Analysis
-
max time kernel
41s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 15:49
Static task
static1
Behavioral task
behavioral1
Sample
jarbest-obf.jar
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
jarbest-obf.jar
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
jarbest-obf.jar
Resource
win11-20241007-en
General
-
Target
jarbest-obf.jar
-
Size
6.8MB
-
MD5
183038eacde2898dd081ea76f73775a3
-
SHA1
c1ea9bbd90f8ce35ea00d09f76254976f35e3cba
-
SHA256
405633b7f6c5ecfa971f23dbb09e85d40224bb74c83ffdafb827b301bc413427
-
SHA512
edba63707f4f257eb94503fe481db88dd28347e0a2d01836242ed9052164d340ff629c1585054c28a8cd2c867a8968c467b14cf2ac05bf8c73164843fcfa91f9
-
SSDEEP
196608:TsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:TsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files 
(x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserSvc\\w32tm.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup 
Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program 
Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserSvc\\w32tm.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", 
\"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserSvc\\w32tm.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Windows\\en-US\\lsass.exe\", \"C:\\Windows\\Vss\\Writers\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserSvc\\w32tm.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Windows\\en-US\\lsass.exe\", \"C:\\Windows\\Vss\\Writers\\backgroundTaskHost.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\upfc.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\", \"C:\\BrowserSvc\\unsecapp.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserSvc\\w32tm.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Windows\\en-US\\lsass.exe\"" upfc.exe.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1396 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3604 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 636 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 776 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3680 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1488 4624 
schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3916 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 372 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1188 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1296 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 4624 schtasks.exe 91 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 212 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 744 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3604 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4144 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3716 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3692 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 460 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3776 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4308 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4600 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 4624 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3688 4624 schtasks.exe 91 -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 1620 powershell.exe 3364 powershell.exe 2556 powershell.exe 2360 powershell.exe 1792 powershell.exe 4456 powershell.exe 2188 powershell.exe 2628 powershell.exe 1972 powershell.exe 3464 powershell.exe 5080 powershell.exe 5084 powershell.exe 2628 powershell.exe 3808 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop the file from showing in Explorer and similar tools.
pid Process 1028 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 9 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation Checker.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation msAgentreviewCommon.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation upfc.exe.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation upfc.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe -
Executes dropped EXE 10 IoCs
pid Process 3860 WinSFX.exe 1812 Checker.exe 1728 RunShell.exe 3384 msAgentreviewCommon.exe 1724 upfc.exe 844 upfc.exe.exe 4616 msAgentreviewCommon.exe 4496 dllhost.exe 1468 dllhost.exe.exe 3572 upfc.exe.exe -
Loads dropped DLL 1 IoCs
pid Process 2360 java.exe -
Adds Run key to start application 2 TTPs 36 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\BrowserSvc\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\bcastdvr\\upfc.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Vss\\Writers\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc.exe = "\"C:\\Windows\\bcastdvr\\upfc.exe.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\Users\\All 
Users\\Packages\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w32tm = "\"C:\\BrowserSvc\\w32tm.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\en-US\\lsass.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc.exe = "\"C:\\Windows\\bcastdvr\\upfc.exe.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\smss.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Vss\\Writers\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\Users\\All Users\\Packages\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = 
"\"C:\\Windows\\schemas\\CodeIntegrity\\dllhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\BrowserSvc\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\en-US\\lsass.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w32tm = "\"C:\\BrowserSvc\\w32tm.exe\"" upfc.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" upfc.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" RunShell.exe 
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\smss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\bcastdvr\\upfc.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" msAgentreviewCommon.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: java.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 27 discord.com 28 discord.com 33 discord.com 38 raw.githubusercontent.com 39 raw.githubusercontent.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 api.ipify.org 22 ip-api.com 46 ipinfo.io 47 ipinfo.io 17 api.ipify.org -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCBFF02F972CD74EE898EF1A636536A81.TMP csc.exe File created \??\c:\Windows\System32\-63gkj.exe csc.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\CSC8D1FA316F8B14EF9B820206416555E14.TMP csc.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe csc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe RunShell.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\5940a34987c991 RunShell.exe File created C:\Program Files (x86)\Windows Defender\smss.exe RunShell.exe File created C:\Program Files (x86)\Windows Defender\69ddcba757bf72 RunShell.exe File created \??\c:\Program Files (x86)\WindowsPowerShell\CSC6218CE8863974421835BBBD1F83D71.TMP csc.exe File created \??\c:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe csc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe RunShell.exe File created C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe RunShell.exe File created C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9 RunShell.exe File created \??\c:\Program Files (x86)\Windows Defender\CSC93CD0C0977F940629D851619DF4D1525.TMP csc.exe File created \??\c:\Program Files (x86)\Windows Defender\smss.exe csc.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\bcastdvr\ea1d8f6d871115 RunShell.exe File created C:\Windows\schemas\CodeIntegrity\dllhost.exe msAgentreviewCommon.exe File created C:\Windows\schemas\CodeIntegrity\5940a34987c991 msAgentreviewCommon.exe File created C:\Windows\DiagTrack\Scenarios\dllhost.exe msAgentreviewCommon.exe File created \??\c:\Windows\bcastdvr\CSCFFFE03B08079448A9BA1CD5C92A1994.TMP csc.exe File created C:\Windows\bcastdvr\upfc.exe RunShell.exe File created \??\c:\Windows\bcastdvr\upfc.exe csc.exe File created \??\c:\Windows\schemas\CodeIntegrity\CSCCABBB2F324AF4F02B3839E43F5C6C5F2.TMP csc.exe File created \??\c:\Windows\schemas\CodeIntegrity\dllhost.exe csc.exe File created C:\Windows\DiagTrack\Scenarios\5940a34987c991 msAgentreviewCommon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this report the only hit is `ping -n 10 localhost` (PID 532), run from the dropper batch immediately before upfc.exe is launched; pinging loopback ten times is a sleep of several seconds, not a connectivity test, and the sibling batches use `w32tm /stripchart /computer:localhost` for the same delay purpose. No outbound connectivity check is visible here.
pid Process 532 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run every SCSI key access is attributed to taskmgr.exe (PID 1808), the Windows Task Manager, rather than to any dropped component; Task Manager's disk view presumably reads these keys itself, so this signature most likely reflects analyst or sandbox activity and should not be counted as anti-analysis behaviour by the sample.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 5 IoCs
Note: all five IoCs are creation of the per-user `Classes\Local Settings` key, which is commonly created by the shell on first use and is low-fidelity on its own; its main value here is confirming which dropped executables actually ran (WinSFX.exe, Checker.exe, RunShell.exe, msAgentreviewCommon.exe, upfc.exe.exe).
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings msAgentreviewCommon.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings upfc.exe.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1812 reg.exe
Note: the only reg.exe command line captured is the read-only `reg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion` (a BIOS/VM fingerprint check), so no registry write is actually evidenced by this entry. PID 1812 is also reused later in the run by the dropped Checker.exe, so correlate on image name as well as PID.
Runs ping.exe 1 TTPs 1 IoCs
pid Process 532 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The invocations visible under Processes each target a dropped binary with three tasks: a MINUTE trigger (every 5–14 minutes), an ONLOGON trigger with `/rl HIGHEST`, and a second MINUTE trigger with `/rl HIGHEST`; task names copy the target's basename with its first letter appended (`OfficeClickToRunO`, `smsss`, `RuntimeBrokerR`, `upfcu`, `dllhostd`). That naming pattern plus `/rl HIGHEST` is consistent with the DcRat persistence module and gives a high-fidelity hunt: scheduled tasks whose name equals the target executable's basename plus one repeated character.
pid Process 2000 schtasks.exe 4972 schtasks.exe 4924 schtasks.exe 2820 schtasks.exe 3916 schtasks.exe 1860 schtasks.exe 4448 schtasks.exe 3604 schtasks.exe 2292 schtasks.exe 3688 schtasks.exe 2432 schtasks.exe 1396 schtasks.exe 4824 schtasks.exe 1488 schtasks.exe 1484 schtasks.exe 1856 schtasks.exe 3228 schtasks.exe 3692 schtasks.exe 4144 schtasks.exe 4600 schtasks.exe 2144 schtasks.exe 4588 schtasks.exe 3276 schtasks.exe 3680 schtasks.exe 2872 schtasks.exe 212 schtasks.exe 2036 schtasks.exe 4340 schtasks.exe 1460 schtasks.exe 460 schtasks.exe 636 schtasks.exe 3776 schtasks.exe 4496 schtasks.exe 2000 schtasks.exe 4308 schtasks.exe 776 schtasks.exe 1432 schtasks.exe 4468 schtasks.exe 1100 schtasks.exe 1732 schtasks.exe 3368 schtasks.exe 1740 schtasks.exe 372 schtasks.exe 1956 schtasks.exe 1296 schtasks.exe 2324 schtasks.exe 1188 schtasks.exe 744 schtasks.exe 4620 schtasks.exe 3276 schtasks.exe 3604 schtasks.exe 3716 schtasks.exe 2832 schtasks.exe 684 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 2360 java.exe 3364 powershell.exe 3364 powershell.exe 3364 powershell.exe 1620 powershell.exe 1620 powershell.exe 1620 powershell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe 1728 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Note: PIDs are recycled within this run (2360 appears as java.exe and later as a powershell.exe; 3364 as powershell.exe and cvtres.exe; 1468 as cmd.exe and dllhost.exe.exe; 3276 as backgroundTaskHost.exe and schtasks.exe), so entries in this table and in the WriteProcessMemory table must be correlated on PID plus image name, never PID alone. SeDebugPrivilege is requested by every dropped .NET component (RunShell.exe, msAgentreviewCommon.exe, backgroundTaskHost.exe, dllhost.exe.exe, upfc.exe.exe) and by each PowerShell child it spawns.
description pid Process Token: SeBackupPrivilege 2360 java.exe Token: SeBackupPrivilege 2360 java.exe Token: SeSecurityPrivilege 2360 java.exe Token: SeDebugPrivilege 2360 java.exe Token: SeDebugPrivilege 3364 powershell.exe Token: SeDebugPrivilege 1620 powershell.exe Token: SeRestorePrivilege 2360 java.exe Token: SeDebugPrivilege 1728 RunShell.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 3808 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 1972 powershell.exe Token: SeDebugPrivilege 2360 powershell.exe Token: SeDebugPrivilege 3384 msAgentreviewCommon.exe Token: SeDebugPrivilege 4616 msAgentreviewCommon.exe Token: SeDebugPrivilege 5080 powershell.exe Token: SeDebugPrivilege 4456 powershell.exe Token: SeDebugPrivilege 3464 powershell.exe Token: SeDebugPrivilege 5084 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 2188 powershell.exe Token: SeDebugPrivilege 3276 backgroundTaskHost.exe Token: SeDebugPrivilege 1468 dllhost.exe.exe Token: SeDebugPrivilege 3572 upfc.exe.exe Token: SeDebugPrivilege 1808 taskmgr.exe Token: SeSystemProfilePrivilege 1808 taskmgr.exe Token: SeCreateGlobalPrivilege 1808 taskmgr.exe -
Suspicious use of FindShellTrayWindow 23 IoCs
pid Process 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe -
Suspicious use of SendNotifyMessage 23 IoCs
pid Process 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe 1808 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2360 java.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 1812 2360 java.exe 89 PID 2360 wrote to memory of 1812 2360 java.exe 89 PID 2360 wrote to memory of 1620 2360 java.exe 95 PID 2360 wrote to memory of 1620 2360 java.exe 95 PID 2360 wrote to memory of 3364 2360 java.exe 96 PID 2360 wrote to memory of 3364 2360 java.exe 96 PID 2360 wrote to memory of 3860 2360 java.exe 101 PID 2360 wrote to memory of 3860 2360 java.exe 101 PID 2360 wrote to memory of 3860 2360 java.exe 101 PID 3860 wrote to memory of 4108 3860 WinSFX.exe 102 PID 3860 wrote to memory of 4108 3860 WinSFX.exe 102 PID 3860 wrote to memory of 4108 3860 WinSFX.exe 102 PID 3860 wrote to memory of 1812 3860 WinSFX.exe 103 PID 3860 wrote to memory of 1812 3860 WinSFX.exe 103 PID 3860 wrote to memory of 1812 3860 WinSFX.exe 103 PID 2360 wrote to memory of 744 2360 java.exe 106 PID 2360 wrote to memory of 744 2360 java.exe 106 PID 744 wrote to memory of 1028 744 cmd.exe 108 PID 744 wrote to memory of 1028 744 cmd.exe 108 PID 1812 wrote to memory of 1336 1812 Checker.exe 109 PID 1812 wrote to memory of 1336 1812 Checker.exe 109 PID 1812 wrote to memory of 1336 1812 Checker.exe 109 PID 4108 wrote to memory of 4572 4108 WScript.exe 114 PID 4108 wrote to memory of 4572 4108 WScript.exe 114 PID 4108 wrote to memory of 4572 4108 WScript.exe 114 PID 4572 wrote to memory of 1728 4572 cmd.exe 116 PID 4572 wrote to memory of 1728 4572 cmd.exe 116 PID 1728 wrote to memory of 3088 1728 RunShell.exe 120 PID 1728 wrote to memory of 3088 1728 RunShell.exe 120 PID 3088 wrote to memory of 3364 3088 csc.exe 122 PID 3088 wrote to memory of 3364 3088 csc.exe 122 PID 1728 wrote to memory of 3808 1728 RunShell.exe 138 PID 1728 wrote to memory of 3808 1728 RunShell.exe 138 PID 1728 wrote to memory of 2628 1728 RunShell.exe 139 PID 1728 wrote to memory of 2628 1728 RunShell.exe 139 PID 1728 wrote to memory of 2360 1728 RunShell.exe 140 PID 1728 wrote to memory of 2360 1728 RunShell.exe 140 PID 1728 wrote to memory of 
2556 1728 RunShell.exe 141 PID 1728 wrote to memory of 2556 1728 RunShell.exe 141 PID 1728 wrote to memory of 1792 1728 RunShell.exe 142 PID 1728 wrote to memory of 1792 1728 RunShell.exe 142 PID 1728 wrote to memory of 1972 1728 RunShell.exe 143 PID 1728 wrote to memory of 1972 1728 RunShell.exe 143 PID 1728 wrote to memory of 1468 1728 RunShell.exe 150 PID 1728 wrote to memory of 1468 1728 RunShell.exe 150 PID 1468 wrote to memory of 2820 1468 cmd.exe 152 PID 1468 wrote to memory of 2820 1468 cmd.exe 152 PID 1468 wrote to memory of 532 1468 cmd.exe 153 PID 1468 wrote to memory of 532 1468 cmd.exe 153 PID 1336 wrote to memory of 1864 1336 WScript.exe 155 PID 1336 wrote to memory of 1864 1336 WScript.exe 155 PID 1336 wrote to memory of 1864 1336 WScript.exe 155 PID 1864 wrote to memory of 3384 1864 cmd.exe 157 PID 1864 wrote to memory of 3384 1864 cmd.exe 157 PID 3384 wrote to memory of 3588 3384 msAgentreviewCommon.exe 161 PID 3384 wrote to memory of 3588 3384 msAgentreviewCommon.exe 161 PID 3588 wrote to memory of 3400 3588 csc.exe 163 PID 3588 wrote to memory of 3400 3588 csc.exe 163 PID 3384 wrote to memory of 4468 3384 msAgentreviewCommon.exe 164 PID 3384 wrote to memory of 4468 3384 msAgentreviewCommon.exe 164 PID 4468 wrote to memory of 4356 4468 csc.exe 166 PID 4468 wrote to memory of 4356 4468 csc.exe 166 PID 3384 wrote to memory of 716 3384 msAgentreviewCommon.exe 167 PID 3384 wrote to memory of 716 3384 msAgentreviewCommon.exe 167 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No process is attributed to this TTP in the report; the persistence actually observed comes from the schtasks.exe command lines listed under Processes, so on a live host look for ITaskService/COM task creation only where tasks exist without a matching schtasks.exe execution.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1028 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\jarbest-obf.jar1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion2⤵
- Checks BIOS information in registry
- Modifies registry key
PID:1812
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell (adds Microsoft Defender path exclusions covering the entire user profile and the whole system drive — Impair Defenses: Disable or Modify Tools, T1562.001; Add-MpPreference normally requires an elevated context and the report does not show whether the call succeeded, so verify the Defender exclusion list on any affected host)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell (second invocation of the same user-profile/system-drive Defender exclusion command — Impair Defenses, T1562.001)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"5⤵
- Modifies WinLogon for persistence (rewrites the HKLM Winlogon\Shell value to `explorer.exe` followed by the dropped binaries so they start with every interactive logon; any Shell value other than the bare `explorer.exe` is a high-fidelity detection, and because the key is under HKLM a successful write implies the process was running with administrative rights)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdalndig\qdalndig.cmdline"6⤵
- Drops file in System32 directory (this is the .NET C# compiler invoked at runtime by the dropped RunShell.exe with a generated `.cmdline` in a random 8-character %TEMP% subfolder; the cvtres.exe child writes a `CSC*.TMP` resource stub into System32. csc.exe spawned by a process living under AppData\Roaming is a reliable detection for this family's runtime-compilation step)
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB594.tmp" "c:\Windows\System32\CSCBFF02F972CD74EE898EF1A636536A81.TMP"7⤵PID:3364
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3808
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2628
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2360
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\upfc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2556
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1792
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1972
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PhfpGtg7J6.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:2820
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery (false positive in context: `ping -n 10 localhost` targets loopback and serves as a delay before upfc.exe is started by the same batch)
- Runs ping.exe
PID:532
C:\Windows\bcastdvr\upfc.exe"C:\Windows\bcastdvr\upfc.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
PID:1724 -
C:\Windows\bcastdvr\upfc.exe.exe"C:\Windows\bcastdvr\upfc.exe.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:844 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhhacwnf\zhhacwnf.cmdline"9⤵
- Drops file in Windows directory
PID:2204 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE232.tmp" "c:\Windows\schemas\CodeIntegrity\CSCCABBB2F324AF4F02B3839E43F5C6C5F2.TMP"10⤵PID:3444
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qfml3qql\qfml3qql.cmdline"9⤵PID:1892
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2CE.tmp" "c:\BrowserSvc\CSCE573BD44700044BB8815AD98E0BE53C9.TMP"10⤵PID:1956
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1twfpz1\x1twfpz1.cmdline"9⤵PID:4888
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE38A.tmp" "c:\Recovery\WindowsRE\CSCD0C5AD9F3414FBB9B60142777BA4E80.TMP"10⤵PID:4812
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkdgag0c\dkdgag0c.cmdline"9⤵PID:1452
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE416.tmp" "c:\BrowserSvc\CSC71BF786DA93F40C2A9E7598A9065AF41.TMP"10⤵PID:3400
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4456
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\w32tm.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2188
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3464
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\lsass.exe'9⤵ (the excluded path masquerades as lsass.exe, whose legitimate copy lives in System32 — Masquerading: Match Legitimate Name or Location, T1036.005; like the `ClientX64\sysmon.exe` and `BrowserSvc\w32tm.exe` exclusions above, this path is not seen being written in this report, so it pre-authorises a payload that may be dropped later and belongs on a file-creation watchlist)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5080
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\backgroundTaskHost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\upfc.exe.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2628
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nJHpk4onqZ.bat"9⤵PID:1948
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:3144
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2808
C:\Windows\bcastdvr\upfc.exe.exe"C:\Windows\bcastdvr\upfc.exe.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572
C:\Users\All Users\Packages\msAgentreviewCommon.exe"C:\Users\All Users\Packages\msAgentreviewCommon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc/msAgentreviewCommon.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2pxiedw3\2pxiedw3.cmdline"7⤵
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCA6.tmp" "c:\Recovery\WindowsRE\CSC29005026BB084AA2A8BCC44D62876D.TMP"8⤵PID:3400
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fp5rx5os\fp5rx5os.cmdline"7⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp" "c:\Program Files (x86)\Windows Defender\CSC93CD0C0977F940629D851619DF4D1525.TMP"8⤵PID:4356
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4ddbsad\f4ddbsad.cmdline"7⤵
- Drops file in Program Files directory
PID:716 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD91.tmp" "c:\Program Files (x86)\WindowsPowerShell\CSC6218CE8863974421835BBBD1F83D71.TMP"8⤵PID:1396
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd0fz03v\pd0fz03v.cmdline"7⤵
- Drops file in Windows directory
PID:1732 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "c:\Windows\bcastdvr\CSCFFFE03B08079448A9BA1CD5C92A1994.TMP"8⤵PID:380
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gepkqw4\1gepkqw4.cmdline"7⤵
- Drops file in Program Files directory
PID:3176 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp" "c:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\CSC8D1FA316F8B14EF9B820206416555E14.TMP"8⤵PID:3688
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3d4pusmw\3d4pusmw.cmdline"7⤵PID:744
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC9.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSCA29799F0EA7C44CBB1B09FF160F2301C.TMP"8⤵PID:1596
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yL9HagX5Si.bat"7⤵PID:3024
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:4300
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1092
C:\Windows\schemas\CodeIntegrity\dllhost.exe"C:\Windows\schemas\CodeIntegrity\dllhost.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
PID:4496 -
C:\Windows\schemas\CodeIntegrity\dllhost.exe.exe"C:\Windows\schemas\CodeIntegrity\dllhost.exe.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468
C:\Recovery\WindowsRE\backgroundTaskHost.exe"C:\Recovery\WindowsRE\backgroundTaskHost.exe"9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform2⤵
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵
- Sets file to hidden (marks the dropper's staging directory under AppData\Roaming hidden and system; the unusual quoting with trailing spaces, `"+h " "+s "`, appears verbatim in this dropper's command line and is a cheap, specific detection string)
- Views/modifies file attributes
PID:1028
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process (the sandbox could not attach this schtasks.exe to a parent, which is why it is listed at the tree root; the task targets match the binaries written by RunShell.exe and msAgentreviewCommon.exe, making those the likely creators — confirm on a live host via the task's registration metadata rather than relying on this tree)
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Packages\msAgentreviewCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\Users\All Users\Packages\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\CodeIntegrity\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\CodeIntegrity\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\unsecapp.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\BrowserSvc\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tmw" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\w32tm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tm" /sc ONLOGON /tr "'C:\BrowserSvc\w32tm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tmw" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\w32tm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc.exeu" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\upfc.exe.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc.exe" /sc ONLOGON /tr "'C:\Windows\bcastdvr\upfc.exe.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc.exeu" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\upfc.exe.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService 1⤵
PID:64
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4 1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 3
Downloads
-
Filesize
200B
MD58bb10502019ed38b3210cb6192c6a04b
SHA1125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA2567ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5d6da62e1a07048cb1764846ff9e5991f
SHA116630a915028d374ef42fea0d1f34c8fae292e17
SHA256b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5fe563f1526b6875781652660d9b2421a
SHA18ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA51242ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
1KB
MD5cb4338b342d00bfe6111ffee5cbfc2ed
SHA1fc16673b6833ad3cb00743a32868b859e90aa536
SHA256343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9
SHA5124bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD592075279f2dbcaa5724ee5a47e49712f
SHA18dd3e2faa8432dde978946ebaf9054f7c6e0b2cb
SHA256fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442
SHA512744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22
-
Filesize
944B
MD5cbc41bceec6e8cf6d23f68d952487858
SHA1f52edbceff042ded7209e8be90ec5e09086d62eb
SHA256b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d
SHA5120f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb
-
Filesize
156B
MD55c504fa3a7a9fd6b4575f7ae83b0bcfb
SHA1f2743af99117ce705135ce1ee1b1a32ee694dc2b
SHA2560511a22e98f140c83ed4e0c4f4276c15c8a1c2d7dd9d27e54be21ff444174775
SHA51221fd230325d147923894b2f0c501be9aeabe3a16dc20f046546ef667b0c839320eac15f61d28ffecc299a81258c03a4b0b1c3938336dc5a8dfa4f84b850d5eab
-
Filesize
1KB
MD501859ba0090dfac1a546f8ccdf272865
SHA182616ee6d518f364b64101ecd6735a2e3e56934c
SHA25644e39c18150e976e011585d18646910f2d9c482af44a8860467fa92fbf93e720
SHA5127bb36cb21d796e9c8a6c1f2308e95e3725f03f054e2464d16d146f6183a8002e68c0c9a666b7b8bfbc18509991dfd2b0c7252a6ed293558682c04ca6056ae885
-
Filesize
1KB
MD5e59ed096ce1a6369704d831814c79667
SHA117dc611e979f8babcdc4ff0f02d3ff6b996cc1b6
SHA2565cd3e2d3eb1c86ad8b543e6a587b2321bd0275f5fd8cfd138baa9b5c78295d8c
SHA51245b436ea72cad0adb2f2e8326e8727798f9ac927903ffa9de8883f63c50a365edd0e7fa82a29352de113ea6858d2c4f328c438ef5df0e81c5f3d0e94e079110f
-
Filesize
1KB
MD532c05319ebb521ee13c4dd2b0bd140d6
SHA1631b294cb6971cc2cec9406b35703dd97ab53f97
SHA256d187a21e1489159d809d1eae1db770fd38c501de454e8bc79caabe431131c818
SHA51253fd48b5f3c883ad489c290463f20c7892ac7b77f83e657c5375e91a657235f6cb5b89be62f96c04dece33e11fc66c06fd3336ca2b67c0c439d2a8c7329f050e
-
Filesize
1KB
MD5ac8994f1000f6c09aaed3cc86c3caaeb
SHA1ca6e1f35e4ab80921b2f6860569dc644b64de1aa
SHA256dffa83558474398bc8d3ea345075e96ec616692774aac7ed2f0f2e403d42897d
SHA51267fe0eec226a2c201717a34c4e09342c9887df5ac4d2a4a1cd4f436f485d51376cb300721cb0fd8ca421b6c0ed760452905477136141cdc3eccfa117c143c73a
-
Filesize
1KB
MD56dc81538a706412c6a66d905e753866b
SHA1e7a9989cdd3e0bef9ead3824e0c13ae167ed1362
SHA2565dcc8b17da51f6efac30fe86eaa35faa7be6cb526ea0769ba24cbbf5a0e83290
SHA5126ad2e96e80b45ed4503aa9a0472efde0e60b24d7a8afe21997d2b650342a2c2982c85c713a235d2d2e14cb6e6ae420d6ff056fe788b7542fddf1884c43af54d6
-
Filesize
1KB
MD5779bc89f650e6b32bc7e672cc795b487
SHA126dc5a41f373467e752ab086df62a53bde9fd236
SHA2566db72371493235c81f91331ed0e901e86d58efa906041149c3cc73bc374f1add
SHA512a0d868849d33a48a0c026ba2c9cd1c870b0bacff8a11a7443372b96c1eaad3a1b66e23bb190f32821dbd3d42b4c12d623437ecb6e7dd4de71de63e112429ba38
-
Filesize
1KB
MD59527019a38a3c5d269f32ead9d09a78a
SHA18cdac1a966284eaf0eb407a128170fb965959dff
SHA2565e8b7ea466c58b0a8702cd188dcf1e805497d173d55adc666cf8f8f397074069
SHA5120e07394a6dac7ebdf99544a772f8d39c338266770b96ca4ce6e50b0565a5acf3b51872f71b037785b0ca3d1a1586d9fcacc7678a414d59c2bcabeba6932eec07
-
Filesize
1KB
MD5051403ba061d3498dbe74a2226af90c4
SHA1596aa48779d7130d3f6457c852754dfdd523e041
SHA256f66a657f577facc9ca393683a5f7a12e37f60c50c3a2b8ef3a3ec75fe06a00ac
SHA51295f43fb3c5c78044f283fd34fd4466c47dd7207c30e9bb374f4dcee0c74980b74a421e3e155282c812c79a14f6e0e26ce68fc9babb2e4dba5ecf6ed4b8f21466
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
220B
MD550483ccf6a21603bc1d19169892cc848
SHA13c0ada8bfce0eb2e95e7f7c9474e2a33440e013e
SHA256955a72d54af9392ae6c8d113815aa34c14bb9cd2e3da634feff2f0d4c98aa22b
SHA512c848645b986fa7677746076802be49a5c68080fd1169a7fc8ca29b4f1895ec1b2b50518e6978cec6689ffe2b08b0930d6dec4dc1850a79b2e692af5df92b0ac1
-
Filesize
2.3MB
MD5deb9f64ee23f25627884a143d411fb9c
SHA1448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize104B
MD5b33c8997ecd39b1b7e8af929abd526c7
SHA1e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA25671340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
4KB
MD585305c448548c4bed9df9c3ffbd8a6dc
SHA14c402a13ac56795a9a67ee23ab8ecf58e934bf9b
SHA25629cf04f93616a5983dfef2a8c8777639d1882fa1c84be410a29faa8408940eda
SHA512b446c10aa8e40ebe5d01c79746964aa16ee94bc7e0d2c327a004d8d237df7c8741bb8b5d3e96e01d4ec5cf5739f263366690de98276185ff3044faf0234fabcc
-
\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\CSC8D1FA316F8B14EF9B820206416555E14.TMP
Filesize1KB
MD50b8c597c544ca92a39ba973ae92df58a
SHA1f5a2a3cf7f9b62ccb95455253946805b6440551e
SHA256295af82088d5d6637fd37d87140b4f0958bf444e5da19a2eed83a82b33263caf
SHA512f2aa858673620208198072d60cd348dd43284e23093ea9b718de83113a92d36ba9a7d5de540d99213f466017dcbbdea558a9bf80da5e49cc1bb6650944688c97
-
Filesize
1KB
MD570ebd87a449c83d0645ba22e10ab83e5
SHA15980251d5a46d81e6f48fe53ee04e87a28219015
SHA256b4713f585dbd4185833afeb466a2fbaa5c9d17071f9de2a1f0dfeec01b346c01
SHA512b44a0154a6c4b1f2af61046a0357b8018a5095262f0ec54e701f4bd46adcaad3e88bafe23567e49b845bd83578d0291bcff6a43351d6027ea02c9e1ead96ca66
-
Filesize
1KB
MD58cb2d1f69e2730b5de634f6b6c12005f
SHA11f9496195f09f58a4e382994717a5da34086d770
SHA256f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea
SHA512d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda
-
Filesize
1KB
MD58646a5e75779514abe73c90f56e622a4
SHA1b4abca3ec4e9385c61e0bb186a74011e3efa39c8
SHA256c8f173154d19a0abcee4a35a9b2005f46903218c83ef5a0ff4aba3552ea08ac7
SHA512f80363c2c564fed56d2da571bb120728ffe0ce4737ce38bedac7e31dd140e069be09e6e0562c08ab748aba7d824680f68f5db3d38d43afea7202c4f4cff02994
-
Filesize
423B
MD57871f03525cb05c3590c0899050961ff
SHA1b8236497476c8009b1934b5888809da0f04d010d
SHA25696c90fbdaf63d0f554ea3d80935cf6a91946ce8817123e95f8df8c2a3a968174
SHA51252f7801d551878714ad2424b3092cfc06c9b1871248dca8428aa8ee4fbed811275212386bb6cb2a1bef527481c6fc6a4f699377f4a534f23958a1cffaf6d6484
-
Filesize
275B
MD56837861d1f5b8f00f71b0c549896e6b2
SHA1980a3f0125521a1d6f1acf5ac7ab38c82ccb2f32
SHA256252031f86a2db1a1d9dd9d9ba37769c79035dffac343315ae6f3b93a2213ac93
SHA512c96ffeca22ed910d96a41c7e8859e5dfbaa9661f207a8370ddb4a5b78e7a440fd7f93c21cff511e5870cba379740e89676eb3d535258a157efde5925e5f20a55
-
Filesize
395B
MD50be97ad37a56ea28a19c394746255e7a
SHA1a2b20ee6cbcad1b5270dbc17ae91cdd0d89eb3cc
SHA256f1fb765f272cb0dffca460e210e44250ea363f39bf63b512f633417fe05eeffb
SHA512f6bb759a6f666c178f54e0c5b7fb79cb1d6830c30df214d317eae59bc6c47af1aff472de662e34aed133232c4e54abef21ed41e8b54d7c2dfb8a5a049b5dd045
-
Filesize
247B
MD5b01ebe7e7c0af9e6adb14d6598166296
SHA111cedbb9e68fdc6a77e07428b7842a08a15ded3a
SHA256aef8a01c54652979bb581b1d991771ca3974e69335c78055344f1c4d2f43568f
SHA512eaae6b07d4d377e735cee1319901ba242b4abb2eed6a170450ac3d8ff416c79d75a3bf27a639d5b115958790898d672ef8dacd8b94d837da108be5c3704d84f9
-
Filesize
413B
MD56cae29d4e6a31f7bbce888905b453fcf
SHA1dea5bbdcd666931c8c6e1184b22cb7f2cb60f9d7
SHA2564bc87dfd1588d83d1b7be77f0e3e61d3e1c70c8d4d0b481afa3b850cfcd41332
SHA5128776d2faf1485f2c25743f1901edaadaed5f99747b4995d303d3474effd9334ebce75abee9760e7a17ce80a775a7891b364a27a18a161a79ea00ca42cc25c2b2
-
Filesize
265B
MD57b1403cf8896eb3346ea706ba35207d3
SHA1a3285f96940b164377a0a94a7afbe278425d6640
SHA25618de345e94d2f220d7209fbb1ce78461c677e6cf44dee08fddf364720e6a22d1
SHA512d6a1c38b1f1c2bc01768c574a4e29d6ebdc429d67538ec0b68ef2b7949ef83372f85ffa97cc7b40172ffae9f75da063784c158d9016cb1e16a804000692ac46b
-
Filesize
411B
MD529c3e86af644d0b7bd0485c695793459
SHA16a1e3c1dc3492c2ccf79ef8f47a0b7aea9174b47
SHA256476dd26b9ed8f1beb2ba9ccb4c421c75149594b855c9cf4c923ce4d17994565e
SHA5127e35c7926c9bbcb847af5b29a543fea036829f754ad945ec8a05a902162a5fdd5110f9beb58f7fe42f44aa89c9ccc6d1eda2bc7036ea693312fbec0e88fa1ae8
-
Filesize
263B
MD5a75ddfd304b6b30c77f57de7d46d6bf8
SHA13b2a203d8d783088bb6438fdf9b7f547dc65904b
SHA25608f844c146269271b901c52e0bcd2c239d04ce624946dad96106625c80b1393d
SHA5124814435d849c9a2ac2101d6975385fa9fb058f1af2ef6c7934a663c191619c8a87ef0c8ef929651c23882fdcb222041ee9e50829faf1716c1c3944289c579811
-
Filesize
401B
MD54a50bf58c237d9cbe63cbb303100ad57
SHA12b4b376a7bc2a8a6eebc1309fb1a1ab7c7a2437e
SHA2564d7a3eb76ecdd2536e5204d1cb3b51002d66caa60b37e90331990d9041e58eee
SHA512d2eee2857c66583e10cbd14845ed1dcac17803ce4abd23b69bc4756ae97ec34703a4391d8dd494acb80851f25cc0de1bc12243c76a4d47d6d342951af87137bb
-
Filesize
253B
MD56e282d4c5d665c7470aaf6848460f848
SHA1c8ee1f3978ff792ccab341f67643bf6253dbb332
SHA256bfa4d1515171d1758f6da87b6d9f16c97d9151f1b5add1d70293cde39876fa02
SHA51247ba270f98549c8f5e2dd97f74c630c00c0987fccf59feb534c4c32f802e384357c1c43860c05aa0f75fe8991ccb7d6f3d9a2c592a591a3fa1ce3b2788c9ea21
-
Filesize
381B
MD5789cd8465db1b3ceba08f3eb8ffdb72b
SHA10a134b31c0a9d62547c5ee951956672efd7498c3
SHA256b7ff3054f4bcaf12ca11b0dceef974df171718a57950845486b30c4533b12046
SHA512e31fecf53b33d6ac5332b6c325e65e555a5fb736c0bacab1eca80efca7692d43ff477a184d710bcbe434e338aece9d473adb1d0711f1f10dfe00f05a4f1377c1
-
Filesize
233B
MD513924efc39fa0b01e2da8991eaf8721a
SHA1cf634eda0b9123b5101fe62ec317e65e517d8b92
SHA256b412253a41327b6c88264a0bb47c9460d065b245e52504721af81867a7f62d58
SHA512888b152f77461e5614a6e0f8eb63e533832d167e942b110e4c017d743e2296ee8562082df46c6cd96f190c43523c36c741d05fa2c2dfdd87868dc19060e1e978
-
Filesize
374B
MD5d31f8df0bce48a4cf78d55aa60b6f515
SHA11846595bc4313df05677f3e1c01dda312b54426f
SHA2561e4cacdf07954d92484b4ccf82306d4434b4ea31f75acb9b425e547622574404
SHA5126ef8113985f340f5ceac0adec280b14272f9ef80653310ce52c519a1dee6ff0c4c3e5d490d0e441326d6034df869f304235d7d9567d19d8ec1fd282e3e791bcc
-
Filesize
235B
MD53107aabb6a865d1b6335c0e6b1dd34d0
SHA1ee2e144431a1ccdacc3fa72216e2668a17c21f7b
SHA2565b9022d9e67ca4e5acf3d16ebdd9e34ecb7a715857deb252a17cc78913ebdb4d
SHA5128330f8cc23ffb41b194e00a01c82aa707b7dc9132b7c63b39663d46af43825737b47c43439784dc4cbf836d30368ad57b7dbe985173daa1d9ed02d180e18aa0b
-
Filesize
1KB
MD5819218476efff19538c5e47775890416
SHA144268f9a7b24e4477c5a6917ca26b1e9d4938bcd
SHA256adfdb51bd795924a67fd2310d33e40f21f7dde44168e85dd416784cb6b1f5cd2
SHA512fc1d1655478034e6c2ac8082e00397f1a3c6b527714fc1576b52bef7b2a9faa5ff1d89b1501d598bbeac943e899631007237071ddb73242438aa375ab74d3bcd
-
Filesize
1KB
MD582a7b8ef3bc275711e3b27c6df93c7ff
SHA1bdac909f26475c94c74145576bcf22adb0f8203c
SHA256582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248
-
Filesize
1KB
MD5ea7b1e3bff59c5c21f8ccc2d3afbaac7
SHA1053b86d6dfb26ccedca35401d6ea88a481f97361
SHA256db68b31d332dca2d0b33f52e6a75b9ad5b2677e2d2078883b0010404c7aa1ed7
SHA5128bbefbfeb456af568e50d3ac0336ff12b1ad421de53d190c3f08c6f1f565a53424da84f03261ee10497dbb42464f3eee8d93d643bd4b852ab591634e203555c9