Analysis
max time kernel
40s -
max time network
49s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted
27-10-2024 15:49
Static task
static1
Behavioral task
behavioral1
Sample
jarbest-obf.jar
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
jarbest-obf.jar
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
jarbest-obf.jar
Resource
win11-20241007-en
General
Target
jarbest-obf.jar
Size
6.8MB
MD5
183038eacde2898dd081ea76f73775a3
SHA1
c1ea9bbd90f8ce35ea00d09f76254976f35e3cba
SHA256
405633b7f6c5ecfa971f23dbb09e85d40224bb74c83ffdafb827b301bc413427
SHA512
edba63707f4f257eb94503fe481db88dd28347e0a2d01836242ed9052164d340ff629c1585054c28a8cd2c867a8968c467b14cf2ac05bf8c73164843fcfa91f9
SSDEEP
196608:TsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:TsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Gurcu family
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default 
User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", 
\"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", 
\"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\dotnet\\sysmon.exe\", \"C:\\Windows\\Temp\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Users\\All 
Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" RunShell.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4404 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4916 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2080 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3704 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1280 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 936 schtasks.exe 84 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 132 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 72 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4104 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3216 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1396 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3152 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4920 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1376 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3380 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4916 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3128 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to 
spawn this process 3584 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3124 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 392 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3336 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 396 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4956 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3856 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 936 schtasks.exe 84 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 936 schtasks.exe 84 -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 2960 powershell.exe 2536 powershell.exe 740 powershell.exe 4736 powershell.exe 940 powershell.exe 2820 powershell.exe 3152 powershell.exe 5116 powershell.exe 888 powershell.exe 4920 powershell.exe 3128 powershell.exe 844 powershell.exe 4636 powershell.exe 2076 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar tools.
pid Process 2012 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe -
Executes dropped EXE 11 IoCs
pid Process 3292 WinSFX.exe 2172 Checker.exe 1556 RunShell.exe 2772 msAgentreviewCommon.exe 3220 dllhost.exe 2092 dllhost.exe.exe 2012 unsecapp.exe 2628 winlogon.exe 4180 csrss.exe 3528 winlogon.exe.exe 2348 csrss.exe -
Loads dropped DLL 1 IoCs
pid Process 416 java.exe -
Adds Run key to start application 2 TTPs 36 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\Recovery\\WindowsRE\\dllhost.exe.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\Recovery\\WindowsRE\\dllhost.exe.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Common Files\\DESIGNER\\explorer.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\BrowserSvc\\services.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\csrss.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\sysmon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" dllhost.exe.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Temp\\winlogon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Temp\\winlogon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All 
Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\csrss.exe\"" dllhost.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\BrowserSvc\\services.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" msAgentreviewCommon.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: java.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 1 discord.com 1 raw.githubusercontent.com 17 discord.com 24 discord.com 26 raw.githubusercontent.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com 15 api.ipify.org 27 ipinfo.io 1 ipinfo.io 4 api.ipify.org -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCD3CD65E6827C48BD8926E2B0F3ED2AD3.TMP csc.exe File created \??\c:\Windows\System32\pf6bhg.exe csc.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files\dotnet\sysmon.exe msAgentreviewCommon.exe File created C:\Program Files\dotnet\121e5b5079f7c0 msAgentreviewCommon.exe File created C:\Program Files\Common Files\DESIGNER\explorer.exe dllhost.exe.exe File created C:\Program Files\Common Files\DESIGNER\7a0fd90576e088 dllhost.exe.exe File created \??\c:\Program Files\dotnet\CSC29F9D2F210D54158AE44B1A1E813920.TMP csc.exe File created \??\c:\Program Files\dotnet\sysmon.exe csc.exe File created C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe msAgentreviewCommon.exe File created C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9 msAgentreviewCommon.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Logs\886983d96e3d3e dllhost.exe.exe File created C:\Windows\Boot\Fonts\SppExtComObj.exe dllhost.exe.exe File created C:\Windows\Logs\csrss.exe dllhost.exe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1052 PING.EXE -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings dllhost.exe.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings msAgentreviewCommon.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2860 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1052 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1376 schtasks.exe 4916 schtasks.exe 2148 schtasks.exe 3152 schtasks.exe 3216 schtasks.exe 4512 schtasks.exe 2076 schtasks.exe 844 schtasks.exe 4864 schtasks.exe 1396 schtasks.exe 396 schtasks.exe 316 schtasks.exe 1952 schtasks.exe 132 schtasks.exe 1040 schtasks.exe 2644 schtasks.exe 2812 schtasks.exe 4468 schtasks.exe 3228 schtasks.exe 4916 schtasks.exe 3892 schtasks.exe 1892 schtasks.exe 1336 schtasks.exe 2900 schtasks.exe 1144 schtasks.exe 4104 schtasks.exe 3380 schtasks.exe 2792 schtasks.exe 3060 schtasks.exe 3596 schtasks.exe 2804 schtasks.exe 1028 schtasks.exe 4824 schtasks.exe 3128 schtasks.exe 392 schtasks.exe 1000 schtasks.exe 3856 schtasks.exe 548 schtasks.exe 3124 schtasks.exe 1592 schtasks.exe 4972 schtasks.exe 4404 schtasks.exe 3584 schtasks.exe 4324 schtasks.exe 5108 schtasks.exe 4180 schtasks.exe 72 schtasks.exe 2080 schtasks.exe 3704 schtasks.exe 1280 schtasks.exe 4920 schtasks.exe 3336 schtasks.exe 4956 schtasks.exe 2932 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 416 java.exe 888 powershell.exe 3128 powershell.exe 3128 powershell.exe 888 powershell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe 1556 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeBackupPrivilege 416 java.exe Token: SeBackupPrivilege 416 java.exe Token: SeSecurityPrivilege 416 java.exe Token: SeDebugPrivilege 416 java.exe Token: SeDebugPrivilege 3128 powershell.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeRestorePrivilege 416 java.exe Token: SeDebugPrivilege 1556 RunShell.exe Token: SeDebugPrivilege 844 powershell.exe Token: SeDebugPrivilege 2536 powershell.exe Token: SeDebugPrivilege 4636 powershell.exe Token: SeDebugPrivilege 940 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 2960 powershell.exe Token: SeDebugPrivilege 2772 msAgentreviewCommon.exe Token: SeDebugPrivilege 2092 dllhost.exe.exe Token: SeDebugPrivilege 2012 unsecapp.exe Token: SeDebugPrivilege 740 powershell.exe Token: SeDebugPrivilege 5116 powershell.exe Token: SeDebugPrivilege 3152 powershell.exe Token: SeDebugPrivilege 2820 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 4920 powershell.exe Token: SeDebugPrivilege 4180 csrss.exe Token: SeDebugPrivilege 3528 winlogon.exe.exe Token: SeDebugPrivilege 2348 csrss.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 416 java.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 416 wrote to memory of 2860 416 java.exe 82 PID 416 wrote to memory of 2860 416 java.exe 82 PID 416 wrote to memory of 3128 416 java.exe 88 PID 416 wrote to memory of 3128 416 java.exe 88 PID 416 wrote to memory of 888 416 java.exe 90 PID 416 wrote to memory of 888 416 java.exe 90 PID 416 wrote to memory of 3292 416 java.exe 93 PID 416 wrote to memory of 3292 416 java.exe 93 PID 416 wrote to memory of 3292 416 java.exe 93 PID 3292 wrote to memory of 4848 3292 WinSFX.exe 94 PID 3292 wrote to memory of 4848 3292 WinSFX.exe 94 PID 3292 wrote to memory of 4848 3292 WinSFX.exe 94 PID 3292 wrote to memory of 2172 3292 WinSFX.exe 95 PID 3292 wrote to memory of 2172 3292 WinSFX.exe 95 PID 3292 wrote to memory of 2172 3292 WinSFX.exe 95 PID 416 wrote to memory of 3124 416 java.exe 98 PID 416 wrote to memory of 3124 416 java.exe 98 PID 2172 wrote to memory of 468 2172 Checker.exe 100 PID 2172 wrote to memory of 468 2172 Checker.exe 100 PID 2172 wrote to memory of 468 2172 Checker.exe 100 PID 3124 wrote to memory of 2012 3124 cmd.exe 101 PID 3124 wrote to memory of 2012 3124 cmd.exe 101 PID 4848 wrote to memory of 2500 4848 WScript.exe 102 PID 4848 wrote to memory of 2500 4848 WScript.exe 102 PID 4848 wrote to memory of 2500 4848 WScript.exe 102 PID 2500 wrote to memory of 1556 2500 cmd.exe 104 PID 2500 wrote to memory of 1556 2500 cmd.exe 104 PID 1556 wrote to memory of 1432 1556 RunShell.exe 108 PID 1556 wrote to memory of 1432 1556 RunShell.exe 108 PID 1432 wrote to memory of 1472 1432 csc.exe 110 PID 1432 wrote to memory of 1472 1432 csc.exe 110 PID 1556 wrote to memory of 2076 1556 RunShell.exe 126 PID 1556 wrote to memory of 2076 1556 RunShell.exe 126 PID 1556 wrote to memory of 4636 1556 RunShell.exe 127 PID 1556 wrote to memory of 4636 1556 RunShell.exe 127 PID 1556 wrote to memory of 844 1556 RunShell.exe 128 PID 1556 wrote to memory of 844 1556 RunShell.exe 128 PID 1556 wrote to memory of 940 1556 RunShell.exe 129 PID 1556 
wrote to memory of 940 1556 RunShell.exe 129 PID 1556 wrote to memory of 2536 1556 RunShell.exe 131 PID 1556 wrote to memory of 2536 1556 RunShell.exe 131 PID 1556 wrote to memory of 2960 1556 RunShell.exe 132 PID 1556 wrote to memory of 2960 1556 RunShell.exe 132 PID 1556 wrote to memory of 2860 1556 RunShell.exe 138 PID 1556 wrote to memory of 2860 1556 RunShell.exe 138 PID 2860 wrote to memory of 3892 2860 cmd.exe 140 PID 2860 wrote to memory of 3892 2860 cmd.exe 140 PID 2860 wrote to memory of 2148 2860 cmd.exe 141 PID 2860 wrote to memory of 2148 2860 cmd.exe 141 PID 468 wrote to memory of 1372 468 WScript.exe 142 PID 468 wrote to memory of 1372 468 WScript.exe 142 PID 468 wrote to memory of 1372 468 WScript.exe 142 PID 1372 wrote to memory of 2772 1372 cmd.exe 144 PID 1372 wrote to memory of 2772 1372 cmd.exe 144 PID 2772 wrote to memory of 2976 2772 msAgentreviewCommon.exe 148 PID 2772 wrote to memory of 2976 2772 msAgentreviewCommon.exe 148 PID 2976 wrote to memory of 4916 2976 csc.exe 150 PID 2976 wrote to memory of 4916 2976 csc.exe 150 PID 2772 wrote to memory of 2888 2772 msAgentreviewCommon.exe 151 PID 2772 wrote to memory of 2888 2772 msAgentreviewCommon.exe 151 PID 2888 wrote to memory of 3676 2888 csc.exe 153 PID 2888 wrote to memory of 3676 2888 csc.exe 153 PID 2772 wrote to memory of 3552 2772 msAgentreviewCommon.exe 154 PID 2772 wrote to memory of 3552 2772 msAgentreviewCommon.exe 154 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2012 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\jarbest-obf.jar1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion2⤵
- Checks BIOS information in registry
- Modifies registry key
PID:2860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3dncrutf\3dncrutf.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB268.tmp" "c:\Windows\System32\CSCD3CD65E6827C48BD8926E2B0F3ED2AD3.TMP"7⤵PID:1472
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZC7qAt698k.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:3892
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2148
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"7⤵
- Executes dropped EXE
PID:3220 -
C:\Recovery\WindowsRE\dllhost.exe.exe"C:\Recovery\WindowsRE\dllhost.exe.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2092 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1lkdiwo\y1lkdiwo.cmdline"9⤵PID:4868
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD91.tmp" "c:\Users\Default User\CSC92BE0D79542142F5831CB666BAF06D41.TMP"10⤵PID:3452
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eqa5jqjf\eqa5jqjf.cmdline"9⤵
- Drops file in Program Files directory
PID:3852 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE1D.tmp" "c:\Program Files\dotnet\CSC29F9D2F210D54158AE44B1A1E813920.TMP"10⤵PID:3348
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fm0deu2x\fm0deu2x.cmdline"9⤵PID:1536
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED9.tmp" "c:\Windows\Temp\CSC628B9EF1BF9E41A3B8397470B2FB5722.TMP"10⤵PID:4680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\csrss.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\explorer.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\WmiPrvSE.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G6Sq1bPKWo.bat"9⤵PID:1428
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:4976
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1052
-
-
C:\Windows\Logs\csrss.exe"C:\Windows\Logs\csrss.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
-
-
C:\Users\Default User\unsecapp.exe"C:\Users\Default User\unsecapp.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\BrowserSvc\msAgentreviewCommon.exe"C:\BrowserSvc/msAgentreviewCommon.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3lcjeyu\y3lcjeyu.cmdline"7⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8ED.tmp" "c:\BrowserSvc\CSC664C01BC4FC54326AD9D6070A184731.TMP"8⤵PID:4916
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ycgi03ax\ycgi03ax.cmdline"7⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC97A.tmp" "c:\Recovery\WindowsRE\CSCAE32E72999AD441AAB82CFE4D3697A9.TMP"8⤵PID:3676
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0w1qtfqn\0w1qtfqn.cmdline"7⤵PID:3552
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9F7.tmp" "c:\Users\Default User\CSCAC3AE19FE62441A8B2108578AF87D50.TMP"8⤵PID:4052
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\noq05adi\noq05adi.cmdline"7⤵PID:888
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp" "c:\Recovery\WindowsRE\CSC2BF4454A81490DA8A9E1746FE67418.TMP"8⤵PID:4680
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lovqef4a\lovqef4a.cmdline"7⤵PID:2588
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC1A.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSCE373D6F7F5014A9B966377FBD86784.TMP"8⤵PID:2768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ASrzV9oBVJ.bat"7⤵PID:548
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2884
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2768
-
-
C:\Windows\Temp\winlogon.exe"C:\Windows\Temp\winlogon.exe"8⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\Logs\csrss.exe"C:\Windows\Logs\csrss.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-
C:\Windows\Temp\winlogon.exe.exe"C:\Windows\Temp\winlogon.exe.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
-
-
-
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform2⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2012
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\BrowserSvc\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\BrowserSvc\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:72
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 8 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\BrowserSvc\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost.exed" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost.exe" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost.exed" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 3
Downloads
-
Filesize
200B
MD58bb10502019ed38b3210cb6192c6a04b
SHA1125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA2567ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5d6da62e1a07048cb1764846ff9e5991f
SHA116630a915028d374ef42fea0d1f34c8fae292e17
SHA256b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5fe563f1526b6875781652660d9b2421a
SHA18ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA51242ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
4KB
MD5a7148a441bb749e484da95998d76cb84
SHA1c2d9c7bd3695ca55c2e17d4a6a12f738729c7749
SHA256f0a711fd9f23b995f1551d5d9a6d34d5bceb33a70525bb370154f6ed3968ca13
SHA5129fdc3a1e44eea8cd13cdd4c957ba2a4d5756962c454e22a026289fc7904532b2ed013635eba6708d6ff50104f67d7a9dd4ed6a5abac93e9f1c53db224be02d25
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD5e3840d9bcedfe7017e49ee5d05bd1c46
SHA1272620fb2605bd196df471d62db4b2d280a363c6
SHA2563ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA51276adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
-
Filesize
944B
MD56f0e62045515b66d0a0105abc22dbf19
SHA1894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a
-
Filesize
944B
MD5c8e142ee24a77ad7f21f6a741d48c8da
SHA12f174ae49dd03c3b2acd2f9cb2f4e1913908e749
SHA256e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961
SHA512ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799
-
Filesize
944B
MD5d43afd1382296faf6bd410f36ae5885b
SHA12db060e876bc190264c9a394d2c250b2ed9e00a5
SHA2568e3964d648486cb54b2dc887e53fd0616744ecf2ba4e319afabd28e69663fec9
SHA512953ef19c61e75241dcb1ca0b8ec4d0c42d29450e83bb16cbd14a24876e779fc48b7be982c406a8084650c50b75fb6915ba2a4b8a01bfa7d34e58d121858b0d65
-
Filesize
944B
MD5831a49c2ad2ceba4f6bbe6ea6a75dde5
SHA1ba2023dd9b7d33cc71d8683347f961dfedcf0d0f
SHA25675281433e3273599256d84e48d4f272cb6b4599afb49227091912ac94212ff66
SHA512bf5bdda89a6669e586c28989808a436b9c1be726d5d3495eef5dabca5db2db9592a0ff33c6b1b23e20cb29cc4573035e0fa78853adcbc97ca101461c1e96c6e4
-
Filesize
1KB
MD5fccd60b95a68babf7468fd992135d1f8
SHA13a2c47efa4f6579a247b669ff91cb29b1c21c9f8
SHA2567ffe10f065856630a2b59619880f860b0a43e89f3dfdc1b12581bd7196a44641
SHA51262e20a0abf25e42088f42167de34067862960c6b2c66e4133b7070a87161083210bf5a8a52b91de7c7c405275ed8e7b97b6cf2710760bbb092c4c7e8bf03cbae
-
Filesize
1KB
MD5fe2c3d787968abb0686a8bc5bdb87227
SHA11c1f51a5bc0b9fd67b442c3db3a471296598440f
SHA25654e6aeff543aea13e1d1365ed706b1432e2f2dbe97976de8e1a410ce00fbd0a3
SHA5127de27102bc47da7bc891a7cf86ef40b1d4d8938ea265b63ce815000c3ed8d8ab7b5c45cbee5107453e16a2b8ef358b08fe9077c4d05373a99f2d1deff00b5b1b
-
Filesize
1KB
MD5b6516dbd4b4decb3327a34a7caa31a3f
SHA13c5fce45a9cb2cf7de62470ed0565a0fc8f21a01
SHA256e0cfcb67d26960bad659414191452a4c817adc5f86d62cd2f5e2ba5cf189d018
SHA5123fc9978254ec194a65c1506e6b196303a81dce2daf58b4d131e6ea63b9a96d87e7aa818465a67bdbd89dc5380f95b145be4d81b404dc09eea4eb2af5cc4b5dfd
-
Filesize
1KB
MD5b07883cc144e006b2148e79b6d4f411b
SHA1965b80edc97d06d766efa2a4daeb96cdad146215
SHA256c289e081b40c240b494d6a60ddf976a820ee3cae8e5eaac638eb8942f4364704
SHA5128cef1e8c4a33e8cd457606f04d1aadd14204c6ea78032ab8616af9640c4d2f6bf02a04ba59af54c8a9f818f77c2c2f3063800422c970c592f1dc0e33912cc65f
-
Filesize
1KB
MD5f404cf19678be94431c779b180d1658f
SHA1ba0bf4fa943361aa3085d6ccacf285de58721a6b
SHA25672ee0078c439352f3e663f011f2500f91153ce51429ae59ab9a914fbd4fa1316
SHA51201d314f4d5e0974fdd06a9f7313a07c4e4a916918dcf4f92bbcc43039ffba2991494e4fef3d037c133e385bcd4bd370392c7c29937510fd53dc643a77fab8024
-
Filesize
1KB
MD5d66193e467eb36eb64ee4535d44f477a
SHA1d3803cb8ad2869cb67b94501be39e13cfaa686cb
SHA25673d1e1adccf64c23196e9bbc20c9bcc55015816e34695e5dfc6715d6f01df911
SHA5124b865f2323171cf838dd3793053dc1e5d93ebba412ab33238d549e719e46db76dd363986b7319e220f0c3b38ac028d3479659b494b1c37c93b934d7e7c45c08a
-
Filesize
1KB
MD5858c9af7772815c5a414f3e480ee1438
SHA1c8731a870c9de704a4949cb5c07e40262596c26f
SHA256aa54a9c520d03f73929cbe8788d87dc25cdde3b25f7b10ff00a919121c1afb08
SHA512f52e64c5c8e19840b3423d5df3eafdb75b5a8c84d32c3e5e64a0f9423db8062d7ef3e3fcbfa7368759b13c69b3ebf89386df0c580cd1ff60d8be09b416a16891
-
Filesize
209B
MD518fa6d4adfd35b4358ccc4ccff9f5ccb
SHA1157335ba7cdb64208a0fb7957ae08bbaf38942b2
SHA256c28f3b4fbe406e1ed106118c06f2dfbca7a01179ccf1856a1a0b1585b96843bb
SHA5127cb93b286a0a715b70d10839b8b8b19d73ca20f2ea45b2a3462110ffd2eea3d0bf0a7883ef303621313860ac4d287f8ce24bcf4b51464339e2039220b947df3f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
2.3MB
MD5deb9f64ee23f25627884a143d411fb9c
SHA1448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
427KB
MD58d860de39a47014bb85432844205defc
SHA116b6485662cc4b57af26f1ee2fe5e5595156264d
SHA2566f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD55299f191d092a082374029620d0184cd
SHA1154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA2569c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize104B
MD5b33c8997ecd39b1b7e8af929abd526c7
SHA1e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA25671340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
1KB
MD5780929fe2feb53fb270143ab0691854b
SHA1be3e8b5c1d5a2897e95e7d00420b738c3bc311b4
SHA2561367fb29f1eed5f5360fc57d0f73955ab54997791757fde595e53df3df43dac7
SHA5127c30065be290afb2351786dd8900fd128dd822592d8c73959f0eb1ee633fef3e140f7ed5b54b16c747d7410b3486bc798136224b5ad923bad4fdf491e97ee272
-
Filesize
1KB
MD5f056d391568e0e6366b0b94faa33d178
SHA1783d3aeb49e3a0181f6a5ef3d2947cd8351d653c
SHA25630379a5e6080d0758fcb7ac7dc1d8ac00ac57bff046a38075565cca44545bf59
SHA512dd6fbc48d7321580001fdecf8ef989c48e20ca95211f5ab9ad556143671dfdb6753773abb4cdc252b1d38b0afb25ec7978d83c49bf584534c9b0715ea5e2a988
-
Filesize
1KB
MD56599147cdd55fb94e4b3db19edb1cf2f
SHA1e070030015f8a36bdc33e497f7265eda65e5340c
SHA2567c795f1fcfafc6da2ed1f889078a53dd907a0de440d943983aab9662c7fa7c9c
SHA51235e5f6e956f8faa52cf4a6c037959c1139aada7b77d0cb387ab17e8f3a67bd89a57b0e9115752b25275717ddbc40f44be07aed70221518f6a56e5f8be95c654c
-
Filesize
1KB
MD50b8c597c544ca92a39ba973ae92df58a
SHA1f5a2a3cf7f9b62ccb95455253946805b6440551e
SHA256295af82088d5d6637fd37d87140b4f0958bf444e5da19a2eed83a82b33263caf
SHA512f2aa858673620208198072d60cd348dd43284e23093ea9b718de83113a92d36ba9a7d5de540d99213f466017dcbbdea558a9bf80da5e49cc1bb6650944688c97
-
Filesize
375B
MD51d0dc3640c5746d40db3e41a6812fe4d
SHA110f3380b95e28de59a18716199f8dde2d9b82338
SHA256b4ce967f71e9eb1807fd761698896f8d1fbf3a3b18c2fc05ff028cb8caeabace
SHA512d767897d56058cbdbbb32b69a9d2aa6445ba717f6736b5d7267f0b80f9129f4929dce26dab7400a6743e28987f37b3abfe42196f4818be7282c210713a730776
-
Filesize
244B
MD54f80418b74f72bdf451bcb5d1ce780de
SHA10754cfd2b6d9dd1cc83d53749eb5e2e400321a63
SHA256861e924cc6cc6eab48fa44344d4b061edf3727800bbae1fe9d016a8f94d636bc
SHA5127168f2dedd6530ce213c85197809b56a03dba71764fec7213648b934157136ae2de55dd28e85c4a9fa68ee21ef7381f1d7a61c79fe32da30853df037e8331a4f
-
Filesize
358B
MD5f11f106cad245ddd402b30fe4eb2cb20
SHA1fbb2717d8950c2efb9f1526400bf903ed395c899
SHA256024f19453f3c6b96414bbf076860558fe7d1757476ddba43d18d9a7e66bfae64
SHA512aa592dffa5be4e048d40ad6c704ca444758274b424696df98f2138b1ac14494657c14dbdb46640255d2a4d9f5008219d242c9ffe046145463fe29aa8afeeb7e2
-
Filesize
235B
MD510894baf012e3d2ad0088c1cf1d1b1b4
SHA1ecc9a15dec91b49f4cace63a3daad00d7d2768f4
SHA25624bf5c65da0c5c8afbed785d18c3ea183521b1ce111a3aea86d54a6c1c5655e7
SHA512cfd04dacaf9fcdffa6fa31e7daf1fe5369dbbed768d25f1730bb933c72a1f8ea44ca4a20cc1bce2f864a327448734de42077f11f93aa6937d83b6c342dc3afe0
-
Filesize
361B
MD5f831e4eab1bc434d85018edefaec699e
SHA153e28f8c0482a1e8fe47c8504cfa74d77ccf4843
SHA2565261b955a80e747fd588bf0244870e52ce3eec6e442ac8f02aad8accc6bf2fe6
SHA5127f537de0eb25c3a459bec4a0946e335b963ded260ae7dd0216b0af37f92506f8945c7bf829ba32e2a955cafd32075f184db32fd1e7fec11155567f793fcea420
-
Filesize
239B
MD5ed40e4c51e59da30c068b9d4e6c8f398
SHA1f1f55a1e03fcc67c6ed3ec6bd6b70cd557fa03a8
SHA2560fe645fcc871d4cbbef95e5928de3675017c3be719aa77a0886874bacbd4776a
SHA512f50811b920e4d81488a9d778bb0a5ecff5c51a4ccb8ccc60466bf07e19063c1f818af0cc3faf8e007c9d95a833a1a41ef3fe442ff35e185b53359de7445fc7c1
-
Filesize
233B
MD537daaccee31874844c9a4168b1e1ac22
SHA1d970bc6eca793a088eaf923c3767153ece0f5e14
SHA256001c426ec7d9001dc9b2b1c5f7a089f65d57503452c5fff032b7fbe807e85db3
SHA512b5f8efb2913adcdf456e3e631d3aef475be3b2269717620116e4f7019d01780429047f7bf50e26cabb187706dc6d12c89017c5dce3d5b3c84e3ad9af69563f0b
-
Filesize
396B
MD5d6804ad42ccb8ad997230fb090f791e6
SHA115b1b40214586a59aca5cac0212852be5e6ff1be
SHA256931b8ec469ee04a52d07f7c2dab7381c5dcc46bc1812c4cef376876053742e43
SHA512b4a9f4f4209bbd8f3649e5fc1220e998715f85237966d9f55588598a8359c7db030b1e9617c39c57e5c58fe46bb4f87bfeeee9dcca3dfd55cfc977fdb44714c5
-
Filesize
265B
MD586ecd2b527f6678a59d3d7a197e6b957
SHA1404407d9b4915c4f3d31341720a057596f3d9565
SHA256f0094cc023fba8985af20207ae3ac9a94b9d73f2bd184a470290785f884b0a0c
SHA512cd175342410228b1a5da8cdb4d664f7e4060b93cbd6f91f47e5a8d1336b4d705df5c0862de0f7ec9dfed82fcfbf245e434f3adb8b2442b58939f160f4a2cd860
-
Filesize
369B
MD5fcc20b76709fda568c64ca579e91db39
SHA1e40e19a6320ac815b7ee1b08a1e2875659b4473c
SHA2564680c2dbdeb2140975a76751984bbf2ee36a21b54372b2df38c5c1817173e2de
SHA512bb5f3384b139655e43a41348c9e91604f48909197627624cc46d27c37991b66a5cb9db0f79a6ef5ec44012f7b9412cb2ba952f909e7c8b21e24080814428f118
-
Filesize
238B
MD57375e80383acaa19aa199544201e9fcc
SHA125d464623b42c84121906ec45b0ddecaf4053634
SHA256bad8420c51d434602086399d813338000227ca01e626fbd5345b41a00cd8ee3a
SHA512dedcb91b96c8c55c1598b7951760ae86d69403b2bd85349abafd831b6c65df7375cd1bc5f146c237a5c3da198e0f085d348a2d60b3c4df4d26cb1591384c522c
-
Filesize
361B
MD5b4d70f333fe583a1b7e0b0984777c2bd
SHA16d6de86e221ec98c6e9fde1fee69a5d998e0385e
SHA25671886409bd20d9920297045b19d70ce149f94f7c667e1f286321e810203110a3
SHA5126baeaf6a32308f19a79b65178679e2a7d2555f5dbb32f3b31fccc15d4890f9b1d17a201ff8c8a34d0ecc8caebe7a1560546fdc618937f5412ab3fb87fde070f6
-
Filesize
239B
MD5a94cb89a756ce1ecfd008f71984e4caf
SHA1d5d5fab7b792e3588b47acdb7e11ee6863f4d4b0
SHA25674df2009a0a0e0262631877b6ea7cabfe8800997325ccd1f1a79e6986a174c5e
SHA512e54f9c010ce82248bb01b1163fbf4896c51a13e20eb0cc0d3a0e0812a70dffb67856dff7338b80d915ebe4eea02d81e4ef30a9055fb4242a6c10d67e66f114e8
-
Filesize
362B
MD518723a14d4e779448dc7ecfc838eafb7
SHA18ee1699c6ce822218dc7f34363fe0b87fd4deecd
SHA2569b0638a90542a5ae106e152e74e56d2a1e59e4cc7a74ba9f07f256642e3a8fd1
SHA512ae616ee74a9c6e2591e247b2a3361f8722d04f4e1a0064ee50a7b0d22ffa33b70fe6f4114e586dc23a6e29296e3af71427eeb0c45af63ad4b4518c955116e1e2
-
Filesize
231B
MD51a7e82206f5f11b64e7c02d396367044
SHA194ee095249584309c4599946fac18ea9465c6b61
SHA2566339fcb708af4a6a99849b28de8d578eb8e946e46a88ac6537b3285535cf9cdb
SHA512c3f6e6b54d4e20ba1430376695308835ba4cfcf9e0081b183df19083b948dc295f5fc4551192caaf15a4ecaf21e211b8d9f48bc847c3587260e4e9d86a74a475
-
Filesize
369B
MD55ac6c857e9fc023031a47ac958cbb2e5
SHA18a866030bc4a7d85446e3dfd6e298e8a71de4891
SHA256577b46fcc299d86869498d9a5b5eb90c83e8f93d5e5834b362f21a9041ac708e
SHA51282cdc2e7edb910c8116a7daffaeab8c26b1512f911e330963e5ab9822d0355c0521257e119e2bc95bbdcda5bb0d2eb192e37d352d6029f35446f9358ee8e0739
-
Filesize
238B
MD58629a01c9bd71d8caa3c69e953cd8a7d
SHA1d80310dc55aa4b21640eff9dfa64e15d79727606
SHA256aa5c8ca3d4965aa40099b1216b14b3b9a09c737bea692978a3cc2916dbf305d2
SHA51263c3f4bcc3ff8ae8bdf4c542c2abf4c54bcb2ad996e7be98a835465be26255ae635bb4f7fe3682eec6c91ba4f9b5842eb4541583b017009e9bf6fcadb89e85aa
-
Filesize
1KB
MD52b854aa4ad703ddd796b59a5b6213e83
SHA12dfa8f55c5c1a24e75aaff8362211c32ce5e37bb
SHA256e3606666627a83b92b4ecc9c1df7c3f6a627ef8e49f477c249535ed4077f841e
SHA5121d8748f0121b947c425514babbd9c87e7070caec1adcc1be598b513707376f22dddb9dbe31c71baf70ad30b46638b15caa89f5cf84b9b31065f8cc47ec386e64
-
Filesize
1KB
MD58cb2d1f69e2730b5de634f6b6c12005f
SHA11f9496195f09f58a4e382994717a5da34086d770
SHA256f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea
SHA512d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda
-
Filesize
1KB
MD554a5996cbde821a9af661e0a87f72fe0
SHA178f3b0738e15ceb9edd17d90dd3dc68c9d42658f
SHA256ed14104f62993b17bcd142ee2716120393de87b43772fcc2baf7fd2d87c5bf0a
SHA51232eca948504a8ad573e736d0bccbf4a389bd6d16a7bba6e2bbf14bac649bde91dcb1d3a0cf483b8f83b99942ca813d91e45ac00ccbb2518e3b19ceb2f770d0f4