Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/10/2024, 15:51
Static task
static1
Behavioral task
behavioral1
Sample
jarbest-obf.jar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
jarbest-obf.jar
Resource
win10v2004-20241007-en
General
-
Target
jarbest-obf.jar
-
Size
6.8MB
-
MD5
183038eacde2898dd081ea76f73775a3
-
SHA1
c1ea9bbd90f8ce35ea00d09f76254976f35e3cba
-
SHA256
405633b7f6c5ecfa971f23dbb09e85d40224bb74c83ffdafb827b301bc413427
-
SHA512
edba63707f4f257eb94503fe481db88dd28347e0a2d01836242ed9052164d340ff629c1585054c28a8cd2c867a8968c467b14cf2ac05bf8c73164843fcfa91f9
-
SSDEEP
196608:TsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:TsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET remote-access trojan, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Rewrites HKLM\...\Winlogon\Shell so that explorer.exe is followed by the dropped payload paths; because explorer.exe stays first, the desktop still loads normally. The value is rebuilt incrementally by RunShell.exe and msAgentreviewCommon.exe as each payload is staged, so the last write lists every persisted binary.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Users\\Public\\WmiPrvSE.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Users\\Public\\WmiPrvSE.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Users\\Public\\WmiPrvSE.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Users\\Public\\WmiPrvSE.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\RuntimeBroker.exe\", \"C:\\Users\\Public\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\BrowserSvc\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\BrowserSvc\\MoUsoCoreWorker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe -
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is wmiprvse.exe and every child is schtasks.exe, which is consistent with the sample creating scheduled tasks through WMI (e.g. Win32_Process.Create) rather than an exploit of WmiPrvSE itself; treat the 36 launches as persistence setup for the dropped binaries.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4240 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4356 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4560 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4660 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1120 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3124 3020 
schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4840 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4172 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3268 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3904 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 568 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 3020 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 3020 schtasks.exe 91 -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell Add-MpPreference to add Windows Defender exclusions. In this run the exclusions are paths only: first the user profile and the whole system drive (effectively disabling on-access scanning for the disk), then each dropped payload location individually.
pid Process 5028 powershell.exe 3572 powershell.exe 1976 powershell.exe 4732 powershell.exe 1896 powershell.exe 888 powershell.exe 2956 powershell.exe 2252 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2320 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read to detect sandbox or virtual-machine environments. Here it is queried with `reg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion`, launched directly from the java.exe parent.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely to geofence execution.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Checker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RunShell.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation msAgentreviewCommon.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe java.exe -
Executes dropped EXE 6 IoCs
pid Process 1348 WinSFX.exe 4556 Checker.exe 1780 RunShell.exe 3052 msAgentreviewCommon.exe 3876 csrss.exe 948 Idle.exe -
Loads dropped DLL 1 IoCs
pid Process 1848 java.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Desktop\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\BrowserSvc\\fontdrvhost.exe\"" RunShell.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\BrowserSvc\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\RemotePackages\\RemoteApps\\conhost.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\BrowserSvc\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\My Notebook\\backgroundTaskHost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Desktop\\Idle.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" RunShell.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\BrowserSvc\\MoUsoCoreWorker.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\WmiPrvSE.exe\"" msAgentreviewCommon.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: java.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 35 raw.githubusercontent.com 26 discord.com 29 discord.com 30 discord.com 34 raw.githubusercontent.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 44 ipinfo.io 17 api.ipify.org 18 api.ipify.org 21 ip-api.com 43 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCC153F5A2E18C452CA027C46ABAB80FF.TMP csc.exe File created \??\c:\Windows\System32\lhkpi-.exe csc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Windows Sidebar\csrss.exe csc.exe File created C:\Program Files (x86)\Windows Sidebar\csrss.exe RunShell.exe File created C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e RunShell.exe File created \??\c:\Program Files (x86)\Windows Sidebar\CSC7098C1159379401586BEEB8DCCDD8562.TMP csc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Migration\WTR\Idle.exe msAgentreviewCommon.exe File opened for modification C:\Windows\Migration\WTR\Idle.exe msAgentreviewCommon.exe File created C:\Windows\Migration\WTR\6ccacd8608530f msAgentreviewCommon.exe File created C:\Windows\RemotePackages\RemoteApps\conhost.exe msAgentreviewCommon.exe File created C:\Windows\RemotePackages\RemoteApps\088424020bedd6 msAgentreviewCommon.exe File created C:\Windows\Boot\Resources\services.exe RunShell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the victim system's language in order to infer the host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this run the target is localhost (`ping -n 10 localhost`), the common batch-file idiom for a delay of roughly ten seconds before launching the next stage, rather than a real connectivity check.
pid Process 4560 PING.EXE 4488 PING.EXE -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings msAgentreviewCommon.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings WinSFX.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2316 reg.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4560 PING.EXE 4488 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4012 schtasks.exe 568 schtasks.exe 5044 schtasks.exe 4356 schtasks.exe 1120 schtasks.exe 4840 schtasks.exe 5044 schtasks.exe 1716 schtasks.exe 5112 schtasks.exe 3276 schtasks.exe 4660 schtasks.exe 2764 schtasks.exe 4520 schtasks.exe 1476 schtasks.exe 4488 schtasks.exe 4552 schtasks.exe 5068 schtasks.exe 4172 schtasks.exe 2588 schtasks.exe 2680 schtasks.exe 4360 schtasks.exe 1628 schtasks.exe 4560 schtasks.exe 2060 schtasks.exe 3976 schtasks.exe 3268 schtasks.exe 1780 schtasks.exe 4520 schtasks.exe 2764 schtasks.exe 1600 schtasks.exe 3124 schtasks.exe 3308 schtasks.exe 3904 schtasks.exe 4240 schtasks.exe 2908 schtasks.exe 5108 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 1848 java.exe 888 powershell.exe 888 powershell.exe 1896 powershell.exe 1896 powershell.exe 888 powershell.exe 1896 powershell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe 1780 RunShell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3876 csrss.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 1848 java.exe Token: SeBackupPrivilege 1848 java.exe Token: SeSecurityPrivilege 1848 java.exe Token: SeDebugPrivilege 1848 java.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeDebugPrivilege 1896 powershell.exe Token: SeRestorePrivilege 1848 java.exe Token: SeDebugPrivilege 1780 RunShell.exe Token: SeDebugPrivilege 4732 powershell.exe Token: SeDebugPrivilege 1976 powershell.exe Token: SeDebugPrivilege 3572 powershell.exe Token: SeDebugPrivilege 5028 powershell.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 3052 msAgentreviewCommon.exe Token: SeDebugPrivilege 3876 csrss.exe Token: SeDebugPrivilege 948 Idle.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1848 java.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1848 wrote to memory of 2316 1848 java.exe 89 PID 1848 wrote to memory of 2316 1848 java.exe 89 PID 1848 wrote to memory of 1896 1848 java.exe 95 PID 1848 wrote to memory of 1896 1848 java.exe 95 PID 1848 wrote to memory of 888 1848 java.exe 96 PID 1848 wrote to memory of 888 1848 java.exe 96 PID 1848 wrote to memory of 1348 1848 java.exe 100 PID 1848 wrote to memory of 1348 1848 java.exe 100 PID 1848 wrote to memory of 1348 1848 java.exe 100 PID 1348 wrote to memory of 4268 1348 WinSFX.exe 101 PID 1348 wrote to memory of 4268 1348 WinSFX.exe 101 PID 1348 wrote to memory of 4268 1348 WinSFX.exe 101 PID 1348 wrote to memory of 4556 1348 WinSFX.exe 102 PID 1348 wrote to memory of 4556 1348 WinSFX.exe 102 PID 1348 wrote to memory of 4556 1348 WinSFX.exe 102 PID 1848 wrote to memory of 2064 1848 java.exe 104 PID 1848 wrote to memory of 2064 1848 java.exe 104 PID 2064 wrote to memory of 2320 2064 cmd.exe 106 PID 2064 wrote to memory of 2320 2064 cmd.exe 106 PID 4556 wrote to memory of 3548 4556 Checker.exe 107 PID 4556 wrote to memory of 3548 4556 Checker.exe 107 PID 4556 wrote to memory of 3548 4556 Checker.exe 107 PID 4268 wrote to memory of 4564 4268 WScript.exe 110 PID 4268 wrote to memory of 4564 4268 WScript.exe 110 PID 4268 wrote to memory of 4564 4268 WScript.exe 110 PID 4564 wrote to memory of 1780 4564 cmd.exe 112 PID 4564 wrote to memory of 1780 4564 cmd.exe 112 PID 1780 wrote to memory of 2452 1780 RunShell.exe 116 PID 1780 wrote to memory of 2452 1780 RunShell.exe 116 PID 2452 wrote to memory of 4120 2452 csc.exe 118 PID 2452 wrote to memory of 4120 2452 csc.exe 118 PID 1780 wrote to memory of 4732 1780 RunShell.exe 134 PID 1780 wrote to memory of 4732 1780 RunShell.exe 134 PID 1780 wrote to memory of 1976 1780 RunShell.exe 135 PID 1780 wrote to memory of 1976 1780 RunShell.exe 135 PID 1780 wrote to memory of 3572 1780 RunShell.exe 136 PID 1780 wrote to memory of 3572 1780 RunShell.exe 136 PID 1780 wrote to memory 
of 5028 1780 RunShell.exe 137 PID 1780 wrote to memory of 5028 1780 RunShell.exe 137 PID 1780 wrote to memory of 2252 1780 RunShell.exe 138 PID 1780 wrote to memory of 2252 1780 RunShell.exe 138 PID 1780 wrote to memory of 2956 1780 RunShell.exe 139 PID 1780 wrote to memory of 2956 1780 RunShell.exe 139 PID 1780 wrote to memory of 4328 1780 RunShell.exe 146 PID 1780 wrote to memory of 4328 1780 RunShell.exe 146 PID 4328 wrote to memory of 4136 4328 cmd.exe 148 PID 4328 wrote to memory of 4136 4328 cmd.exe 148 PID 4328 wrote to memory of 4560 4328 cmd.exe 149 PID 4328 wrote to memory of 4560 4328 cmd.exe 149 PID 3548 wrote to memory of 4944 3548 WScript.exe 150 PID 3548 wrote to memory of 4944 3548 WScript.exe 150 PID 3548 wrote to memory of 4944 3548 WScript.exe 150 PID 4944 wrote to memory of 3052 4944 cmd.exe 152 PID 4944 wrote to memory of 3052 4944 cmd.exe 152 PID 3052 wrote to memory of 1704 3052 msAgentreviewCommon.exe 156 PID 3052 wrote to memory of 1704 3052 msAgentreviewCommon.exe 156 PID 1704 wrote to memory of 3612 1704 csc.exe 158 PID 1704 wrote to memory of 3612 1704 csc.exe 158 PID 3052 wrote to memory of 1980 3052 msAgentreviewCommon.exe 159 PID 3052 wrote to memory of 1980 3052 msAgentreviewCommon.exe 159 PID 1980 wrote to memory of 2116 1980 csc.exe 161 PID 1980 wrote to memory of 2116 1980 csc.exe 161 PID 3052 wrote to memory of 4540 3052 msAgentreviewCommon.exe 162 PID 3052 wrote to memory of 4540 3052 msAgentreviewCommon.exe 162 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2320 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\jarbest-obf.jar1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion2⤵
- Checks BIOS information in registry
- Modifies registry key
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a4vpmxnu\a4vpmxnu.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4A5.tmp" "c:\Windows\System32\CSCC153F5A2E18C452CA027C46ABAB80FF.TMP"7⤵PID:4120
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\fontdrvhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\MoUsoCoreWorker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backgroundTaskHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'  6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C4QSdvLa5k.bat"  6⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\system32\chcp.com  chcp 65001  7⤵  PID:4136
-
-
C:\Windows\system32\PING.EXE  ping -n 10 localhost  7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4560
-
-
C:\Recovery\WindowsRE\csrss.exe  "C:\Recovery\WindowsRE\csrss.exe"  7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe  "C:\Users\Admin\AppData\Roaming\Windows\Defender\Checker.exe"  3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\BrowserSvc\9jir1hGrtyuZOLHcOuhj8HZKZgcsvyzwZ1xbryhIf2ZdpzOmWWf.vbe"  4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\BrowserSvc\O41KRElzpOO.bat" "  5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\BrowserSvc\msAgentreviewCommon.exe  "C:\BrowserSvc/msAgentreviewCommon.exe"  6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psahxzbd\psahxzbd.cmdline"  7⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED2F.tmp" "c:\BrowserSvc\CSCAEE0AC16960944588C8612BA3C62C0.TMP"  8⤵  PID:3612
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bp1tbhaw\bp1tbhaw.cmdline"  7⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDDA.tmp" "c:\Program Files (x86)\Windows Sidebar\CSC7098C1159379401586BEEB8DCCDD8562.TMP"  8⤵  PID:2116
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lfiltwi3\lfiltwi3.cmdline"  7⤵  PID:4540
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE77.tmp" "c:\BrowserSvc\CSC6189A319FE504319B2CD2887BF72D49F.TMP"  8⤵  PID:4992
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ohyy44oy\ohyy44oy.cmdline"  7⤵  PID:2676
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF23.tmp" "c:\Users\Admin\Documents\OneNote Notebooks\My Notebook\CSCCE56167BA357490197B8E84580968BD1.TMP"  8⤵  PID:2976
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spbgmn0l\spbgmn0l.cmdline"  7⤵  PID:4496
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAF.tmp" "c:\Users\Admin\AppData\Roaming\Windows\Defender\CSC566FAD053A5843C9A838DF43DC5F622F.TMP"  8⤵  PID:3572
-
-
-
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oTYmKTHufL.bat"  7⤵  PID:728
-
C:\Windows\system32\chcp.com  chcp 65001  8⤵  PID:4136
-
-
C:\Windows\system32\PING.EXE  ping -n 10 localhost  8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4488
-
-
C:\Users\Public\Desktop\Idle.exe  "C:\Users\Public\Desktop\Idle.exe"  8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
-
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe  cmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform  2⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\system32\attrib.exe  attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform  3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2320
-
-
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\BrowserSvc\fontdrvhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\BrowserSvc\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\BrowserSvc\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\MoUsoCoreWorker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backgroundTaskHost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backgroundTaskHost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backgroundTaskHost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\BrowserSvc\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\conhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\Idle.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 13 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msAgentreviewCommon" /sc ONLOGON /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "msAgentreviewCommonm" /sc MINUTE /mo 11 /tr "'C:\BrowserSvc\msAgentreviewCommon.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 3
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
200B
MD5 8bb10502019ed38b3210cb6192c6a04b
SHA1 125f17b9c2f4ffcccc1f19bcc9000c80bbc2dfe3
SHA256 7ed5d362059760b6119ecf42b7a79bbbc6b8490c451bbffc6149632bd07877be
SHA512 286d36ccf686d9c14612a949729bbde0881ff2993a854a1be8118a546fffcff515e48dd24639894a1d289a973939809874efdad1cf67391cf4f51deb85320637
-
Filesize
86B
MD5 d6da62e1a07048cb1764846ff9e5991f
SHA1 16630a915028d374ef42fea0d1f34c8fae292e17
SHA256 b34c0cb821817355a7cb807108bd0251e40c8492f76f24240047ee1df5dc9897
SHA512 fcc21fac84eedb5229f1dfb79b4962b322e231dbbcf5c538d64c724dae8447f2c4f6dd55bb5faa5a854f90dd5ca24c3d332cf611af85104af8d33fb219bb5744
-
Filesize
1.9MB
MD5 fe563f1526b6875781652660d9b2421a
SHA1 8ebcf5aa7bd3ce98ea7ea7825e23a27c4830b937
SHA256 fb736b85b9d5efddda3a9c5997ec99582cf1167e64680a0dc469d59ab168fcf2
SHA512 42ccb6127cfc2751dc82b89fab33c28db2cfc071d1adec6ddc2c77beef6ced390501bdae8dca4005d0f2377946d116e16cece8c0d7f0e56dd8119561ba01f1ed
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5 92075279f2dbcaa5724ee5a47e49712f
SHA1 8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb
SHA256 fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442
SHA512 744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22
-
Filesize
944B
MD5 5cfe303e798d1cc6c1dab341e7265c15
SHA1 cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256 c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512 ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
Filesize
944B
MD5 eb033be02578f9635ec47bdc1de5c3fb
SHA1 ec356bc87381354a06baa9c30e8c3ac3d30e0f6f
SHA256 bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063
SHA512 4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed
-
Filesize
944B
MD5 e5663972c1caaba7088048911c758bf3
SHA1 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA256 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512 ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
-
Filesize
159B
MD5 7d9df6c75b76689a85930a10ec5c4a93
SHA1 e4840034a997b6928f08ef20a7feaa3e8295236f
SHA256 add665ad4fe3a7c235fb5cb039a01145587452271a4e3a835b9ad29d8e22b2b5
SHA512 c657214e3f5fc391dc8dfdc2b6855258517a8ffe2c0a3b897174410484cbaf10f7b11bff7da3d6c50e154d897d8c6cc7dc14ff8085921db042aab8e6dd5bbb23
-
Filesize
1KB
MD5 ecd7314e0fdde7cca88a37351d096ab3
SHA1 85e26e51b45e703277e52cb4cb0e6502c410b026
SHA256 5e6f90ca17613935a84a54e7268bfa02ed0c704bcf3c558b0a4184ef25de45a3
SHA512 732d44fdac3d89ffe5a1b6ae04289305ecfae8bfc1a8986781ba2e46db1ba5e75823d55568bb76605abf597194fe489d44d5f2ea4e092d02143c59c190922909
-
Filesize
1KB
MD5 d659fb83c06ad6ffeb447f93e4294f2a
SHA1 648683e70db9ee66b3faa100beb8a2e4c8d0a617
SHA256 8509390c538319bf10f058887109317a12a4a271ce45e70a4fee66dc25790b52
SHA512 62b93ad9b948d988eeadae48656e4d25bbb1483a2660e8e26c344befa17f3bbda2ee5a457261c3706f700c6606fc2c009a5fdc37e56be976c7dcd1b0cdd9d1ba
-
Filesize
1KB
MD5 ff858825f84eba7fc2d2e418f3192745
SHA1 c68e815f7f223e9f6dcbc233ab4f690c3849ef82
SHA256 79dabbcb6c16575b2cbc30d0924f010f810e97edcbb0f628441fbedd5d4ff21a
SHA512 865f125ead102a9231c8081a8e467808187434c8dc87bc2ed3208b442bd254cd3d3d0ff1e8b84199825451db6efb82a5f3507e3ad20fe640d838e889a0fa8901
-
Filesize
1KB
MD5 fadc7fb6da5a41956c9e8dcd8e42e57d
SHA1 7e69f15be88ff51da1f773801aa12d27f103d6f8
SHA256 ddbbb47a12ca67dc74275c161d2360addc608f3a58fc94d1164937d4502e042d
SHA512 9490ade176c94ac41022ae1b00284686052e46793fa51bf5fb0a3daa68fa90ced7f387c19cfb9e06a5585d54f5d1de1a5a6ac9b13cb614fedd5e36f398a37c9b
-
Filesize
1KB
MD5 d1c90c142ce93a8aa2cd97857e7b6706
SHA1 8e8ec2e4246b28bf712fe9c01b9c41803188a039
SHA256 3d81f4f1c98ec1b750462b1b9c5a2e96ae2088b87326e0b20c6aa4f8ca24adf9
SHA512 7c9292feea294ab8f10af3fb0d518614f46a31956ddd57b2959f76a9b89834fcbf48a390ba342ce5f177964df3c6bd29dc5ca2714506c7579b60e01102570664
-
Filesize
1KB
MD5 eadc5fa2e5a8ddbf0aec44454c720a18
SHA1 dbcf566b732201a9830a09cd845ac2b511b1f097
SHA256 4814d08692a152889201f1d7cb7da893834e98d509cc6f4f0ec90253c0af6b71
SHA512 9c07dd9a41b910b246dff91c2d97bd4b74a48f2535cbd65392d4364600f09341c5ca5930b5f4f07cafc2584aa14f9e324fb72270fba72fcf4fb52ac2e29ab697
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5 719d6ba1946c25aa61ce82f90d77ffd5
SHA1 94d2191378cac5719daecc826fc116816284c406
SHA256 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
Filesize
160B
MD5 f6788db458e103c448d31300bdd2322e
SHA1 4e02cf24f48bedd7dbd0e0ccddfe1e62ca3700bc
SHA256 149b01217ddc8ad61428a6a7c9d7fb5b89f19e974d91d7ff6b4fd2ef033ab773
SHA512 bd5319734e05970e17ccd4376ad1624f8831910000f7f71ac522555830a3841662cbb94daa3be1180436218704ebecc204bc922f9b73a63c9ebe6d49cb6682b1
-
Filesize
2.3MB
MD5 deb9f64ee23f25627884a143d411fb9c
SHA1 448f5388c390ec401d0551e5da97c2b9e24cfbf0
SHA256 613716c888bffcb5668886335c326e276511267d8f4040afa420ccf65de51d7e
SHA512 d4472ec02c355d76afcbacc51967adced80b3e3bb2cff25d34193d5cd5277baf451ec9149cf836d1647f60cf2c9bce70fb41d79ca76ff1c4dd7773be62447346
-
Filesize
2.2MB
MD5 cbf28a22d6c61a0937b1bf15b3d22a1a
SHA1 c414807315dfd5c33d91c783d168f417c7ca80fc
SHA256 dfa13a2024f7bbdeebaa243a5b9a60736860d61e5ad1abfda61502df8f2e4d04
SHA512 cb2a6e72c4a70150c10f7e84057b520dba2253e3a62b36cead3c1057a8b320d69414b99a99b4b160755437134b871de4f72fd3ccc885dc17951b5223eecbd4e0
-
Filesize
427KB
MD5 8d860de39a47014bb85432844205defc
SHA1 16b6485662cc4b57af26f1ee2fe5e5595156264d
SHA256 6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb
SHA512 c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539
-
Filesize
249B
MD5 5299f191d092a082374029620d0184cd
SHA1 154c0f2d892c0dde9914e1d2e114995ab5f1a8cb
SHA256 9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9
SHA512 670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
Filesize 104B
MD5 b33c8997ecd39b1b7e8af929abd526c7
SHA1 e30e21ca9e74d508cfc35e9affd57a7fbc089a77
SHA256 71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c
SHA512 394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc
-
Filesize
1KB
MD5 ad5530e645b1dc922ab093e14a6f1e14
SHA1 ab8f91d2fe84362a1eea05a4839d40f05629bcef
SHA256 d319e66b94c8e6e3b506760217e0a63c82a5db32696632eea9090c3856f7c3c1
SHA512 5e9f366d4747e5d61317eb4049f4d7afa358372b8c96258de4262fe80c206ca3fa71bb0fa8ff1a1f88b01dab3b2325728c41347f9f1ff0398b2ece8dbf7b3bde
-
Filesize
1KB
MD5 521714d2285e7a08176a625501a63dbd
SHA1 bdbea9d1689eaec992ebb4d18da17ac11d23a5ba
SHA256 2321cb3263522d960a807655a7be4d661407f2130d32d40d756876d0b28cfbcd
SHA512 fd0c59e354652acc36bc7e72f570117c46e3fc0b6f80499f1f335418e6980c774e13917619319108c14c9fd06637d3dc97c47b292c3e2ba44a314dfbee430128
-
Filesize
1KB
MD5 2dde0a04b3cfc5bca956764d6cdcb81f
SHA1 09131c520d3d3ffdfc0e0d9b0d3bac0631610dd7
SHA256 0a4c68c7293e89a8a3cbf968d3fa776410dd1aa531483b9f33774f95b243146a
SHA512 7a0975ec6b525af8822c739cfaaeee51d1fd0b5b9cb08fd1836096f3b76370f9e9476ee4a3dba4a0c4177e892ba145b690668d2d2592c3b5c5c7d38daeb1c799
-
Filesize
361B
MD5 39515356a6919e18d4ef406b72bb136d
SHA1 f8829d3e05a7ed668448cbf8fe16749da51557c8
SHA256 3aa819c6b8bdb202066316c7d24dc4049e58aec2b2a5e663b57b8569db125adb
SHA512 e720631c8ddbf9a0de060446914299374c5a48d7a92af3d001bb27710b13a26e3e12d18a136e762c861fc25a0146ae8b1c99d736b58627bd937061d62bd29555
-
Filesize
235B
MD5 a189e129c8eeb7403395f5c44e729364
SHA1 ce71d5d38ad0bfe7ed01e485cce61b0118a98765
SHA256 6a8af75361538bd9698acdcd3cac69b80f968a9ca54e2d796510d04cdb7cee41
SHA512 780b92c26a922b5d02f5f5d18d1085ae065607caed330866b92397ccaf82e854bdcec0ce5ac6f6613344a03a1852c561200517233a483bf6a9bb545138b5708c
-
Filesize
381B
MD5 5ee5ecf83a95f6b244ce47341cab9857
SHA1 262caa2267f4627fbcb4d0c2e494bca7c9a1af09
SHA256 7f108804ae69fffd695c32704831e0a3cf2d558cf88f8821037e7a857e46fade
SHA512 7a17c5d4d3eb1b72c6a82a564c1e58dd34679d23b9afb86f4ddc767fdd1afad815905c4620623c75ba7cae05efc869da38491b71ca3bdfba726a0692c21802c6
-
Filesize
253B
MD5 aec1553f5d12d9827ad8575ee9e084c2
SHA1 dc6d43cfd344746d8429c402cfa800986a667fdc
SHA256 9213c0c4d1fa746b25c50ac383940a10c0f903e0bb68081c4c682f879647ef9b
SHA512 1c02b7655228f92eb9ddf8e0e49b31c0898ac0349042e6dc9cb1f8e629728b046e8ee34d24f7edf48119dcc89cdd9822207aa81655bab361e2cf945d5be1f997
-
Filesize
366B
MD5 fd11e32ec0b2c941ba8a22e431dfe5ce
SHA1 b413b136edd26703f677aef3910897f62a489ffc
SHA256 6751d9a1517a0510d39b58484acd8ffa4229dfb1ca2ed0ccdb5cf17bcc785c16
SHA512 245515dd2f9df07f9a9628b0e533e487f4e38e5c4d91c40d9bcffd8378589ac25e5ba06534df5adee8ea306dd55e55ccfa20875bb4683533674423642a26a769
-
Filesize
238B
MD5 b8e65d556559e000bd3bd767b76fb86b
SHA1 6b3391d00ab9941933a257f926a4af733de1c2c5
SHA256 4b8c0e8383fb40e96e116eb3994b9e9c66641e1c2b3d33353e5eb0b687890c12
SHA512 418eab769d8a6c5918c781e790ef11d76e4d95a69385564d406b2ddf211a6eb90fde1e7f57891d5c009ff8f23e56b09dc3c62276ef115fea3ff214676b8098d7
-
Filesize
410B
MD5 1a24ef2abe34f68278f1a8502084f1db
SHA1 69052f953c639059a0f8d45d72f43242b1a075f2
SHA256 2d3eb18d2ea57fbad97f0fc3c878d3fba1063f793a71aff9eec5a6a6a19a1b1c
SHA512 6037ffeac02fc2440dc79717c313c2078ef32df5dca79263b14a65fca67630c0f05ab482af3bf0236e8826b12f6bee6368d4841c242ba88666cdc749aa7f72d7
-
Filesize
282B
MD5 005eaefbacb43d22130a41494eb7ceba
SHA1 2ac4fde3834eeaf6ee4c9afe73a8f171c4615a8c
SHA256 0410e6215638b9ba702f28d9996a5cac37197da0a99690a71956786f843b7706
SHA512 0acedf5fb19dc25aa83db0fcd2ad62bbb640a1804d36dc7d3f4c1d91fb682102ec5a4d94548bafce6ece283da429739c1fd4a85c33eaf2aff51595b97a2d4aec
-
Filesize
362B
MD5 ad31045eca214c79008abf8f44d8747f
SHA1 bb5434054298c66a3d6d1e9a74e70a631d0fa1fd
SHA256 73f23bb6ca7b6bc464219b09068ef5a61f123538e21dc64f0466ee7be22f123a
SHA512 a5192ecc42112e79c936832aa080cdafda16e048ea3658f8db80543c6a1554e4c970213b1e7c1c1e410a5b30d35db053afb071d388d9fb27cfbd3c37393228f7
-
Filesize
234B
MD5 a8cfd7847ee165976fd62ff76341ec14
SHA1 0c0794683db0f141f0696076df48ded5163ae41a
SHA256 a4d9337b966b6e5c4d05bfe57a6d897ae07e27b6d0a40c20f2e6311f985f3c43
SHA512 1e6ba5899b1cc6f51e8930f70fc08c0ff4de79d1524f2733d1e49bee470969cc89cfc9a2ddffe2aec4072fdba87f065c91d96aebd22b6e89aa71fbd005627d3e
-
Filesize
393B
MD5 0f978b709ece0784207cd2c5456e98f8
SHA1 7e3f5ce4bc4e13919efb4802438b19c95005421c
SHA256 351f77da064df4e4999025f4d17ca1067d7457298d2d37ab5bae57d86eb9eb0f
SHA512 c49065dacb5b929347c663ff4eb56cb0eabf98012a5dc89c97ffaa34819d5ab394fd833c08f2d29c9b39ea9152bdffd3fd0533e1479d651bd86d561417b7b8be
-
Filesize
265B
MD5 67d888819fcb4d0b11f1a90aedb85233
SHA1 77089093b3a1b317925bf9eec11550db83493531
SHA256 f0d2b2cd8e84548faa45c4b5fbc3eacf454c89e891db618b530cdd76d207e6ad
SHA512 f4f68b4ad768e3622c36ba43ac761c0850a206ed94591ebb0d9c2f1aa9aaa08e21b2aa063cf1adba463fff2649c13ab73df1703eb3f1d7647b9b9171daebff32
-
Filesize
1KB
MD5 819218476efff19538c5e47775890416
SHA1 44268f9a7b24e4477c5a6917ca26b1e9d4938bcd
SHA256 adfdb51bd795924a67fd2310d33e40f21f7dde44168e85dd416784cb6b1f5cd2
SHA512 fc1d1655478034e6c2ac8082e00397f1a3c6b527714fc1576b52bef7b2a9faa5ff1d89b1501d598bbeac943e899631007237071ddb73242438aa375ab74d3bcd
-
Filesize
1KB
MD5 9c79512cdc499a5b389833c64a598ca0
SHA1 d22bb6dcf714437e7dfc174a430a9261e5252eab
SHA256 f80cd1d705b5511c8743912f3a2c50f48468a765bc72762977110415420b4aef
SHA512 0c23ca561c4c78ad446a27c1002b8d9747c6cf9a045e75bb1a42f95ba2e5677511e3cd3df6be804873fe210353fdb915d796eb2980c7b59d06310368ce4d05ff
-
Filesize
1KB
MD5 75e32610d8ef6143201c7c28465fcda9
SHA1 b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA256 97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512 b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc