Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
16-05-2024 05:45
Behavioral task
behavioral1
Sample
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource
win10v2004-20240426-en
General
-
Target
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
-
Size
2.7MB
-
MD5
a78d0c51cca6fcf4a6ef0c33e5fd0bd4
-
SHA1
5768a7cf4aeed1327d64087f55fc6fba34f817fd
-
SHA256
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
-
SHA512
a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5
-
SSDEEP
49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 26 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\", 
\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\audiodg.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\taskhost.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows 
Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", 
\"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network 
Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program 
Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync 
Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\"" 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", 
\"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package 
Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", 
\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All 
Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\", \"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\", \"C:\\Windows\\debug\\WIA\\winlogon.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\", \"C:\\Windows\\system\\wininit.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\", \"C:\\Windows\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report, however, every entry has C:\Windows\system32\wbem\wmiprvse.exe (PID 2608) as the parent, which is consistent with the sample creating processes through WMI rather than with the WMI provider host itself being exploited; verify against the full process tree and the schtasks command lines before treating the parent as compromised.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1184 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2088 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1264 2608 schtasks.exe Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1468 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 864 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 292 2608 
schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1444 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1864 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 2968 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 696 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 280 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2088 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2332 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 944 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 864 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2608 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 292 2608 schtasks.exe -
Processes:
csrss.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Processes:
resource yara_rule behavioral1/memory/2360-1-0x00000000003E0000-0x00000000006A0000-memory.dmp dcrat C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe dcrat C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe dcrat C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe dcrat behavioral1/memory/1700-208-0x0000000000150000-0x0000000000410000-memory.dmp dcrat -
Detects executables packed with SmartAssembly 8 IoCs (all eight hits below are in-memory regions of PID 2360, not the sample file on disk)
Processes:
resource yara_rule behavioral1/memory/2360-6-0x0000000000300000-0x0000000000310000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-11-0x00000000007B0000-0x00000000007BA000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-12-0x000000001AAB0000-0x000000001AB06000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-15-0x0000000002280000-0x000000000228C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-18-0x00000000022B0000-0x00000000022BC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-21-0x000000001AEE0000-0x000000001AEEC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-24-0x000000001B0A0000-0x000000001B0AA000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly behavioral1/memory/2360-22-0x000000001AEF0000-0x000000001AEFC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. Only the two PowerShell PIDs are listed in this section; the exclusion command lines are not shown here, so the specific excluded paths and processes must be taken from the process tree or command-line log.
Processes:
powershell.exepowershell.exepid process 2144 powershell.exe 1084 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.execsrss.exepid process 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1700 csrss.exe -
Adds Run key to start application 2 TTPs 50 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\taskhost.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\ja-JP\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Sync 
Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Cookies\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\debug\\WIA\\winlogon.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Videos\\Sample Videos\\Idle.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\debug\\WIA\\winlogon.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\smss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\taskhost.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Users\\Admin\\Recent\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\ja-JP\\lsass.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Cookies\\lsm.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Windows\\system\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\csrss.exe\"" 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8 = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\System.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\audiodg.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\system\\wininit.exe\"" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.execsrss.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops file in Program Files directory 30 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exedescription ioc process File created C:\Program Files\VideoLAN\VLC\locale\lsass.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\886983d96e3d3e fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX1411.tmp fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\RCX2112.tmp fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\56085415360792 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program 
Files\Windows Mail\en-US\f3b6ecef712a24 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\69ddcba757bf72 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Windows Media Player\Network Sharing\f8b8b36af0ad28 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\VideoLAN\VLC\locale\6203df4a6bafc7 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\Windows Mail\en-US\RCXF9C.tmp fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\Windows NT\TableTextService\fr-FR\42af1c969fbb7b fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\Windows Mail\en-US\spoolsv.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\Windows Mail\en-US\spoolsv.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Windows Defender\it-IT\56085415360792 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lsass.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Drops file in Windows directory 17 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exedescription ioc process File opened for modification C:\Windows\debug\WIA\winlogon.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\system\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\ja-JP\RCX1D0A.tmp fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\system\RCX1819.tmp fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\ja-JP\lsass.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\Vss\Writers\sppsvc.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\Vss\Writers\sppsvc.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\system\56085415360792 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\system\f8b8b36af0ad28 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File opened for modification C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\Vss\Writers\0a1fd5f707cd16 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\debug\WIA\winlogon.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\debug\WIA\cc11b995f2a76d fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\system\wininit.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\ja-JP\lsass.exe 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\ja-JP\6203df4a6bafc7 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe File created C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1672 schtasks.exe 2624 schtasks.exe 1184 schtasks.exe 1956 schtasks.exe 2528 schtasks.exe 696 schtasks.exe 2940 schtasks.exe 2768 schtasks.exe 2944 schtasks.exe 2852 schtasks.exe 1960 schtasks.exe 2600 schtasks.exe 2088 schtasks.exe 944 schtasks.exe 2020 schtasks.exe 1972 schtasks.exe 3004 schtasks.exe 1632 schtasks.exe 864 schtasks.exe 1528 schtasks.exe 1556 schtasks.exe 292 schtasks.exe 2052 schtasks.exe 2724 schtasks.exe 2136 schtasks.exe 2620 schtasks.exe 2760 schtasks.exe 1452 schtasks.exe 2176 schtasks.exe 1624 schtasks.exe 1800 schtasks.exe 2668 schtasks.exe 1792 schtasks.exe 2864 schtasks.exe 2088 schtasks.exe 1264 schtasks.exe 2760 schtasks.exe 2056 schtasks.exe 2588 schtasks.exe 2796 schtasks.exe 2824 schtasks.exe 2680 schtasks.exe 864 schtasks.exe 1424 schtasks.exe 2480 schtasks.exe 2684 schtasks.exe 1468 schtasks.exe 684 schtasks.exe 2508 schtasks.exe 1864 schtasks.exe 2412 schtasks.exe 876 schtasks.exe 1444 schtasks.exe 280 schtasks.exe 2160 schtasks.exe 2968 schtasks.exe 2116 schtasks.exe 2332 schtasks.exe 1664 schtasks.exe 1620 schtasks.exe 2564 schtasks.exe 1480 schtasks.exe 2340 schtasks.exe 2296 schtasks.exe -
Processes:
csrss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 csrss.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exepowershell.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exepid process 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 2144 powershell.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exepowershell.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exepowershell.execsrss.exedescription pid process Token: SeDebugPrivilege 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Token: SeDebugPrivilege 2144 powershell.exe Token: SeDebugPrivilege 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Token: SeDebugPrivilege 1084 powershell.exe Token: SeDebugPrivilege 1700 csrss.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.execmd.exedescription pid process target process PID 2360 wrote to memory of 2144 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 2360 wrote to memory of 2144 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 2360 wrote to memory of 2144 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 2360 wrote to memory of 1760 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe PID 2360 wrote to memory of 1760 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe PID 2360 wrote to memory of 1760 2360 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe PID 1760 wrote to memory of 1084 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 1760 wrote to memory of 1084 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 1760 wrote to memory of 1084 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe powershell.exe PID 1760 wrote to memory of 668 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe cmd.exe PID 1760 wrote to memory of 668 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe cmd.exe PID 1760 wrote to memory of 668 1760 fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe cmd.exe PID 668 wrote to memory of 892 668 cmd.exe w32tm.exe PID 668 wrote to memory of 892 668 cmd.exe w32tm.exe PID 668 wrote to memory of 892 668 cmd.exe w32tm.exe PID 668 wrote to memory of 1700 668 cmd.exe csrss.exe 
PID 668 wrote to memory of 1700 668 cmd.exe csrss.exe PID 668 wrote to memory of 1700 668 cmd.exe csrss.exe -
System policy modification 1 TTPs 9 IoCs
Processes:
fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exefdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.execsrss.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵PID:892
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 6 /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 10 /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\debug\WIA\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f1⤵
- Process spawned unexpected child process
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\system\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /f1⤵
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /f1⤵
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1620
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Scheduled Task/Job (1) — evidenced by the schtasks.exe /create entries above. The task names reuse Windows process names (explorer, csrss, wininit, audiodg, taskhost) while every /tr target is a copy placed outside System32 (C:\Recovery\…, Program Files\Common Files\…, Windows Defender\it-IT, Windows NT\TableTextService\fr-FR); each payload gets an ONLOGON task plus one or two MINUTE-interval re-launch tasks, and /f silently overwrites any existing task of the same name. Task-creation events (Security 4698, TaskScheduler Operational log) keyed on these names and paths are a direct hunting hook.
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Scheduled Task/Job (1) — /rl HIGHEST requests the highest privileges available to the creating account; as a rule it only yields an elevated task when the process running schtasks.exe is itself already elevated.
Downloads
-
Filesize
2.7MB
MD5a78d0c51cca6fcf4a6ef0c33e5fd0bd4
SHA15768a7cf4aeed1327d64087f55fc6fba34f817fd
SHA256fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
SHA512a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5
-
Filesize
237B
MD55d348d27d4d6502b9b8f64607b1b29ec
SHA1eaa0fe62129a5ad7ef9c86d8cab0ed23dfeaeca5
SHA256823801c23f6a208f9b65669e29413924beb529f38566867d457d12499d920c8c
SHA512e538810da92c0508f87947f602e9d1f32f22366c9b81f9252c2ccdfb1f84c337a6a5477124ddd3b7af50ced2a76f05c98151f222cfbe2107a6689ea9cc3a0ef6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58b338f1d2f694efc580ea74ab3981850
SHA1464b09d385bdec57d9133faabb3554a2354e1e74
SHA2567a1c6be470f437fc58a299b58e77e5031549e543827d45ab5f3192538b9825f7
SHA512fc45958f132e4fe3d2f9f609de4aac27188a6fe96df3333a9d094ca89bc300bf1bfe1c18b01422d102de03fdb2a06caa5c5bde9543b9a3adaeff14fe1f418d3d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Filesize2.7MB
MD5ae65c997e56439f2ebac360add75316c
SHA195c9362d655548ca88b40e57a2ea5fd4278a6523
SHA256038371de6e69352136d0747b3ced1379a456be534932d0764ecd3b4b88f4dbfa
SHA5126fe30fb26717db5131844370982baaa2153991932e6a18ac509ddb95b0d2c10dd06db0e2cad173fc165474a4aa691db37c339d840bc8ed3270331575835b4130
-
Filesize
2.7MB
MD5ee2cd1521ff1bc39102dabbd375ad0b7
SHA1e413734d0c0e2d7d3dfe4e5920a6fab937368f02
SHA256b2ad526591e910739dea4ab308d400142069f4cf99ca7eaf1912e445709b9afa
SHA512629ecf240c106ce829f8bb7e5c58e9975e92456bcd57f1fc33faedd75784f098c0ad7a8e81be10e5910a4aeaeeb33e291567dd48f9c38eca05368f8f5e2844a2
-
MD5 (note: the MD5/SHA1/SHA256/SHA512 values below are the well-known digests of a zero-byte input — d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135… — so this entry is an empty file and should not be used as an indicator)
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e