Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20241023-en locale:en-us os:windows10-ltsc 2021-x64 system -
submitted
27-10-2024 15:49
Static task
static1
Behavioral task
behavioral1
Sample
jarbest-obf.jar
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
jarbest-obf.jar
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
jarbest-obf.jar
Resource
win11-20241007-en
General
-
Target
jarbest-obf.jar
-
Size
6.8MB
-
MD5
183038eacde2898dd081ea76f73775a3
-
SHA1
c1ea9bbd90f8ce35ea00d09f76254976f35e3cba
-
SHA256
405633b7f6c5ecfa971f23dbb09e85d40224bb74c83ffdafb827b301bc413427
-
SHA512
edba63707f4f257eb94503fe481db88dd28347e0a2d01836242ed9052164d340ff629c1585054c28a8cd2c867a8968c467b14cf2ac05bf8c73164843fcfa91f9
-
SSDEEP
196608:TsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:TsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot (URL is cut off in the extracted config; the bot token in the path is the exfiltration credential and should be handled as an IOC for blocking and reporting)
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\taskhostw.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\taskhostw.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\BrowserSvc\\sysmon.exe\", \"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe -
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this trace every flagged child is schtasks.exe spawned from WmiPrvSE.exe (PID 3464); a WMI provider host launching schtasks.exe is more consistent with the sample creating processes through WMI than with an exploited parent, so read these 36 entries together with the Scheduled Task signature below as part of the sample's persistence setup rather than as evidence of a WMI exploit.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3636 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4320 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3376 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2924 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4524 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4276 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3732 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3800 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4484 3464 
schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3732 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 116 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5064 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3384 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3636 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3132 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1188 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3268 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 3464 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3604 3464 schtasks.exe 87 -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings. The generic signature covers exclusions for file extensions, paths and processes; in this run all eight invocations use Add-MpPreference -ExclusionPath, first for $env:UserProfile and $env:SystemDrive (which in effect excludes the whole system drive from scanning) and then for each dropped binary, so the dropped payloads are never scanned.
pid Process 2244 powershell.exe 216 powershell.exe 2268 powershell.exe 3132 powershell.exe 4468 powershell.exe 1120 powershell.exe 1816 powershell.exe 2064 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes (via attrib.exe) so the file is not shown in Explorer and similar listings.
pid Process 2764 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation msAgentreviewCommon.exe Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation Checker.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe -
Executes dropped EXE 6 IoCs
pid Process 1644 WinSFX.exe 2652 Checker.exe 1700 RunShell.exe 3684 msAgentreviewCommon.exe 3808 dllhost.exe 4936 spoolsv.exe -
Loads dropped DLL 1 IoCs
pid Process 1168 java.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\taskhostw.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\taskhostw.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\BrowserSvc\\sysmon.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = 
"\"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\BrowserSvc\\sysmon.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Web\\4K\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Globalization\\Time Zone\\fontdrvhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Media Player\\it-IT\\spoolsv.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" msAgentreviewCommon.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: java.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 12 discord.com 13 discord.com 16 discord.com 19 raw.githubusercontent.com 20 raw.githubusercontent.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 api.ipify.org 9 ip-api.com 23 ipinfo.io 25 ipinfo.io 7 api.ipify.org -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC6DF1E46D34174EC1A0A3C68DD0525AF4.TMP csc.exe File created \??\c:\Windows\System32\npvh5b.exe csc.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\MSBuild\Microsoft\ea9f0e6c9e2dcd msAgentreviewCommon.exe File created C:\Program Files\Windows Media Player\it-IT\spoolsv.exe msAgentreviewCommon.exe File created C:\Program Files\Windows Media Player\it-IT\f3b6ecef712a24 msAgentreviewCommon.exe File created C:\Program Files\Windows Mail\dllhost.exe RunShell.exe File created C:\Program Files\Windows Mail\5940a34987c991 RunShell.exe File created C:\Program Files (x86)\MSBuild\Microsoft\taskhostw.exe msAgentreviewCommon.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Globalization\Time Zone\fontdrvhost.exe msAgentreviewCommon.exe File created C:\Windows\Globalization\Time Zone\5b884080fd4f94 msAgentreviewCommon.exe File created \??\c:\Windows\Web\4K\CSC4D7FA4C9D8A649FEA819DE8310E7CFE4.TMP csc.exe File created \??\c:\Windows\Web\4K\RuntimeBroker.exe csc.exe File created C:\Windows\Web\4K\RuntimeBroker.exe RunShell.exe File created C:\Windows\Web\4K\9e8d7a4ca61bd9 RunShell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the victim system's language in order to infer the geographical location of the host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings msAgentreviewCommon.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 5032 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1052 schtasks.exe 476 schtasks.exe 3732 schtasks.exe 2204 schtasks.exe 3604 schtasks.exe 2648 schtasks.exe 3800 schtasks.exe 3384 schtasks.exe 4360 schtasks.exe 3068 schtasks.exe 2924 schtasks.exe 4524 schtasks.exe 116 schtasks.exe 2292 schtasks.exe 4276 schtasks.exe 5092 schtasks.exe 4232 schtasks.exe 2252 schtasks.exe 1188 schtasks.exe 3268 schtasks.exe 4320 schtasks.exe 4484 schtasks.exe 3732 schtasks.exe 3164 schtasks.exe 4520 schtasks.exe 1092 schtasks.exe 2020 schtasks.exe 5048 schtasks.exe 5064 schtasks.exe 4448 schtasks.exe 1048 schtasks.exe 3636 schtasks.exe 3376 schtasks.exe 3636 schtasks.exe 3132 schtasks.exe 3316 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 1168 java.exe 4468 powershell.exe 1120 powershell.exe 4468 powershell.exe 1120 powershell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe 1700 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 1168 java.exe Token: SeBackupPrivilege 1168 java.exe Token: SeSecurityPrivilege 1168 java.exe Token: SeDebugPrivilege 1168 java.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeDebugPrivilege 1120 powershell.exe Token: SeIncreaseQuotaPrivilege 1120 powershell.exe Token: SeSecurityPrivilege 1120 powershell.exe Token: SeTakeOwnershipPrivilege 1120 powershell.exe Token: SeLoadDriverPrivilege 1120 powershell.exe Token: SeSystemProfilePrivilege 1120 powershell.exe Token: SeSystemtimePrivilege 1120 powershell.exe Token: SeProfSingleProcessPrivilege 1120 powershell.exe Token: SeIncBasePriorityPrivilege 1120 powershell.exe Token: SeCreatePagefilePrivilege 1120 powershell.exe Token: SeBackupPrivilege 1120 powershell.exe Token: SeRestorePrivilege 1120 powershell.exe Token: SeShutdownPrivilege 1120 powershell.exe Token: SeDebugPrivilege 1120 powershell.exe Token: SeSystemEnvironmentPrivilege 1120 powershell.exe Token: SeRemoteShutdownPrivilege 1120 powershell.exe Token: SeUndockPrivilege 1120 powershell.exe Token: SeManageVolumePrivilege 1120 powershell.exe Token: 33 1120 powershell.exe Token: 34 1120 powershell.exe Token: 35 1120 powershell.exe Token: 36 1120 powershell.exe Token: SeIncreaseQuotaPrivilege 4468 powershell.exe Token: SeSecurityPrivilege 4468 powershell.exe Token: SeTakeOwnershipPrivilege 4468 powershell.exe Token: SeLoadDriverPrivilege 4468 powershell.exe Token: SeSystemProfilePrivilege 4468 powershell.exe Token: SeSystemtimePrivilege 4468 powershell.exe Token: SeProfSingleProcessPrivilege 4468 powershell.exe Token: SeIncBasePriorityPrivilege 4468 powershell.exe Token: SeCreatePagefilePrivilege 4468 powershell.exe Token: SeBackupPrivilege 4468 powershell.exe Token: SeRestorePrivilege 4468 powershell.exe Token: SeShutdownPrivilege 4468 powershell.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeSystemEnvironmentPrivilege 4468 powershell.exe Token: SeRemoteShutdownPrivilege 4468 powershell.exe 
Token: SeUndockPrivilege 4468 powershell.exe Token: SeManageVolumePrivilege 4468 powershell.exe Token: 33 4468 powershell.exe Token: 34 4468 powershell.exe Token: 35 4468 powershell.exe Token: 36 4468 powershell.exe Token: SeRestorePrivilege 1168 java.exe Token: SeDebugPrivilege 1700 RunShell.exe Token: SeDebugPrivilege 2268 powershell.exe Token: SeDebugPrivilege 3132 powershell.exe Token: SeDebugPrivilege 216 powershell.exe Token: SeDebugPrivilege 2244 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 1816 powershell.exe Token: SeIncreaseQuotaPrivilege 3132 powershell.exe Token: SeSecurityPrivilege 3132 powershell.exe Token: SeTakeOwnershipPrivilege 3132 powershell.exe Token: SeLoadDriverPrivilege 3132 powershell.exe Token: SeSystemProfilePrivilege 3132 powershell.exe Token: SeSystemtimePrivilege 3132 powershell.exe Token: SeProfSingleProcessPrivilege 3132 powershell.exe Token: SeIncBasePriorityPrivilege 3132 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1168 java.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1168 wrote to memory of 5032 1168 java.exe 85 PID 1168 wrote to memory of 5032 1168 java.exe 85 PID 1168 wrote to memory of 4468 1168 java.exe 88 PID 1168 wrote to memory of 4468 1168 java.exe 88 PID 1168 wrote to memory of 1120 1168 java.exe 90 PID 1168 wrote to memory of 1120 1168 java.exe 90 PID 1168 wrote to memory of 1644 1168 java.exe 93 PID 1168 wrote to memory of 1644 1168 java.exe 93 PID 1168 wrote to memory of 1644 1168 java.exe 93 PID 1644 wrote to memory of 3444 1644 WinSFX.exe 94 PID 1644 wrote to memory of 3444 1644 WinSFX.exe 94 PID 1644 wrote to memory of 3444 1644 WinSFX.exe 94 PID 1644 wrote to memory of 2652 1644 WinSFX.exe 95 PID 1644 wrote to memory of 2652 1644 WinSFX.exe 95 PID 1644 wrote to memory of 2652 1644 WinSFX.exe 95 PID 1168 wrote to memory of 5020 1168 java.exe 97 PID 1168 wrote to memory of 5020 1168 java.exe 97 PID 5020 wrote to memory of 2764 5020 cmd.exe 99 PID 5020 wrote to memory of 2764 5020 cmd.exe 99 PID 2652 wrote to memory of 4308 2652 Checker.exe 100 PID 2652 wrote to memory of 4308 2652 Checker.exe 100 PID 2652 wrote to memory of 4308 2652 Checker.exe 100 PID 3444 wrote to memory of 1312 3444 WScript.exe 101 PID 3444 wrote to memory of 1312 3444 WScript.exe 101 PID 3444 wrote to memory of 1312 3444 WScript.exe 101 PID 1312 wrote to memory of 1700 1312 cmd.exe 103 PID 1312 wrote to memory of 1700 1312 cmd.exe 103 PID 1700 wrote to memory of 3000 1700 RunShell.exe 107 PID 1700 wrote to memory of 3000 1700 RunShell.exe 107 PID 3000 wrote to memory of 4332 3000 csc.exe 109 PID 3000 wrote to memory of 4332 3000 csc.exe 109 PID 1700 wrote to memory of 3132 1700 RunShell.exe 125 PID 1700 wrote to memory of 3132 1700 RunShell.exe 125 PID 1700 wrote to memory of 1816 1700 RunShell.exe 126 PID 1700 wrote to memory of 1816 1700 RunShell.exe 126 PID 1700 wrote to memory of 2268 1700 RunShell.exe 127 PID 1700 wrote to memory of 2268 1700 RunShell.exe 127 PID 1700 wrote to memory of 216 1700 
RunShell.exe 128 PID 1700 wrote to memory of 216 1700 RunShell.exe 128 PID 1700 wrote to memory of 2244 1700 RunShell.exe 129 PID 1700 wrote to memory of 2244 1700 RunShell.exe 129 PID 1700 wrote to memory of 2064 1700 RunShell.exe 131 PID 1700 wrote to memory of 2064 1700 RunShell.exe 131 PID 1700 wrote to memory of 2788 1700 RunShell.exe 137 PID 1700 wrote to memory of 2788 1700 RunShell.exe 137 PID 2788 wrote to memory of 2396 2788 cmd.exe 139 PID 2788 wrote to memory of 2396 2788 cmd.exe 139 PID 2788 wrote to memory of 1416 2788 cmd.exe 140 PID 2788 wrote to memory of 1416 2788 cmd.exe 140 PID 4308 wrote to memory of 3852 4308 WScript.exe 141 PID 4308 wrote to memory of 3852 4308 WScript.exe 141 PID 4308 wrote to memory of 3852 4308 WScript.exe 141 PID 3852 wrote to memory of 3684 3852 cmd.exe 143 PID 3852 wrote to memory of 3684 3852 cmd.exe 143 PID 2788 wrote to memory of 3808 2788 cmd.exe 144 PID 2788 wrote to memory of 3808 2788 cmd.exe 144 PID 3684 wrote to memory of 924 3684 msAgentreviewCommon.exe 148 PID 3684 wrote to memory of 924 3684 msAgentreviewCommon.exe 148 PID 924 wrote to memory of 1144 924 csc.exe 150 PID 924 wrote to memory of 1144 924 csc.exe 150 PID 3684 wrote to memory of 4404 3684 msAgentreviewCommon.exe 151 PID 3684 wrote to memory of 4404 3684 msAgentreviewCommon.exe 151 PID 4404 wrote to memory of 4016 4404 csc.exe 153 PID 4404 wrote to memory of 4016 4404 csc.exe 153 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2764 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\jarbest-obf.jar1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion2⤵
- Checks BIOS information in registry
- Modifies registry key (generic reg.exe tag; the command shown is a reg query, which reads the SystemBiosVersion value and writes nothing, so no registry modification is evidenced here)
PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uodwedhj\uodwedhj.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB258.tmp" "c:\Windows\System32\CSC6DF1E46D34174EC1A0A3C68DD0525AF4.TMP"7⤵PID:4332
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\sysmon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\55kG6EOulP.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:2396
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1416
-
-
C:\Program Files\Windows Mail\dllhost.exe"C:\Program Files\Windows Mail\dllhost.exe"7⤵
- Executes dropped EXE
PID:3808
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc/msAgentreviewCommon.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywgtavij\ywgtavij.cmdline"7⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4F.tmp" "c:\Windows\Web\4K\CSC4D7FA4C9D8A649FEA819DE8310E7CFE4.TMP"8⤵PID:1144
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zp1ilk2\5zp1ilk2.cmdline"7⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp" "c:\Recovery\WindowsRE\CSC36FFBE30E4DD495C94C7F6B652F3BA8.TMP"8⤵PID:4016
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfrxmhgm\sfrxmhgm.cmdline"7⤵PID:1620
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD43.tmp" "c:\BrowserSvc\CSCAD52546D3E51449CB36323A0E5FDE31.TMP"8⤵PID:1604
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmtlu2jb\qmtlu2jb.cmdline"7⤵PID:648
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE5C.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSCE8185F6912E4423C98F919CEB8A1301A.TMP"8⤵PID:3008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqH9ANR2cY.bat"7⤵PID:4664
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:4632
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1676
-
-
C:\Program Files\Windows Media Player\it-IT\spoolsv.exe"C:\Program Files\Windows Media Player\it-IT\spoolsv.exe"8⤵
- Executes dropped EXE
PID:4936
-
-
-
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform2⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2764
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\BrowserSvc\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\BrowserSvc\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\BrowserSvc\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\4K\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Web\4K\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\4K\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Time Zone\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Time Zone\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
Network
MITRE ATT&CK Enterprise v15 (technique counts as tallied by the sandbox; the leading digit on each line in the original rendering belonged to the preceding technique)
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Modify Registry (3)
Downloads
-
Filesize
845B
MD50e59fe4162ec22a53d5026b46ba49fd5
SHA1ccb7b97a5c1c7dabe29dfbc67c8e48bb12755dc7
SHA256b1cac2adc77d2413d9b4bd7c113d777889ca89d13e236a92c81f911bbf1888cd
SHA51254ee5829f4df6753edf497440b0dd36029f8f0cb1fabe5dcbc10d3d675636d5b1f2d8632efa7f9057d3fea2fc51902a22d7db065d6cbef3a59e5f79a1674ff0f
-
Filesize
200B
MD58bb10502019ed38b3210cb6192c6a04b
SHA1125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA2567ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5d6da62e1a07048cb1764846ff9e5991f
SHA116630a915028d374ef42fea0d1f34c8fae292e17
SHA256b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5fe563f1526b6875781652660d9b2421a
SHA18ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA51242ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5c67441dfa09f61bca500bb43407c56b8
SHA15a56cf7cbeb48c109e2128c31b681fac3959157b
SHA25663082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
SHA512325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
-
Filesize
1KB
MD5066d7a664db2b501867c3274116fa5bb
SHA13514956514f3dd4334c39dfef89e079a50b04695
SHA256900bdacbe2e6fcddc3dbf613a5f29a8e3f6eca3a57681c3b3c3cae2ab7b190ca
SHA51285efdd87bc36f6b96b1b5d126c4208921fa1aa46a7f1de91fe858e59dc47c942873b99b9bb96d12307f8534bec8e4586862edbfad76304b167f3c6d9e4a6fa5e
-
Filesize
1KB
MD5539e69283f0bffcfd0ce76efb830ee58
SHA16f64e6df322286bea102e0453bc334bc172e3502
SHA256b9b5683ff44e7240b321fab2106fdc8871d60f828911d32fcc0cf1fecac24cec
SHA5120c06ac8cf5e8a6e5c0706f00e35d33db151eef1cc32ff76c2f6fef5fb05da0377f0ae0e232e01eadb0c3c2167626bb1f276cc2f8e9e3e53bd44861b72da9fd34
-
Filesize
1KB
MD5b30cad04681b1b680cc283449dc62df6
SHA1e153bf31208f0d7b314fc80e2c2ba34fef12fc1d
SHA25609192972ea4e20e52ddef1f14aa62acd9e2e479730730b3d5c7cad8cf2ad38c9
SHA512abd5c5bc2d4b5b142df10d66bef43c2d7a63fbd49701a4fbf85cbf57734894ab803265bf0e8bba6b6cb96aa9dfa7211d274fa61c4f83c62ad800f7c4b018600c
-
Filesize
217B
MD5bc5160dd7f93b7bdbca03e1811ad6726
SHA14ea9ce9f9dda7f0e980871c9754a0d00296d9b67
SHA25668874e3a479f0f2b4a11a8aca4f305b46e53e51689a63723fd11fdbc3607c3e3
SHA512cdf609df8fdd0cde5e7d652d122168afec38b088feb0fd54bc3eb87d76a7f2085f9a3b0aa7f27d5dbb42e811cf713e9236e97cbfa301285031f4aade62dc24de
-
Filesize
1KB
MD51bce07d42f66ccee5a1a6de78e9162a6
SHA14e8e1a430a9d9c707a371ec8e58682caa3508f4f
SHA256019e24bcbb255055d4d3b92a173fda0be259da6fb19a41daf4bd19341430ae60
SHA512fd9a7e8378f49c6d2b0717703fad07388dc0022ca3fce0bbe722591f1b5e28f5bbb7367f9b8fbc8e83227dbf122c48e1252fa3b7f7499b131b6af52498890285
-
Filesize
1KB
MD5ccfe6a1c191e71b3e5da3932011dec48
SHA13ea5f6365cecd0b3292f51f7b508feab165eed42
SHA256945104e6e32fff42b401d0e6563612b39ee0ce404dda9c74640c3c9c0c3fbbce
SHA512567c7de37bc1f2040d2de002bd970980d570b9bda81238ad5fac1c60f9281024e2b807d81d16dcd7108114bf432a45491e562c912276a535bcf28a788fc5b85d
-
Filesize
1KB
MD55ac008651fecc9f356081d08ad1c970c
SHA1e749652d0e1c26a08a41134c3929d147cc5651f9
SHA2565c120cc1f185ab8ab3e416a47c60d83d843d024bb0c8f5296334dae998b0edc6
SHA512833c0fa90f64764a364b4380432bf53ccc1a8808f62acd2ab41ab096d8ab74bd5a79f78188446d4731f17f0c88d086afe95c59e5c5c8253e7a1a037e679c1dc5
-
Filesize
1KB
MD50abf1a6ee4439c4b69620de212a6f7cd
SHA14194a8c9df0baefa1440818ef28cf73d769bf43c
SHA256c89b4b2ba233e8ee0a62616ee9aafe8a29c44865f04fb9200a1139bac1ec35d7
SHA512579cd6f0a64202bef4db701b7b6e726678aa9cbda3ac28d42c238f992bad18aa1e3de8db7e59b7805299bbc391df9be2afe02a62f871d1c3d7116b7f569241f0
-
Filesize
1KB
MD54e721112516139e5d445d2fe56264c59
SHA1df343aaadacb5d766db9efca5d370b39a1d3d438
SHA256361112986ed6c360ea9e4e3d41f3209c79d54c2478902977bd5d34225def5034
SHA5126990f8a728eaf687a412edb90467feeed509c3470ef86643cf59fc3b393ad82544d80ada71f86f0d95ed6389a9d5bd5d8edf613bc3776ebcff33be9193f727d1
-
Filesize
231B
MD51e58de1a29e3821760f49179b894afc2
SHA185f65d1409fa69be4eacb08bd2e20fd24c39c757
SHA2560352bab9892c303fefe59ed16aa2147e67ec586ecc541c7cb93f2dc3c9738b80
SHA512a2139e522b88ba54484557417142aa41d888167950eee1e1bb480222dfadb38c536f6d193ce1f9363a97655e243c603c9f64407dbe8e6a18a089e7174e93f03c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
2.3MB
MD5deb9f64ee23f25627884a143d411fb9c
SHA1448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize
104B
MD5b33c8997ecd39b1b7e8af929abd526c7
SHA1e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA25671340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
1KB
MD5f056d391568e0e6366b0b94faa33d178
SHA1783d3aeb49e3a0181f6a5ef3d2947cd8351d653c
SHA25630379a5e6080d0758fcb7ac7dc1d8ac00ac57bff046a38075565cca44545bf59
SHA512dd6fbc48d7321580001fdecf8ef989c48e20ca95211f5ab9ad556143671dfdb6753773abb4cdc252b1d38b0afb25ec7978d83c49bf584534c9b0715ea5e2a988
-
Filesize
1KB
MD50b8c597c544ca92a39ba973ae92df58a
SHA1f5a2a3cf7f9b62ccb95455253946805b6440551e
SHA256295af82088d5d6637fd37d87140b4f0958bf444e5da19a2eed83a82b33263caf
SHA512f2aa858673620208198072d60cd348dd43284e23093ea9b718de83113a92d36ba9a7d5de540d99213f466017dcbbdea558a9bf80da5e49cc1bb6650944688c97
-
Filesize
385B
MD508665af056e9f02f8e41fccba0223a57
SHA1aae30369b3a3b0ba93f1aeaa16a1f70e6b0102a2
SHA256b58089c2c23629d7b3b4aeabeb05f5e9897b3b704a9793a28963a2887c97b004
SHA5127ccb5127264554f1a48abb00cec28d4363e24e15f48af97bc188c2a1eb8c49d9bf907036326b09ca2e8986e9e15718349f68c2ec057210d27f1c37516345c876
-
Filesize
238B
MD5a1cf4ef00fc26e5c76b1a25f39eceabe
SHA1fd6a3f5130084cd0229696f95efe6269477c004d
SHA256aecad29984331933c7fc785f7b3e2d9d23e8f2f5f15f7081faa7a19c2821a14f
SHA512f0d26ce28c2f3e8edfc1ae0d2d97c64c1a49e183b2d47079e52132758a1709c8a905c425d1d2106618c3f02bef7b874be5f50b0d4cc026f255b8d2af3515888e
-
Filesize
412B
MD574184e7cf623dafaae4c0f7ee43bd846
SHA187d2891ecb571d5da9f8d036103c52a5a477b5df
SHA2564768354294f4c2bf0e7da323fdc5e2b289000a2dfc758cc0fb015188bc4ade53
SHA5125ff8692dfc92ed980083cfecaee449cff7c64ef0ecbfc4bd70ee038054ec61e90e4dd6ef689b44ff13e20c0ab1c0b4cf0b2ec55b9b1bbab0fca4d965e13630be
-
Filesize
265B
MD527c96d84e5e64b5fef0f4da8ea7df0de
SHA11c00deea6a39ac82b7a481e491a5b269111009cb
SHA256f6b4f46dbb82da2f683479ae21a9f0eff904787736f18ecbb686a7f57d2e128b
SHA51214fdebf848b9982c1152397bfccb93bf8ac1fdb2915fcde2cf207ef4f3d8441c48caa5963bbd1c198fcadf1b36b3e03084bfdd5597aae968ab7f1b0dd41f6b88
-
Filesize
376B
MD50e76792e2f189ebd515dd08a3439ce7d
SHA1b849a20c3edbf7497c2b51c52122b020ad11eb38
SHA2564f7d4700ec55f1892e7675b96631e895965a43cf9b5371880c6e81421fb3c166
SHA512cdf604428aeeedf49a164e2d0a0b3b951c6c00e14e37d59eb73398a778f8797da183fe4ee9e4b8cf6ee51734229b8a7e21c7ef0972fb83f9646cbbad90b74bf1
-
Filesize
229B
MD5257345ed1053f4712153e445c766f794
SHA145bbca7543194e64487d8ce67b94df4505a27064
SHA25666171b1a2cbfa8d30aa4e9a0dbd2d3b2d2690b8c467df457ce51d7ead331834e
SHA5121aa095b41f2a53eee4f9a7c5cfec0050ae83114eea7e8539228ab144ddfc42a56915b0218299eba75b4f81a3979683af606808623eef475787de2e2c9833a204
-
Filesize
363B
MD549fa88d420fdd1ebf6ccc7502a3a0440
SHA19f714b0c5c3c04e7efdff403b86d2912abffa0a4
SHA2568400774164fca8beb84de46b51977efc00d64ad7737c995f567c306394ea1d65
SHA512f58fd7dc484a002fbff7f885c7091aa98c3cf1441cb287973ead6e1176c42306b00b95b1f8d92c0c31ba5907ee233578242912b16d9320141bccfc32564c12f8
-
Filesize
235B
MD5c6084dfbd8a3cf108aa4b353ec1a6794
SHA195a6654c16d3fbdfcbab004fd973edf4da26134c
SHA256ed2551948abefa1ad588c35090e2b372131ec7c308ce9828d8284bd4069fac7a
SHA512199321f6dde85f03e3fc756c5007535cd5457dc07d5aff541b3f70fa72a17c5d88bec2cbc71ccd1c47183efdc7bde6297b94255393ce463a87588e7dd3b39841
-
Filesize
387B
MD5f89eafd0b179d6ab5e88a8ef9cf72571
SHA1e7749439c637a6c3312939e45e4138bbca6b4cbc
SHA25694716d64fe5fe00ba308ea8cc3045ee049c32f7e85ae0c495798814d29daf846
SHA512ae2b1d44dc3a7a6d2a176f1c6c8215146e63fee9746a35d546f823530ce85045f009883a0bb13a2433da7bbeb712e9edf4546cfd78f882521d4b478be0795421
-
Filesize
240B
MD5229c05a7925a4d7a27fc47de8dbe70e0
SHA1a583b49fcae846d3a78cf2622951bae56b169ebb
SHA256e8261ba8a17150d7eb50c210f8b93387256a2a631436a9b5cff06edeb69c1c67
SHA5120b328de9734a6d0f59177038b346f533a6ca07e14660f31ee57dc280e343e7cf390bd5dd4cf18b71357f16395804fc5a579dbfd1dc57d5f28c193d3ef66c715a
-
Filesize
1KB
MD5819218476efff19538c5e47775890416
SHA144268f9a7b24e4477c5a6917ca26b1e9d4938bcd
SHA256adfdb51bd795924a67fd2310d33e40f21f7dde44168e85dd416784cb6b1f5cd2
SHA512fc1d1655478034e6c2ac8082e00397f1a3c6b527714fc1576b52bef7b2a9faa5ff1d89b1501d598bbeac943e899631007237071ddb73242438aa375ab74d3bcd
-
Filesize
1KB
MD519e1421a54f1523ab11614835b872fb8
SHA1d2de7ead70215a7063c9598e4b22e2ddb2d8698b
SHA2561cac65243c3e3a5b909055f131d60f31713dac08a3252319eb2740f39925aa29
SHA512250bd7f0546d3ae68be7de5657666a0f4460ca6948e02d36d2e7a5a24b209682fb29126adbae5f8a94ba0d6903dcce0f07b71db6e18b69ed4cd31ea110f4798a
-
Filesize
1KB
MD58cb2d1f69e2730b5de634f6b6c12005f
SHA11f9496195f09f58a4e382994717a5da34086d770
SHA256f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea
SHA512d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda