Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 14:16
Static task
static1
Behavioral task
behavioral1
Sample
443110dabe7095bf8afe27bf3dc27f60N.exe
Resource
win7-20240903-en
General
-
Target
443110dabe7095bf8afe27bf3dc27f60N.exe
-
Size
4.9MB
-
MD5
443110dabe7095bf8afe27bf3dc27f60
-
SHA1
03554dc5583fd4d38124bf4f65405faadf61543e
-
SHA256
43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3
-
SHA512
aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2736 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2740 schtasks.exe 29 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 2740 schtasks.exe 29 -
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe -
Processes:
resource yara_rule behavioral1/memory/984-3-0x000000001B520000-0x000000001B64E000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2904 powershell.exe 2784 powershell.exe 2848 powershell.exe 1968 powershell.exe 2824 powershell.exe 2628 powershell.exe 1392 powershell.exe 1384 powershell.exe 2928 powershell.exe 2844 powershell.exe 2328 powershell.exe 2896 powershell.exe -
Executes dropped EXE 8 IoCs
Processes:
sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exepid Process 2240 sppsvc.exe 2440 sppsvc.exe 2812 sppsvc.exe 2128 sppsvc.exe 2352 sppsvc.exe 3036 sppsvc.exe 1312 sppsvc.exe 2036 sppsvc.exe -
Processes:
sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 443110dabe7095bf8afe27bf3dc27f60N.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe -
Drops file in Program Files directory 8 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exedescription ioc Process File opened for modification C:\Program Files\Windows NT\Accessories\it-IT\RCX2E44.tmp 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Program Files\Windows NT\Accessories\it-IT\System.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX32B9.tmp 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Program Files\Windows NT\Accessories\it-IT\System.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Program Files\Windows NT\Accessories\it-IT\27d1bcfc3c54e0 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16 443110dabe7095bf8afe27bf3dc27f60N.exe -
Drops file in Windows directory 8 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exedescription ioc Process File created C:\Windows\addins\6ccacd8608530f 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Windows\inf\de-DE\RCX3086.tmp 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Windows\inf\de-DE\wininit.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Windows\addins\RCX34DC.tmp 443110dabe7095bf8afe27bf3dc27f60N.exe File opened for modification C:\Windows\addins\Idle.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Windows\inf\de-DE\wininit.exe 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Windows\inf\de-DE\56085415360792 443110dabe7095bf8afe27bf3dc27f60N.exe File created C:\Windows\addins\Idle.exe 443110dabe7095bf8afe27bf3dc27f60N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 2040 schtasks.exe 2652 schtasks.exe 2552 schtasks.exe 3044 schtasks.exe 2172 schtasks.exe 1792 schtasks.exe 2112 schtasks.exe 2916 schtasks.exe 2180 schtasks.exe 3056 schtasks.exe 2736 schtasks.exe 2960 schtasks.exe 1992 schtasks.exe 2920 schtasks.exe 2584 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exepid Process 984 443110dabe7095bf8afe27bf3dc27f60N.exe 1392 powershell.exe 2848 powershell.exe 2824 powershell.exe 2784 powershell.exe 2896 powershell.exe 2904 powershell.exe 1968 powershell.exe 1384 powershell.exe 2844 powershell.exe 2928 powershell.exe 2328 powershell.exe 2628 powershell.exe 2240 sppsvc.exe 2440 sppsvc.exe 2812 sppsvc.exe 2128 sppsvc.exe 2352 sppsvc.exe 3036 sppsvc.exe 1312 sppsvc.exe 2036 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exedescription pid Process Token: SeDebugPrivilege 984 443110dabe7095bf8afe27bf3dc27f60N.exe Token: SeDebugPrivilege 1392 powershell.exe Token: SeDebugPrivilege 2848 powershell.exe Token: SeDebugPrivilege 2824 powershell.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeDebugPrivilege 2896 powershell.exe Token: SeDebugPrivilege 2904 powershell.exe Token: SeDebugPrivilege 1968 powershell.exe Token: SeDebugPrivilege 1384 powershell.exe Token: SeDebugPrivilege 2844 powershell.exe Token: SeDebugPrivilege 2928 powershell.exe Token: SeDebugPrivilege 2328 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 2240 sppsvc.exe Token: SeDebugPrivilege 2440 sppsvc.exe Token: SeDebugPrivilege 2812 sppsvc.exe Token: SeDebugPrivilege 2128 sppsvc.exe Token: SeDebugPrivilege 2352 sppsvc.exe Token: SeDebugPrivilege 3036 sppsvc.exe Token: SeDebugPrivilege 1312 sppsvc.exe Token: SeDebugPrivilege 2036 sppsvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exeWScript.exesppsvc.exeWScript.exesppsvc.exedescription pid Process procid_target PID 984 wrote to memory of 1392 984 443110dabe7095bf8afe27bf3dc27f60N.exe 45 PID 984 wrote to memory of 1392 984 443110dabe7095bf8afe27bf3dc27f60N.exe 45 PID 984 wrote to memory of 1392 984 443110dabe7095bf8afe27bf3dc27f60N.exe 45 PID 984 wrote to memory of 1384 984 443110dabe7095bf8afe27bf3dc27f60N.exe 46 PID 984 wrote to memory of 1384 984 443110dabe7095bf8afe27bf3dc27f60N.exe 46 PID 984 wrote to memory of 1384 984 443110dabe7095bf8afe27bf3dc27f60N.exe 46 PID 984 wrote to memory of 2904 984 443110dabe7095bf8afe27bf3dc27f60N.exe 48 PID 984 wrote to memory of 2904 984 443110dabe7095bf8afe27bf3dc27f60N.exe 48 PID 984 wrote to memory of 2904 984 443110dabe7095bf8afe27bf3dc27f60N.exe 48 PID 984 wrote to memory of 2784 984 443110dabe7095bf8afe27bf3dc27f60N.exe 49 PID 984 wrote to memory of 2784 984 443110dabe7095bf8afe27bf3dc27f60N.exe 49 PID 984 wrote to memory of 2784 984 443110dabe7095bf8afe27bf3dc27f60N.exe 49 PID 984 wrote to memory of 2896 984 443110dabe7095bf8afe27bf3dc27f60N.exe 50 PID 984 wrote to memory of 2896 984 443110dabe7095bf8afe27bf3dc27f60N.exe 50 PID 984 wrote to memory of 2896 984 443110dabe7095bf8afe27bf3dc27f60N.exe 50 PID 984 wrote to memory of 2928 984 443110dabe7095bf8afe27bf3dc27f60N.exe 51 PID 984 wrote to memory of 2928 984 443110dabe7095bf8afe27bf3dc27f60N.exe 51 PID 984 wrote to memory of 2928 984 443110dabe7095bf8afe27bf3dc27f60N.exe 51 PID 984 wrote to memory of 2844 984 443110dabe7095bf8afe27bf3dc27f60N.exe 52 PID 984 wrote to memory of 2844 984 443110dabe7095bf8afe27bf3dc27f60N.exe 52 PID 984 wrote to memory of 2844 984 443110dabe7095bf8afe27bf3dc27f60N.exe 52 PID 984 wrote to memory of 2328 984 443110dabe7095bf8afe27bf3dc27f60N.exe 53 PID 984 wrote to memory of 2328 984 443110dabe7095bf8afe27bf3dc27f60N.exe 53 PID 984 wrote to memory of 2328 984 443110dabe7095bf8afe27bf3dc27f60N.exe 53 PID 984 wrote to memory of 2628 984 443110dabe7095bf8afe27bf3dc27f60N.exe 54 PID 984 wrote to memory of 2628 984 443110dabe7095bf8afe27bf3dc27f60N.exe 54 PID 984 wrote to memory of 2628 984 443110dabe7095bf8afe27bf3dc27f60N.exe 54 PID 984 wrote to memory of 2848 984 443110dabe7095bf8afe27bf3dc27f60N.exe 55 PID 984 wrote to memory of 2848 984 443110dabe7095bf8afe27bf3dc27f60N.exe 55 PID 984 wrote to memory of 2848 984 443110dabe7095bf8afe27bf3dc27f60N.exe 55 PID 984 wrote to memory of 2824 984 443110dabe7095bf8afe27bf3dc27f60N.exe 56 PID 984 wrote to memory of 2824 984 443110dabe7095bf8afe27bf3dc27f60N.exe 56 PID 984 wrote to memory of 2824 984 443110dabe7095bf8afe27bf3dc27f60N.exe 56 PID 984 wrote to memory of 1968 984 443110dabe7095bf8afe27bf3dc27f60N.exe 57 PID 984 wrote to memory of 1968 984 443110dabe7095bf8afe27bf3dc27f60N.exe 57 PID 984 wrote to memory of 1968 984 443110dabe7095bf8afe27bf3dc27f60N.exe 57 PID 984 wrote to memory of 2240 984 443110dabe7095bf8afe27bf3dc27f60N.exe 69 PID 984 wrote to memory of 2240 984 443110dabe7095bf8afe27bf3dc27f60N.exe 69 PID 984 wrote to memory of 2240 984 443110dabe7095bf8afe27bf3dc27f60N.exe 69 PID 984 wrote to memory of 2240 984 443110dabe7095bf8afe27bf3dc27f60N.exe 69 PID 984 wrote to memory of 2240 984 443110dabe7095bf8afe27bf3dc27f60N.exe 69 PID 2240 wrote to memory of 2600 2240 sppsvc.exe 70 PID 2240 wrote to memory of 2600 2240 sppsvc.exe 70 PID 2240 wrote to memory of 2600 2240 sppsvc.exe 70 PID 2240 wrote to memory of 2920 2240 sppsvc.exe 71 PID 2240 wrote to memory of 2920 2240 sppsvc.exe 71 PID 2240 wrote to memory of 2920 2240 sppsvc.exe 71 PID 2600 wrote to memory of 2440 2600 WScript.exe 72 PID 2600 wrote to memory of 2440 2600 WScript.exe 72 PID 2600 wrote to memory of 2440 2600 WScript.exe 72 PID 2600 wrote to memory of 2440 2600 WScript.exe 72 PID 2600 wrote to memory of 2440 2600 WScript.exe 72 PID 2440 wrote to memory of 960 2440 sppsvc.exe 73 PID 2440 wrote to memory of 960 2440 sppsvc.exe 73 PID 2440 wrote to memory of 960 2440 sppsvc.exe 73 PID 2440 wrote to memory of 2232 2440 sppsvc.exe 74 PID 2440 wrote to memory of 2232 2440 sppsvc.exe 74 PID 2440 wrote to memory of 2232 2440 sppsvc.exe 74 PID 960 wrote to memory of 2812 960 WScript.exe 75 PID 960 wrote to memory of 2812 960 WScript.exe 75 PID 960 wrote to memory of 2812 960 WScript.exe 75 PID 960 wrote to memory of 2812 960 WScript.exe 75 PID 960 wrote to memory of 2812 960 WScript.exe 75 PID 2812 wrote to memory of 1548 2812 sppsvc.exe 76 -
System policy modification 1 TTPs 27 IoCs
Processes:
443110dabe7095bf8afe27bf3dc27f60N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 443110dabe7095bf8afe27bf3dc27f60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sppsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sppsvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e7b06c-4491-447c-95fc-4642800edf96.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\408377c1-5825-4ba0-9728-7e4027fb671d.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2812 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce713ec0-df60-4489-95b6-133fa1605fda.vbs"7⤵PID:1548
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2128 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d186c95-dab6-462b-a343-6bf3e34954de.vbs"9⤵PID:2504
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2352 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbaa5748-3db0-4a30-bcde-c67e4e75adb2.vbs"11⤵PID:956
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7215af-a79d-40d2-b64a-060e0ca00bed.vbs"13⤵PID:2912
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1312 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3800567-4f92-4cbd-9314-304dd32b4d7f.vbs"15⤵PID:1652
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2036
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd36744-a89a-4469-88d3-c415ea69f36f.vbs"15⤵PID:2820
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52838bf6-1ee6-483e-a374-9767d97fbbbf.vbs"13⤵PID:1212
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f92ac8-3513-481f-95ec-70fe6cd96871.vbs"11⤵PID:2652
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\949a8410-26dc-47ed-a959-43208b1901bf.vbs"9⤵PID:2900
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\062a8ecd-5f3a-4c74-94df-6e37404e47dd.vbs"7⤵PID:1748
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf365e92-5dd8-4438-a9f5-1ff20ef8dfc4.vbs"5⤵PID:2232
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc671ec6-f7f3-48fd-909b-90343576f257.vbs"3⤵PID:2920
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
757B
MD5b6079aa4b6c443f0ff5be6d4570d8055
SHA19492c01488898788c13cd9aa089e4b2be0b2a800
SHA2563725b43e41d6102f07370713c666f9c9ddf7a66b6da17126356de6a9596b4cae
SHA5124ee768d54285a38914cf016c86bb4c898806b1350b04bab478772b3ca057a3788ceb84455d274d22d5fb703336111c194575404a5265dc4946f707f4573ddb6b
-
Filesize
757B
MD5cef39c1d5468d02a883a32593f5b197d
SHA195fd45a3eedc6d54d0ba844c2aa0f397697e2ff7
SHA256dfbe1426b8905e758642b6f04471ed19ba7f419ce942b6f9c188ba77cfc87c12
SHA512b1a5b4be1d22286734094864ebfec87ce23679c3fe745e40edbc2aa1ea4fb90d56a9b3d3bdb85cda4905b09101af926ba4bf2862e4acb162f73f5b173964a3a5
-
Filesize
757B
MD5b96709700623c578aab2bc9bc8935dd4
SHA1635aab0315ecb88ac6a123624dcc4be3c0c83bc4
SHA256178da982fffd62877ae99b6b8f62f19b411e5e7302ddc0799d61482f8d16cac7
SHA51210fddea6cacf4c689606a3cb0b420e410dc9f73568b45a9324423397430a8ffbf23e1184c8f9f31440b125637f19b328f10af8b55ca08be2606a3079694bd362
-
Filesize
757B
MD54e42afed0549f75bc518e67b978902cf
SHA12bd2c51098faacabbcf02199d4234305a2537a42
SHA256f8b3bcdde3e006191f26e3f3c8c0de0304aa1d6e5a7ad2b385cbf6f71b95861b
SHA512146b652894dbe1be32ca919c504bf0fba0771efe9e051f6ac3e0508142b6418b2e6c7212cc941a06f1d8c666d1a8f01db90c74da0597210bded3f2ecbd36c1d6
-
Filesize
757B
MD55177c5ac3538c60ec648eb9fdb26c702
SHA1ff2e398a185aa56aa465b0e931332ececc8d7f39
SHA256f0be22edca38315083c63e6240b104d4bc508f24d2ee021ee8bb3680896aae4d
SHA5129c2ad7ae035364079c3a7ae07774d5e61b815abb13a6f8d85c8aa23c6f3e9d920bcded952fb8e9f38329d98c8c0b1b0a5c3935b5f757b715c55ffd3f81e2359d
-
Filesize
757B
MD559df3ec037fb7e7467cc21035bc0ddef
SHA1382e4a3067a15f8bf99c08baf70e2a32e458c3f1
SHA2568d5146ef4f07f7ca1ec7651dac2ca2f9b10733fbf14b9e0da586c5b11beacb52
SHA5123e6ee4d77ab16a758b848f35939b098f24f45e855af40fe12f9c1280c6b7e7a60c65130f95b4fe842707732646ff32971a49e6fa22e5877d73bafd54ab2e1211
-
Filesize
533B
MD5d65317641551435f11a36ba706e2c240
SHA1a82e8fc672b9aa04a1c5c08b0ecaa63fefcb4381
SHA256de2116f96ef9e6982603d4f941a8a029fbaa8f9cf603da1ad35cbc6bad9100c9
SHA5127f45bd6fc934fcdefc28c04c48707c5caf0516c42d9bff35be205aa71f84f5a7f54c4fde0a977f05b244f0820c5d5d353b10859b054767a22f02880d245f67d6
-
Filesize
757B
MD5a5b965a17481e0c548737a31df732075
SHA1f830acd9b61eccfbe047be31887e194d35acca2c
SHA25661672ba0638d966308514741e32715b903421c24fde40a0189a432612ec01633
SHA5121383b0f8f7ba6f02a8c8410d0bf5bf4cd06d145479570adf73701162af002d27a102a58ed99c2812cddba129f1237ad5ff6d7c40ab19cfcf9c1eac1846db4225
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD545e8b99a3c656da3c51783d9bed6b343
SHA16f3c70f2cd96b93ea353223a4aeef080da0c7743
SHA256307ca468d1edb57beb6853360b8048e69b21eaf539a98a3d81ec0b92af6cb294
SHA512db8059ea54dc0ffb73b86c440d4a930db24692f0bbdf260d6668b91316593c1807261e9f31d4ea3dec9d1560603bb7eaab0742ddd24ca8780ce02a32298cedcd
-
Filesize
4.9MB
MD5443110dabe7095bf8afe27bf3dc27f60
SHA103554dc5583fd4d38124bf4f65405faadf61543e
SHA25643f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3
SHA512aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070