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9a63528-aa9c-4210-a140-02570c0c228a.vbs"
            PID: 796
      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f2a627-7cef-471d-b9ba-76ada4004ead.vbs"
        PID: 1076
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2384
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2528
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2476
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2404
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2164
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2412
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 776
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 548
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1440
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1672
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1272
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2616
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2464
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2760
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1288
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2276
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1936
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1912
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 540
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1932
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1216
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2148
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1388
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1356
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2248
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2076
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2228
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2724
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 568
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 3.2MB
MD5: 438789fc2753a3a41d1704542bf93769
SHA1: 81a6c969c14fc47a15d2574cfb63dee2cbcbf12c
SHA256: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
SHA512: c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c
-
Filesize: 3.2MB
MD5: 60e4f641688b2f4359d3fac826d1a199
SHA1: 9bee2792188e7295cf751d97352f131248d4fe1e
SHA256: 3b728f74657834fca6750373d3b7c656f579c8dfccd4723e701d2d8ab64cdf6d
SHA512: 84206d85790b8672df8e43d1cb31b613cb938dfd8c30046dea17c3b4dbcc4f215dffaeb376aaeae9604cd789fca43714ffccd1bb353323b8016f949c43d87041
-
Filesize: 3.2MB
MD5: 749daae6606bc774af81edcff23d833b
SHA1: 8ff78bb25516f657866a0165ba7f6f628c995485
SHA256: 5bd6a0f6e337a46d1a630e1b80fc35f94e448dc7809cfd0ea906dcd1adf045d6
SHA512: 704e05c520803712ef19da7af200b375bd4b991e9ef7aa8a898aa9832ccebf196f468487321ac1037a0bd65e958ddec0815907454fc9a9218914e37380dc6af7
-
Filesize: 3.2MB
MD5: 919c134f4a1609c03d12346bafd0c477
SHA1: 0492532a5e7b2aaf43b8ee90d322a0837f070a65
SHA256: 8afb1a06f73741269d3a7503b4dc9457761b87f984662643beec753f48e851a7
SHA512: ba892d002686265dd59374f3c07602c5ba64e2fff119b72ce9ec72298807db1cd684f31cf928d0f92e091db8daf243d327fc20ac312452c184fb2b0a2910e37c
-
Filesize: 3.2MB
MD5: 71426b5d75999b9cf0e9c103197c08c9
SHA1: 319845464554dfd87365487f54b6bb8500edc4b6
SHA256: 169155d69cc77f53659647c1081ecc5a2cc88e9953f81e060f95bf6d73f3e8d2
SHA512: 2ce7d09b2004227e839ab70c5fa961c7cf634929fc98c03d106f668e24e46d1b6f32b6913b7a4af72658309ae4dcb5e2a7d1451473eeabba37ef877f203b5418
-
Filesize: 755B
MD5: f2dfbea51ed6b3095e63a93b63c1177a
SHA1: cd3ba5650272afee57c65c6a34c101eb3cbfc4d2
SHA256: 8b12ebd3d9e2538c6981e34dab3672d0d9e896ee1f64a3a453bb51633ce98dfb
SHA512: f5b58211b8714d2d9d7d7ad981b364990c116e239903612dd2c06d12eecf7be2f7238fca4efb766e3fbeb37bcf6f6c951d978703ad6962d2ce3e00a27fdbfa1d
-
Filesize: 756B
MD5: 7ac4f0fe7b64c0f85c8ab335ec7ff105
SHA1: 7360f81176c38ab2df7100f458a0cb949cb83cfb
SHA256: b77c6967198fd38b3120f812d9772d2b866961d11a5a86b156e6d26cf2df7cc6
SHA512: 369d5e4baada2e36a75fbb62a39b7ab5302eb879e7ee9907458b34c7dfb480486c1f0117a0be2e9ace680f04e1c7a484bce85dd1d592ae4a572a8326dc1e22bf
-
Filesize: 756B
MD5: 6ab9904c4d9fd634d5a056d4916efb96
SHA1: 9f0b254940aa44674e15b0f69e01bbc0bab44d08
SHA256: 7550b8db0d3e18fe1c911019eb96131f97733f2874b0e8641d04a5817bec0a2f
SHA512: d0a7341b425e776e05d6ce4a58e76943aad7a9319c65911058b03408f81efa34b998731b88292b16f671a4018dce613be0dd0f690300d4d6635cbfb9e2fb7354
-
Filesize: 756B
MD5: 0c88e1125e2e075cffd6a30744b1698c
SHA1: af466f851db31ffcf8857db943e80fa45f0ba4bc
SHA256: fc142352c5366c0a4ea12449c0d55a932556fe188df35bce98295254db59e198
SHA512: 5522f1005bab30082f0800784962b289680d521d080f6226ee0a7b7e79da9b0426eef1322bdcebda8e7825528e4335af64ef94c97a52ba879f83205de428337b
-
Filesize: 532B
MD5: 10303bc69fa8240d20cf5411ed9f08d2
SHA1: f9ce752d2017e8ea9b4c2ffaf7b52e6deb8dcbb9
SHA256: 6e21f2ccae98936d1bfaaf865f5b222a32f3ed364a48229d985245bee85afee9
SHA512: c7375740505967e759231bec896e8327c4763d80cfd87eb374f1e0b1ecb6148f36aba687a957a7eaf783ce5cdca276e68ad06604bd5bc47dc4f0550b969d5eda
-
Filesize: 756B
MD5: 00d4d9e1de1097dfabff299dfc0e3629
SHA1: ab218433e1eafa3d6e68fceed5ec83f18d604cb4
SHA256: 812a358fa3397570aec1f135edff46404579e56edfdd155d6b04717827f405da
SHA512: d95bc8931aeb7fc2727ce1417b91eff92ab7713f6a61a9b8e5e6ba283c22db5c3452a422f0902fdc743f9289cb489f346e19fb9546f8673d01758be76d48f105
-
Filesize: 245B
MD5: c1a19ccf2aa8d88f6f365cfd2547f516
SHA1: 74713e9d55b05b1b2c61d5474c213ee7646d254f
SHA256: 1ff928749c2a6499bb57f96e0164ffb8be19cb00653dca7cc9b6bac0dc0fbf21
SHA512: 5d4f3ff110f442910382e00c783b3c7958e8493677b9144467fce0c6dd4bb731c71ab7f127a2aeab784c7d5571457ad68827f1d1d306a13452bdcd81c201a656
-
Filesize: 467KB
MD5: 7300e57d231fce9f16f15085540f8246
SHA1: 37c8b4127eac2c7f744d016d1376cda68e4aad5b
SHA256: 0cd54d02aa25982056b8a47df0fdc1af8904f1060bd7aeb922c8b83be1b54fe2
SHA512: dc050385d1aa8051f0da2976772a766caa6d4a77105e42bdf409f3a15d6c7e7366cd0aa537152b85e8a556e1bd4746e2700a6284aacd33a26bb58acfa9f697ef
-
Filesize: 756B
MD5: 7e3ddd3047c8b776e128e14beb7c46ed
SHA1: e47c0d9956f6beb72cbb8bef4c2c2015891ddbb1
SHA256: 5f1e1f425d87bc945abbe9f4912fc2f6540d8952a4969b211b0f5bc5d3f14573
SHA512: 1139ac45e1cf1e26733d8e1dbf52900b7461351afda27c5e38c7076a21e52a65b2e67918b3a8c84b0ff9a72e4b6ff970483ddef8e99785eb22a8be8bdd5a4057
-
Filesize: 756B
MD5: fdfbbf4d02a9b20da56338041af9571c
SHA1: 7375fd808379b91c3e1a6cd83403101659f84e10
SHA256: 91860b4f3a1046a68feb6bc9f474ea6a5097790e5f626392a8e0412ea60810b0
SHA512: 98415bbdeb343cdb287bb08e0d458c681fe5b0a3bb5f26b03ba5aa7be0b195e160a1f50f5a5cfe07ac3141687e9f3ef30e904978a19ba84e3ef4d69b787b5dfa
-
Filesize: 756B
MD5: 9d7fe2321ed6d6284dc0b9e038fa3aec
SHA1: f5dd74d9d5717324535d858dfd1275eceb26d7d1
SHA256: c1f1657f9bfd71022a44d2cbf9a817da933872e82ebfe04de0489e64332767ef
SHA512: 4d32babdd81156949025df111049a744200a1b7c286690bcc1f75827c337d7cd81ce23f9123d7ff02ad62d0096e77c59e8762c9480765ad818c355c9efc1bef6
-
Filesize: 756B
MD5: 9a97b45e5fdb92ca10bccec669bb1b6a
SHA1: 2f0e201465fe4d95b0678f229fb93fb22967d7b5
SHA256: 8c303c0a32929cbd6be14474ca3a76afdba8e570d655eddcffcd1a9fafdfe10a
SHA512: 6096a197ad4994a6f6b1fcfeff9193e7ff492b1d6a76c63c5208d518e5d7abe1027ffbacaa15f3453953bc3a7793455d697106fad3c7cce2522158f77010bc19
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0f9e54f32bc40170c3f7b2d24e3cc207
SHA1: 2b65591f3f1135405a3c64e8f429028895d9a113
SHA256: 0dcdbbeba1690cbb792e1845c02a8de2c80b3fbd120a7944f72182a7bac39b6d
SHA512: 6bf40f4106429e3a5b88da196266166557c3b0465be3550045ce6cbeb9bbad30578b28b96e4b929ace1314dff97d1ab22d9c7cce786422cbf02deddd486a9247
-
Filesize: not listed (these are the hashes of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e